Flaw resides in BTB helps bypass ASLR

2016-10-20 Thread Peter Janos
Hello,

http://news.softpedia.com/news/researchers-bypass-aslr-protection-on-intel-haswell-cpu-509460.shtml

paper:
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
 
could we somehow prevent this attack on OpenBSD?



Re: SSHowDowN

2016-10-18 Thread Peter Janos
wow, thanks for the reply!


"At the time I was running an AnonCVS server and I had realized that
the anonymously connecting clients could use port forwarding to
bounce TCP connections off the server."


was this fixed meanwhile?

 

Sent: Tuesday, October 18, 2016 at 5:01 PM
From: "Christian Weisgerber" <na...@mips.inka.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN
On 2016-10-18, "Peter Janos" <peterjan...@mail.com> wrote:

> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?

It has always been like this. OpenSSH inherited it from Ylønen-SSH.

In the beginning, OpenSSH didn't even have a configuration option
to disable port forwarding. Sixteen years ago Markus committed the
diff I had submitted that added the AllowTcpForwarding option.

--->
CVSROOT: /cvs
Module name: src
Changes by: mar...@cvs.openbsd.org 2000/10/14 06:12:09

Modified files:
usr.bin/ssh : servconf.c servconf.h serverloop.c session.c
sshd.8

Log message:
AllowTcpForwarding; from naddy@
<---

At the time I was running an AnonCVS server and I had realized that
the anonymously connecting clients could use port forwarding to
bounce TCP connections off the server.

--
Christian "naddy" Weisgerber na...@mips.inka.de
 



Re: SSHowDowN

2016-10-18 Thread Peter Janos
having the username for password is yes, almost the biggest retarded idiotism
in 2016, but disabling AllowTcpForwarding by default could help a little and a
little in this case is big.

I hope this admin user doesn't have permission to change shell, etc.. And in
this general case (iot) , they have /sbin/nologin, so hopefully not.

That's why AllowTcpForwarding=no by default could help in general.  

heck, it even has a CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653



Sent: Tuesday, October 18, 2016 at 11:05 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN
On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default..
>
> so the PDF also states that the "admin" user had /sbin/nologin for shell
>
> --
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
>
> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?
>
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
That should allow you to prevent the forwarding as well.

Using TCP forwarding allows one to establish secure tunnels between
systems that are not directly reachable without the need for a
full-blown VPN. But this is just my opinion.
 



Re: SSHowDowN

2016-10-18 Thread Peter Janos
sometimes I send mails in HTML format, sorry for that, mail.com has this by
default..

so the PDF also states that the "admin" user had /sbin/nologin for shell

--
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
 AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The available options are
yes (the default) or all to allow TCP forwarding, no to prevent all TCP
forwarding, local to allow local (from the perspective of ssh(1)) forwarding
only or remote to allow remote forwarding only. Note that disabling TCP
forwarding does not improve security unless users are also denied shell
access, as they can always install their own forwarders.
--
-->>
Note that disabling TCP forwarding does not improve security unless users are
also denied shell access

so having AllowTcpForwarding=NO would help.

Why is it yes by default? someone requested it to be yes? does anybody know?

Thanks.
 


Sent: Tuesday, October 18, 2016 at 10:46 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN
On 10/18/2016 10:41 AM, Solène Rapenne wrote:
> On 2016-10-18 10:35, Peter Janos wrote:
>> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
>>
>> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
>>
>> Thanks.
>
> from sshd_config(5)
>
> AllowTcpForwarding
> Specifies whether TCP forwarding is permitted. The available
> options are yes (the default) or all to allow TCP forwarding, no
> to prevent all TCP forwarding, local to allow local (from the
> perspective of ssh(1)) forwarding only or remote to allow remote
> forwarding only. Note that disabling TCP forwarding does not
> improve security unless users are also denied shell access, as
> they can always install their own forwarders.
>

Also the article states that "We checked our factory-defaulted device
and noticed that the 'admin:admin' credential pair allows
us to connect to the web-based configuration interface."

Using such a weak password is more likely the problem than the enabled
TCP forward.

 



SSHowDowN

2016-10-18 Thread Peter Janos
shouldn't the default be "no" for the AllowTcpForwarding? Why is an
insecure option "yes" by default?
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
Thanks.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Peter Janos
use S for extra security at the expense of performance. Use other options
only if you know what you are doing and have specific needs.
BTW, ssh and sshd enable S by themselves.
 
-Otto

 
-> so "S" is the best way, Thanks! :)
 
Sent: Friday, October 14, 2016 at 12:20 PM

From: "Otto Moerbeek" <o...@drijf.net>
To: "Peter Janos" <peterjan...@mail.com>
Cc: "openbsd misc" <misc@openbsd.org>
Subject: Re: What are the security features in OpenBSD 6.0 that are by
default disabled?
On Fri, Oct 14, 2016 at 09:21:24AM +0200, Peter Janos wrote:

> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> set, but if feature not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf

$ man man.conf | grep security

-Otto
 



Fw: RE: RE: OpenBSD PaX Test question

2016-10-16 Thread Peter Janos
if anyone interested, correction for the pax topic

Sent: Tuesday, October 11, 2016 at 3:57 PM
From: "W. Dean Freeman" <wdfree...@acumensecurity.net>
To: "'Peter Janos'" <peterjan...@mail.com>
Subject: RE: RE: OpenBSD PaX Test question

Increasing the stack gap size isn't necessarily bad or good. Basically,
you're adjusting the run-time value of a gap page that gets inserted at the
top of a new stack frame, so that when an attacker is analyzing a binary and
attempting to write an exploit, there is an unknown-at-compile-time number of
bytes which have to be included when building the exploit and attempting to
over-write the return address to the previous stack frame. It's just one of a
series of mitigations against buffer overflows (like stack canaries, W^X,
etc.). You're also here adjusting the amount of room there is to play with
when randomizing addresses for ASLR, at least as is my understanding.

So, I doubt it hurts anything, but given the general strength of ASLR, stack
gaps, stack cookies, the new W^X feature, etc. I'm not sure it's really
necessary. If you really want to play with something fun that may ferret out
bugs either in your code or in things you get from ports, turn on memory
junking in the /etc/malloc.conf. For a discussion on some fun around that,
see here:

https://www.youtube.com/watch?v=YYf1U0xcHmk

To the second question, there isn't any magic to what I'm doing in that
program and between screenshots from GDB and a description of what's going
on, you should be able to reconstruct it. There are three basic tests:
1. Attempt to mmap(2) a page of memory with permissions PROT_WRITE|PROT_EXEC
** on OpenBSD, this will cause the program to abort. On HardenedBSD or
NetBSD, you'll get a writable page of memory back
** If you get the page back, I put a bit of do-nothing shell code into the
mapped buffer, then write a function pointer to it and attempt to execute in
order to cause a page fault there and record the violation is caught
properly, proving that I didn't get W|X memory
2. attempt to map a page of memory as writable then mprotect() to W|X. With
PaX, the page stays writable. OpenBSD will abort the process here
** I did share a version with Red Hat through technical community channels,
which included proof via live shell code that even if you turn off execmem
allocation in SELinux, that you get no protection around mprotect and can
still get a shell here.
3. Attempt to map a page of memory as executable and then mprotect() to W|X.
Again, OpenBSD will abort this but PaX just gives you back what you had
originally

I may be able to share the tool, but it basically just does a subset of what
is in the paxtest, geared directly at three sub-cases for one security
functional requirement which isn't even mandatory right now. However, RedHat
didn't want to burn political capital with the Linux kernel devs pushing for
it when OpenBSD didn't even turn it on. Now that they have, there may be a
better case to be made in that regard.

-
W. Dean Freeman, CISSP, CSSLP, GCIH
Lead Security Engineer
Mobile: +1.8048158786
wdfree...@acumensecurity.net
http://www.acumensecurity.net

-Original Message-
From: Peter Janos [mailto:peterjan...@mail.com]
Sent: Tuesday, October 11, 2016 2:23 AM
To: W. Dean Freeman <wdfree...@acumensecurity.net>
Subject: Re: RE: OpenBSD PaX Test question

Only two questions:

==

1) Increasing kern.stackgap_random=262144 to kern.stackgap_random=16777216
increases the "14 quality bits" to "20 quality bits".

Stack randomization test (SEGMEXEC) : 20 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 20 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 20 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 20 quality bits (guessed)

is this a wise thing to do? Does setting the kern.stackgap_random to
16777216 increase security?

==

2) Can we have the cc-memtest binary or source? Or it is not public.
http://blog.acumensecurity.net/revisiting-wx-with-openbsd-6-0/

==

Many Thanks!

> Sent: Monday, October 10, 2016 at 5:46 PM
> From: "W. Dean Freeman" <wdfree...@acumensecurity.net>
> To: "'Peter Janos'" <peterjan...@mail.com>
> Subject: RE: OpenBSD PaX Test question
>
> Sure, go ahead.
>
>
>
>
>
>
>
> From: Peter Janos [mailto:peterjan...@mail.com]
> Sent: Monday, October 10, 2016 11:46 AM
> To: W. Dean Freeman <wdfree...@acumensecurity.net>
> Subject: Re: OpenBSD PaX Test question
>
>
>
> can I post this as an answer on stackexchange?
>
> Thank you!
>
> Sent: Monday, October 10, 2016 at 4:36 PM
> From: "W. Dean Freeman" <wdfree...@acumensecurity.net
> <mailto:wdfree...@acumensecurity.net> >
> To: peterjan...@mail.com <mailto:peterj
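
The three checks listed in W. Dean Freeman's message above, written out as an added example; this is not his cc-memtest tool and not code from the thread. It only records whether each request is accepted, refused or fatal, and leaves out the execute-and-fault step he describes, so a "call ok" on a kernel that silently drops a permission bit still needs that further check. The function names and the read-only baseline probe are assumptions made here.

```c
/* Added example: asks the kernel for W|X memory three ways and reports the
 * policy decision. Nothing is written to or executed from the pages. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum wx_result {
    WX_CALL_OK = 0, /* call succeeded: W|X granted, or a bit silently dropped */
    WX_REFUSED = 1, /* call returned an error; the request was denied         */
    WX_KILLED  = 2, /* kernel terminated the probing process with a signal    */
    WX_ERROR   = 3  /* the probe itself could not run (fork or setup failed)  */
};

#define WX_PROT (PROT_WRITE | PROT_EXEC)

static size_t page_len(void) { return (size_t)sysconf(_SC_PAGESIZE); }

static void *map_page(int prot)
{
    return mmap(NULL, page_len(), prot, MAP_PRIVATE | MAP_ANON, -1, 0);
}

/* Map one page with `first`, then ask mprotect() to change it to `second`. */
static int remap(int first, int second)
{
    void *p = map_page(first);
    if (p == MAP_FAILED)
        return WX_ERROR;
    return mprotect(p, page_len(), second) == 0 ? WX_CALL_OK : WX_REFUSED;
}

/* Test 1: request W|X directly. Test 2: writable page, then W|X.
 * Test 3: executable page, then W|X. Baseline: a change no W^X policy forbids. */
static int t_mmap_wx(void)  { return map_page(WX_PROT) == MAP_FAILED ? WX_REFUSED : WX_CALL_OK; }
static int t_write_wx(void) { return remap(PROT_READ | PROT_WRITE, WX_PROT); }
static int t_exec_wx(void)  { return remap(PROT_READ | PROT_EXEC, WX_PROT); }
static int t_baseline(void) { return remap(PROT_READ | PROT_WRITE, PROT_READ); }

/* Run a probe in a child so that a kernel which kills W^X violators only
 * takes down the child; the parent classifies the exit status. */
static enum wx_result run_in_child(int (*probe)(void))
{
    int status;
    pid_t pid;

    fflush(NULL);
    pid = fork();
    if (pid < 0)
        return WX_ERROR;
    if (pid == 0)
        _exit(probe());
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return WX_ERROR;
    if (WIFSIGNALED(status))
        return WX_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) <= WX_ERROR)
        return (enum wx_result)WEXITSTATUS(status);
    return WX_ERROR;
}

enum wx_result wx_probe_baseline(void)    { return run_in_child(t_baseline); }
enum wx_result wx_probe_mmap(void)        { return run_in_child(t_mmap_wx); }
enum wx_result wx_probe_write_to_wx(void) { return run_in_child(t_write_wx); }
enum wx_result wx_probe_exec_to_wx(void)  { return run_in_child(t_exec_wx); }

const char *wx_name(enum wx_result r)
{
    static const char *const names[] = { "call ok", "refused", "killed", "probe error" };
    return names[r];
}

int main(void)
{
    printf("baseline RW -> R          : %s\n", wx_name(wx_probe_baseline()));
    printf("1. mmap(W|X)              : %s\n", wx_name(wx_probe_mmap()));
    printf("2. RW then mprotect(W|X)  : %s\n", wx_name(wx_probe_write_to_wx()));
    printf("3. RX then mprotect(W|X)  : %s\n", wx_name(wx_probe_exec_to_wx()));
    return 0;
}
```

A "killed" result corresponds to the abort the message reports for OpenBSD, and "refused" to a kernel that fails the call and leaves the page with its original rights.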

Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Peter Janos
remote supervisor/console solutions are still turned on while the server
is off, so simply powering off the OS isn't enough. there were/will be
many bugs for these remote console solutions too

Sent: Friday, October 14, 2016 at 9:48 PM
From: "Raul Miller"
To: "thrph.i...@gmail.com"
Cc: "OpenBSD general usage list"
Subject: Re: What are the security features in OpenBSD 6.0 that are by
default disabled?

On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com wrote:
> " The only truly secure system is one that is powered off, cast in a
> block of concrete and sealed in a lead-lined room with armed guards - and
> even then I have my doubts. "

Powered off works surprisingly well for some other operating systems.

--
Raul



What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Peter Janos
Hello,

I know some features that can give additional security aren't turned on
because of the bad quality of the code in ports and some also decrease
performance (or disable a feature, ex.: screenlock doesn't work if nosuid
set, but if feature not used, nosuid can be used).

I only know about these "security hardenings", hopefully all are ok (if not,
please say/argue!):
 
==
ln -s GJU /etc/malloc.conf
==
Remove wxallowed from /etc/fstab
==
echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
==
Remove all SUID and SGID permissions and all FS must have "nosuid".
==
Add noexec, nodev where you can in fstab, but can be bypassed..
==
All filesystems that are only modified during software install and removal
need to be read-only.
They can be only rw if sw install/removal happens.
==
Remove all files that are not needed for the machine to operate/do its
purpose.
==
echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
==
Make as many files immutable with "chflags schg filenamehere" as you can.
==
If using X (so desktop) only use dangerous software (webbrowser, any viewer
software: pdf, video, audio, torrent client, etc.) with another (limited)
user!
==

The purpose of this mail to find more... what are the other security features
that are disabled in the default install?
 
-
ps.: it would be nice to have a feature in the default installer to install
with full disc encryption :) we still have to escape to shell during install
and ex.:

install60.iso
(S)hell
dmesg | grep MB # or: sysctl hw.disknames
dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
fdisk -iy sd0
disklabel -E sd0
a a
enter
enter
RAID
w
q
bioctl -c C -l /dev/sd0a -r 2000 softraid0
# use a random high iteration number x > 10 000 000
exit
Start install to the newly created bioctl/crypt raid device: sdX, where X is
ex.: 2...

with a random (but very high) number for iteration, afaik iteration only
counts when typing in the password, much higher iteration would slow down
brute-force attackers.
-

Many thanks.



New OpenSSL double-free and invalid free vulnerabilities in X509 parsing

2016-10-13 Thread Peter Janos
Hello gods,

http://seclists.org/fulldisclosure/2016/Oct/62
->
https://github.com/guidovranken/openssl-x509-vulnerabilities
 
a little bit old, but LibreSSL got this?
 

The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.
Simplify and fix the logic.
Thanks to Guido Vranken for reporting this issue.
Reviewed-by: Matt Caswell 
(Merged from #1691)
 
Thanks!



Re: Fix paxtest output on OpenBSD 6.0?

2016-10-03 Thread Peter Janos
It went out twice, sorry. First I sent the below mail, but after even
hours it didn't show up, I thought maybe length restriction, so I sent
the mail again without the below "RAW" part, with that it was displayed
in a few minutes.

Whatever, the paxtest compares are here in a picture too (mirror urls),
more readable to the human eye:
https://s22.postimg.org/f169vbabl/paxtest_openbsd.png
https://i.imgsafe.org/22cb7604d4.png
https://lut.im/C3F0KIhF6O/GPjZ5bRQrTK8fLpg.png

Is W^X causing the "Vulnerable" lines? Is it still ok, because of "bad
test"? or is it really a security problem??

install60.iso
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect) : Vulnerable
Return to function (strcpy) : paxtest : return address contains a NULL byte.
Return to function (strcpy, PIE) : paxtest : return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (memcpy, PIE) : Vulnerable

Increasing kern.stackgap_random=262144 to kern.stackgap_random=16777216
increases the:

Stack randomization test (SEGMEXEC) : 14 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 14 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 14 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 14 quality bits (guessed)

"to 20 quality bits".

Thanks!

Sent: Sunday, October 02, 2016 at 12:12 PM
From: "Peter Janos" <peterjan...@mail.com>
To: misc@openbsd.org
Subject: Fix paxtest output on OpenBSD 6.0?

Hallo :)

Also I included a few other OS.

Mirror for the post is here:
https://pastebin.com/raw/y9qHwZxi

Tests are after a default/fresh install (not livecd), using
https://www.grsecurity.net/~spender/paxtest-0.9.15.tar.gz


All OS were installed/tested in VirtualBox-5.1.6_110634_el7-1.x86_64 on a
RHEL 7.2 / T450.



When I used 'paxtest-0.9.15' on OpenBSD, had to ADD two lines:

$ grep -n 'randarg1: randbody.o randarg1.o' Makefile.OpenBSD
157:randarg1: randbody.o randarg1.o
$ grep -n 'randarg2: randbody.o randarg2.o' Makefile.OpenBSD
159:randarg2: randbody.o randarg2.o
$

or else compile would fail, thx for the hint from Pinter Oliver!



On FreeBSD/HBSD I had to use paxtest-0.9.14-freebsd.tar compiled on FBSD9
from
https://github.com/HardenedBSD/tools/blob/master/tests/paxtest-freebsd/paxtest-0.9.14-freebsd.tgz



If anyone has outputs for NetBSD and DragonFlyBSD, please post.


Always used blackhat mode.


Fix paxtest output on OpenBSD 6.0?

2016-10-02 Thread Peter Janos
Hallo :)

Also I included a few other OS. Mirror for the post: 
https://pastebin.com/raw/y9qHwZxi

Tests are after a default/fresh install (not livecd), using 
https://www.grsecurity.net/~spender/paxtest-0.9.15.tar.gz


All OS were installed/tested in VirtualBox-5.1.6_110634_el7-1.x86_64 on a RHEL 
7.2 / T450.



When I used 'paxtest-0.9.15' on OpenBSD, had to ADD two lines: 

$ grep -n 'randarg1: randbody.o randarg1.o' Makefile.OpenBSD
157:randarg1: randbody.o randarg1.o
$ grep -n 'randarg2: randbody.o randarg2.o' Makefile.OpenBSD
159:randarg2: randbody.o randarg2.o
$ 

or else compile would fail, thx for the hint from Pinter Oliver!



On FreeBSD/HBSD I had to use paxtest-0.9.14-freebsd.tar compiled on FBSD9 from 
https://github.com/HardenedBSD/tools/blob/master/tests/paxtest-freebsd/paxtest-0.9.14-freebsd.tgz



If anyone has outputs for NetBSD and DragonFlyBSD, please post. 


Always used blackhat mode. 

##
SUM (copy it to a simple editor, ex.: gedit, then from there to LibreOffice 
Calc): 

###
CentOS-7-x86_64-Everything-1511.txt  Executable anonymous mapping  Killed
debian-8.6.0-amd64-CD-1.txt  Executable anonymous mapping  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt  Executable anonymous mapping  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable anonymous mapping  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt  Executable anonymous mapping  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt  Executable anonymous mapping  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt  Executable anonymous mapping  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt  Executable anonymous mapping  Killed
install60.txt  Executable anonymous mapping  Killed
linuxmint-18-cinnamon-64bit.txt  Executable anonymous mapping  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt  Executable anonymous mapping  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt  Executable anonymous mapping  Killed
ubuntu-16.04.1-desktop-amd64.txt  Executable anonymous mapping  Killed
ubuntu-16.04.1-server-amd64.txt  Executable anonymous mapping  Killed
###
CentOS-7-x86_64-Everything-1511.txt  Executable bss  Killed
debian-8.6.0-amd64-CD-1.txt  Executable bss  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt  Executable bss  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable bss  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt  Executable bss  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt  Executable bss  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt  Executable bss  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt  Executable bss  Killed
install60.txt  Executable bss  Killed
linuxmint-18-cinnamon-64bit.txt  Executable bss  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt  Executable bss  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt  Executable bss  Killed
ubuntu-16.04.1-desktop-amd64.txt  Executable bss  Killed
ubuntu-16.04.1-server-amd64.txt  Executable bss  Killed
###
CentOS-7-x86_64-Everything-1511.txt  Executable data  Killed
debian-8.6.0-amd64-CD-1.txt  Executable data  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt  Executable data  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable data  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt  Executable data  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt  Executable data  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt  Executable data  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt  Executable data  Killed
install60.txt  Executable data  Killed
linuxmint-18-cinnamon-64bit.txt  Executable data  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt  Executable data  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt  Executable data  Killed
ubuntu-16.04.1-desktop-amd64.txt  Executable data  Killed
ubuntu-16.04.1-server-amd64.txt  Executable data  Killed
###
CentOS-7-x86_64-Everything-1511.txt  Executable heap  Killed
debian-8.6.0-amd64-CD-1.txt  Executable heap  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt  Executable heap  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable heap  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt  Executable heap  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt  Executable heap  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt  Executable heap  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt  Executable heap  Killed
install60.txt  Executable heap  Killed
linuxmint-18-cinnamon-64bit.txt  Executable heap  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt  Executable heap  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt  Executable heap  Killed
ubuntu-16.04.1-desktop-amd64.txt  Executable heap  Killed
ubuntu-16.04.1-server-amd64.txt  Executable heap  Killed