# Paxtest results, how to stop "return-to-libc" attack?

## YumeWizard

I decided to put Gentoo-Hardened on my Router a week or so ago and during my testing I took note of the paxtest results which seemed to indicate a security issue.

Paxtest Command Results:

```
kagami deus # paxtest blackhat
PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux kagami 4.5.7-hardened-r2 #5 SMP Fri Jun 24 18:01:32 EDT 2016 x86_64 Pentium(R) Dual-Core CPU E6700 @ 3.20GHz GenuineIntel GNU/Linux
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomization test     : 28 quality bits (guessed)
Heap randomization test (ET_EXEC)        : 35 quality bits (guessed)
Heap randomization test (PIE)            : 35 quality bits (guessed)
Main executable randomization (ET_EXEC)  : 28 quality bits (guessed)
Main executable randomization (PIE)      : 28 quality bits (guessed)
Shared library randomization test        : 28 quality bits (guessed)
VDSO randomization test                  : 28 quality bits (guessed)
Stack randomization test (SEGMEXEC)      : 35 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 35 quality bits (guessed)
Arg/env randomization test (SEGMEXEC)    : 39 quality bits (guessed)
Arg/env randomization test (PAGEEXEC)    : 39 quality bits (guessed)
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable
```

I began to research the problem and found some confusing results:

01. https://forums.gentoo.org/viewtopic-t-936916-highlight-paxtest.html (Same issue, no responses)

02. https://forums.gentoo.org/viewtopic-t-852507-highlight-paxtest.html (Same issue, responses suggest that these results are normal)

03. https://forums.gentoo.org/viewtopic-t-816199-highlight-paxtest.html (Similar issue, responder posts his own paxtest results which do not have my issue)

04. https://forums.grsecurity.net/viewtopic.php?t=1420&highlight=strcpy (Same issue, responder concludes the tests are meant to fail and there is little you can do to stop such an attack)

So I'm left wondering: what can I do to get the added protection that the user in my 3rd example seems to have?

Emerge --info:

```
kagami deus # emerge --info
Portage 2.3.0_rc1 (python 3.4.4-final-0, hardened/linux/amd64, gcc-5.4.0, glibc-2.23-r2, 4.5.7-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.5.7-hardened-r2-x86_64-Pentium-R-_Dual-Core_CPU_E6700_@_3.20GHz-with-gentoo-2.2
KiB Mem:     3036916 total,   2618148 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Fri, 17 Jun 2016 12:30:02 +0000
sh bash 4.3_p42-r2
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p42-r2::gentoo
dev-lang/perl:            5.24.0-r1::gentoo
dev-lang/python:          2.7.11-r2::gentoo, 3.4.4::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.21::gentoo
sys-apps/sandbox:         2.10-r2::gentoo
sys-devel/autoconf:       2.69-r2::gentoo
sys-devel/automake:       1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            5.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.6::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r2::gentoo
Repositories:
gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://lug.mtu.edu/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bzip2 cli conntrack cracklib crypt cryptsetup cxx device-mapper dri gdbm hardened iconv ipv6 justify libressl mmx mmxext modules multilib ncurses nls nptl openmp pam pax_kernel pcre pie readline seccomp session sse sse2 ssl ssp tcpd unicode urandom xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dtherm tpr_shadow vnmi flexpriority" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en us" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
```

Kernel .config Security options:

```
#
# Security options
#

#
# Grsecurity
#
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_PAX_RAP=y

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_RWXMAP_LOG is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Physical Protections
#
# CONFIG_GRKERNSEC_DENYUSB is not set

#
# Sysctl Support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y
```

----------

## chithanh

There is an older blog post where the return-to-function check is explained and why it usually gives "vulnerable" as result. You may want to check it out:

https://labs.mwrinfosecurity.com/blog/assessing-the-tux-strength-part-2-into-the-kernel

----------

## YumeWizard

 *chithanh wrote:*   

> There is an older blog post where the return-to-function check is explained and why it usually gives "vulnerable" as result. You may want to check it out:
> 
> https://labs.mwrinfosecurity.com/blog/assessing-the-tux-strength-part-2-into-the-kernel

From the article:

> As can be observed from the results above, all of the distributions were vulnerable to ‘return-to-function’ classes of attack. These attacks involve an attacker calling legitimately loaded functions (or pieces of code) in order to achieve their goal. This is an extremely difficult attack scenario to protect against (as programs need to call their own functions, including those included in other libraries) and at the moment there’s no “on or off” protection against them. The highest protection can be achieved using a high level of randomisation, which would require a 64 bit address space rather than 32 bit. According to this article a 32 bit address space would allow an attacker to bruteforce the location of certain memory regions thus providing them with a greater chance of successful exploitation.

Thank you for showing me this, I'm glad to have such a good explanation included in this thread for any people searching this in the future. What I still don't understand though is what the person in my 3rd example has done to their system to achieve different results.
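The article excerpt quoted above explains why the return-to-function tests report "Vulnerable" on a working PaX system and why the randomisation bits are the number that actually matters. The script below is an added example, not code from this thread or from the paxtest project: it parses the `name : result` lines paxtest prints (the sample input is constructed in the same layout as the output posted earlier in the thread), separates the expected "Vulnerable" lines and the strcpy test's NULL-byte abort from results that need attention, and converts the reported randomisation bits into an expected number of guesses, which makes the article's 32-bit versus 64-bit point concrete. All function and field names are my own.

```python
"""Triage paxtest output: separate real findings from expected results.

Added example (not from the Gentoo forum thread or the paxtest project).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same layout as the paxtest output posted in
# the thread, including the banner/uname/mode lines a parser must skip.
SAMPLE_OUTPUT = """\
PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org>
Mode: blackhat
Linux kagami 4.5.7-hardened-r2 #5 SMP Fri Jun 24 18:01:32 EDT 2016 x86_64
Executable stack                         : Killed
Executable heap (mprotect)               : Killed
Anonymous mapping randomization test     : 28 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 35 quality bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
"""

# "name : result"; the name part never contains a colon, the result may.
_LINE_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<result>.+?)\s*$")
_BITS_RE = re.compile(r"^(?P<bits>\d+) (?:quality )?bits(?P<guessed> \(guessed\))?$")


@dataclass
class TestResult:
    name: str
    status: str                 # protected | vulnerable | randomized | inconclusive
    bits: Optional[int] = None  # only for randomization tests
    note: str = ""


def parse_paxtest(text: str) -> List[TestResult]:
    """Return one TestResult per test line; banner, uname and mode lines are skipped."""
    results: List[TestResult] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        name, result = m.group("name"), m.group("result")
        if result == "Killed":
            results.append(TestResult(name, "protected"))
        elif result == "Vulnerable":
            results.append(TestResult(name, "vulnerable"))
        elif result.startswith("paxtest:"):
            # The harness bailed out before testing anything. For the strcpy
            # variant this means the target address contains a 0x00 byte,
            # which a C string copy cannot write, so the result is
            # inconclusive rather than a pass or a fail.
            results.append(TestResult(name, "inconclusive",
                                      note=result[len("paxtest:"):].strip()))
        else:
            b = _BITS_RE.match(result)
            if b:
                results.append(TestResult(name, "randomized", bits=int(b.group("bits")),
                                          note="guessed" if b.group("guessed") else ""))
            # anything else ("Mode: blackhat", the uname line) is not a test line
    return results


def expected_guesses(bits: int, rerandomized: bool = False) -> int:
    """Average attempts needed to hit one uniformly random value of `bits` bits.

    If the layout stays fixed between attempts (a forking server), trying
    candidates without repetition costs about half the space, 2**(bits-1).
    If every attempt sees a fresh layout, each try succeeds with probability
    2**-bits and the expectation is 2**bits.
    """
    return 2 ** bits if rerandomized else 2 ** (bits - 1)


def triage(results: List[TestResult]) -> Dict[str, object]:
    """Summarise what in a paxtest run actually needs attention."""
    rand = [r for r in results if r.status == "randomized"]
    weakest = min(rand, key=lambda r: r.bits) if rand else None
    return {
        "protected": sum(1 for r in results if r.status == "protected"),
        "vulnerable": [r.name for r in results if r.status == "vulnerable"],
        "inconclusive": [r.name for r in results if r.status == "inconclusive"],
        "weakest_randomization": weakest.name if weakest else None,
        "weakest_bits": weakest.bits if weakest else None,
        "expected_guesses": expected_guesses(weakest.bits) if weakest else None,
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_paxtest(text)
    for r in parsed:
        extra = f" ({r.bits} bits)" if r.bits is not None else (f" [{r.note}]" if r.note else "")
        print(f"{r.status:12} {r.name}{extra}")
    print(triage(parsed))
```

Run it as `python3 paxtest_triage.py < paxtest.log` against a real log (paxtest writes one, as the output above says). The design point is that the return-to-function lines are not a finding in themselves: with the numbers from the thread the weakest region has 28 bits, so an attacker who cannot read addresses faces on the order of 2^27 attempts against a fixed layout, which is the difference between the 64-bit and 32-bit situations the article describes.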

----------

