From owner-freebsd-chat Wed Dec 8 14:35:25 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 74AE414A25;
	Wed, 8 Dec 1999 14:35:19 -0800 (PST)
	(envelope-from bright@wintelcom.net)
Received: from localhost (bright@localhost)
	by fw.wintelcom.net (8.9.3/8.9.3) with ESMTP id PAA20580;
	Wed, 8 Dec 1999 15:03:28 -0800 (PST)
Date: Wed, 8 Dec 1999 15:03:28 -0800 (PST)
From: Alfred Perlstein
To: Roelof Osinga
Cc: Jonathon McKitrick, Kris Kennaway, freebsd-chat
Subject: Re: Yahoo hacked last night
In-Reply-To: <384ED9C2.348253DC@nisser.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 8 Dec 1999, Roelof Osinga wrote:

> Alfred Perlstein wrote:
> >
> > For a function to be able to return to its caller it must store the
> > return address on the stack, what a buffer overflow generally does
> > is overwrite that return address with a pointer to some more data
> > on the stack which is actually machine instructions to exec a shell.
>
> How? Wouldn't it be a tremendous happenstance if the buffer that
> overflows actually just happens to be where the stack is?

It's common in C where automatic variables are allocated on the stack.

> If you
> overflow a buffer you write bytes into dataspace where, in a
> protected environment, it won't get executed.

Not if it's on the stack.

> No matter what you
> push onto the return stack. Worse, the i386 has several exceptions
> it can raise to signal stack over- and underflows so the stack could
> be a fairly well controlled environment. Actually, the same can be
> done for data space segments as well. Thereby preventing buffer
> overflows from overflowing into code space.

The problem is that memory protection can really only be done in
page-sized chunks.
> Maybe if you had aliased segments to allow access by anything to
> anything you could do this easily. But otherwise?

The stack is executable; check the mailing lists for "trampoline",
this hasn't come up in almost a year.

> Well... easily? Bit of an understatement. Not only do you need
> the right bytes at the right time, you also need the right buffer to
> overflow so the right bytes get put at the right place. Would still
> be a neat trick.

It's not difficult if you have the source or a lot of time on your hands.

-Alfred
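The mechanism Alfred describes above (an automatic buffer, the saved return address just above it, and an oversized copy that lands a pointer back into the buffer on that slot), as an added example that is not part of the thread and not anyone's exploit code. It models one i386 frame as a flat byte array and copies into that model, so it runs safely anywhere; the buffer size, the frame offsets, the addresses 0x08048500 and 0xbffff710 and the 0xcc stand-in for shellcode are all assumptions for illustration. The bounded copy beside it is the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of one i386 frame, modelled as flat bytes (not a real stack). */
#define BUF_SIZE      64               /* char buf[64], an automatic variable   */
#define SAVED_EBP_OFF BUF_SIZE         /* saved frame pointer sits right above it */
#define RET_OFF       (BUF_SIZE + 4)   /* then the saved return address          */
#define FRAME_SIZE    (RET_OFF + 4)

#define ORIG_RET 0x08048500u   /* assumed return address into the caller */
#define BUF_ADDR 0xbffff710u   /* assumed stack address of buf (no zero bytes) */
#define SLED_LEN 32            /* NOP sled; the guessed target lands mid-sled */

struct sim_frame { uint8_t bytes[FRAME_SIZE]; };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void frame_init(struct sim_frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    put_le32(f->bytes + SAVED_EBP_OFF, 0xbffff800u);  /* assumed caller's EBP */
    put_le32(f->bytes + RET_OFF, ORIG_RET);
}

static uint32_t frame_ret(const struct sim_frame *f) { return get_le32(f->bytes + RET_OFF); }

/* The bug: a strcpy-style copy stops only at NUL, so input longer than BUF_SIZE
 * runs over the saved EBP and the return address. The model clamps at FRAME_SIZE
 * so the simulation itself never writes out of bounds. */
static void vulnerable_copy(struct sim_frame *f, const uint8_t *src, size_t len) {
    for (size_t i = 0; i < len && i < FRAME_SIZE && src[i] != 0; i++)
        f->bytes[i] = src[i];
}

/* The fix: bound the copy by the destination, not by the input. */
static void safe_copy(struct sim_frame *f, const uint8_t *src, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1, i;
    for (i = 0; i < n && src[i] != 0; i++) f->bytes[i] = src[i];
    f->bytes[i] = 0;
}

/* Classic payload shape: NOP sled, a placeholder for the shell-spawning code
 * (0xcc, int3, stands in; there is no real shellcode here), then the guessed
 * sled address repeated so one copy lands exactly on the return slot. */
static size_t build_payload(uint8_t *out, size_t cap) {
    size_t n = 0;
    memset(out, 0x90, SLED_LEN);   n = SLED_LEN;
    memset(out + n, 0xcc, 16);     n += 16;
    while (n + 4 <= cap) { put_le32(out + n, BUF_ADDR + SLED_LEN / 2); n += 4; }
    return n;
}

/* A zero byte anywhere would stop the strcpy-style copy early, which is why the
 * assumed address was chosen so its little-endian bytes contain none. */
static int payload_is_nul_free(void) {
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, sizeof payload);
    for (size_t i = 0; i < n; i++) if (payload[i] == 0) return 0;
    return 1;
}

static int ret_points_into_sled(uint32_t ret) {
    return ret >= BUF_ADDR && ret < BUF_ADDR + SLED_LEN;
}

static uint32_t run_vulnerable(void) {
    struct sim_frame f; uint8_t payload[FRAME_SIZE];
    frame_init(&f);
    size_t n = build_payload(payload, sizeof payload);
    vulnerable_copy(&f, payload, n);
    return frame_ret(&f);   /* now the guessed address inside the sled */
}

static uint32_t run_safe(void) {
    struct sim_frame f; uint8_t payload[FRAME_SIZE];
    frame_init(&f);
    size_t n = build_payload(payload, sizeof payload);
    safe_copy(&f, payload, n);
    return frame_ret(&f);   /* still ORIG_RET */
}

int main(void) {
    uint32_t bad = run_vulnerable(), ok = run_safe();
    printf("unbounded copy: ret=0x%08x, in sled: %s\n", bad, ret_points_into_sled(bad) ? "yes" : "no");
    printf("bounded copy:   ret=0x%08x, intact:  %s\n", ok, ok == ORIG_RET ? "yes" : "no");
    return 0;
}
```

The sled is what removes the "tremendous happenstance" objection: the attacker only needs the guessed address to land somewhere in the run of NOPs, not on an exact byte. On a current system the same write would still land on the return slot, but a stack canary, a non-executable stack and ASLR each independently break the step where execution continues into the buffer; the 1999 discussion predates all three being common.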