Date: Sun, 9 Feb 1997 14:26:31 -0700 (MST) From: Marc Slemko <marcs@znep.com> To: freebsd-security@FreeBSD.org Subject: Re: buffer overruns Message-ID: <Pine.BSF.3.95.970209140207.11077I-100000@alive.ampr.ab.ca> In-Reply-To: <Pine.BSF.3.95.970209150710.18300A-100000@alpha.risc.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 9 Feb 1997, Brian Tao wrote:
> On Sun, 9 Feb 1997, Richard Holland wrote:
> >
> > So the set locale bug is this only put differently. It allocates X
> > amount of bytes for the buffer, and people put to much junk into it,
> > causing it to step into other memory addresses.
>
> Essentially, yes. Specifically, you can overrun the allocated
> amount of memory so that it clobbers the return address from the
> function (i.e., where the next piece of code is found once your
> function returns) and points it to a new piece of code you just
> inserted with the overflow data.
While that is currently one of the most popular methods of exploiting
overflows, it is important to remember that is _not_ the only method;
there are many, many others. This is the reason why it is so difficult
for people who fix them to say "yes, this is a big hole" or "no, you don't
have to worry about this. If and how it can be exploited depends on many
things, including architecture, compiler, optimization, etc. Some, like
the problem with man in the -current tree a while ago, almost certainly
could be exploited and you could gain root if root ever used man. It
wasn't in any release, so I didn't make a big deal about it but just got
it fixed. Other problems would take hours of analysis before you could be
confident that there is absolutely no way to exploit it.
For anyone unfamiliar with the basic concepts, consider the following
code:
int main (int argc, char *argv[]) {
int give_root_shell=0;
char t[1];
strcpy(t, argv[1]);
if (give_root_shell) system("/bin/sh");
return 0;
}
Compile it without any optimization, then run it with a command line
argument of 'x'. (eg. "./a.out x"). Then run it with a command line
argument of 'xx'. The first shouldn't give you a shell, the second often
will. Then compile it with -O. Now you will likely not be able to get a
'xx' because the compiler may well optimize out give_root_shell entirely.
Note that very few buffer overflows are as trivial as this, but if you
play around with it a bit you can quickly see how complex it can be to
figure out.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970209140207.11077I-100000>