From owner-freebsd-security Sun Feb 9 13:27:12 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA10116 for security-outgoing; Sun, 9 Feb 1997 13:27:12 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA10109 for ; Sun, 9 Feb 1997 13:27:09 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.7.3) with UUCP id OAA18887 for freebsd-security@FreeBSD.org; Sun, 9 Feb 1997 14:27:02 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id OAA12390 for ; Sun, 9 Feb 1997 14:26:32 -0700 (MST) Date: Sun, 9 Feb 1997 14:26:31 -0700 (MST) From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: freebsd-security@FreeBSD.org Subject: Re: buffer overruns In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Sun, 9 Feb 1997, Brian Tao wrote: > On Sun, 9 Feb 1997, Richard Holland wrote: > > > > So the set locale bug is this only put differently. It allocates X > > amount of bytes for the buffer, and people put to much junk into it, > > causing it to step into other memory addresses. > > Essentially, yes. Specifically, you can overrun the allocated > amount of memory so that it clobbers the return address from the > function (i.e., where the next piece of code is found once your > function returns) and points it to a new piece of code you just > inserted with the overflow data. While that is currently one of the most popular methods of exploiting overflows, it is important to remember that is _not_ the only method; there are many, many others. This is the reason why it is so difficult for people who fix them to say "yes, this is a big hole" or "no, you don't have to worry about this. If and how it can be exploited depends on many things, including architecture, compiler, optimization, etc. Some, like the problem with man in the -current tree a while ago, almost certainly could be exploited and you could gain root if root ever used man. It wasn't in any release, so I didn't make a big deal about it but just got it fixed. Other problems would take hours of analysis before you could be confident that there is absolutely no way to exploit it. For anyone unfamiliar with the basic concepts, consider the following code: int main (int argc, char *argv[]) { int give_root_shell=0; char t[1]; strcpy(t, argv[1]); if (give_root_shell) system("/bin/sh"); return 0; } Compile it without any optimization, then run it with a command line argument of 'x'. (eg. "./a.out x"). Then run it with a command line argument of 'xx'. The first shouldn't give you a shell, the second often will. Then compile it with -O. Now you will likely not be able to get a 'xx' because the compiler may well optimize out give_root_shell entirely. Note that very few buffer overflows are as trivial as this, but if you play around with it a bit you can quickly see how complex it can be to figure out.