Date:      Mon, 17 Feb 1997 23:43:05 -0800
From:      obrien@NUXI.com (David O'Brien)
To:        cmott@srv.net (Charles Mott)
Cc:        freebsd-chat@freebsd.org
Subject:   Re: Countering stack overflow
Message-ID:  <19970217234305.NF08438@dragon.nuxi.com>
In-Reply-To: <Pine.BSF.3.91.970217204736.3518C-100000@darkstar>; from Charles Mott on Feb 17, 1997 21:10:17 -0700
References:  <199702180343.TAA03412@root.com> <Pine.BSF.3.91.970217204736.3518C-100000@darkstar>

Charles Mott writes:
> The whole point of the stack overflow attack, as it has been explained to 
...
> I am mainly interested in this vulnerability since it seems to allow an
> outsider to waltz into your machine and gain root privilege immediately.  
> It seems to be much more serious than the other security problems.

Not so.  It is just the vulnerability of the quarter (I'm a grad
student).  Over the summer, I was seeing tons of symlink vulnerabilities.
My favorite "get root" exploit is the /bin/mail race on SunOS and Ultrix.
Works beautifully.  My favorite sendmail bug was when the "debug" array
indexes weren't checked and you could write outside the "debug" array to
replace "/etc/sendmail.cf" with "/tmp/sendmail.cf".  Thus running your
own sendmail.cf file in trusted mode (i.e. it didn't drop permissions like it
usually does if you provide it with a non-default sendmail.cf file).

So what I'm trying to say is stack overflow attacks are not the most
serious.  They are all equally serious.  And many other vulnerabilities
are easier to exploit than the stack overflow vulnerability.
 
> I agree that going to strncpy's is a good idea, I am just personally
> curious about adding an extra layer of security.
                                         ^^^^^^^^
                                         obscurity

-- 
-- David	(obrien@NUXI.com  -or-  obrien@FreeBSD.org)
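The thread above mentions moving to strncpy as the fix for fixed-size buffer overflows. The following is an added example, not code from this message or from FreeBSD, showing the defensive side of that change: a bounded copy helper (hypothetical, written for this example; it has the same contract as strlcpy) that always NUL-terminates and reports truncation so the caller can reject over-long input, alongside a check for the one strncpy pitfall a reviewer should look for, namely that strncpy leaves no terminator when the source fills the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstsz bytes) and always NUL-terminate.
 * Returns strlen(src); a return value >= dstsz means the input was
 * truncated, which the caller should treat as an error rather than
 * silently continue with a mangled value.  Hypothetical helper
 * written for this example, same contract as BSD strlcpy. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Shows the strncpy pitfall: copying a source at least as long as the
 * buffer fills every byte and leaves no NUL.  Returns 1 if the result
 * is terminated, 0 if it is not (a later strlen/printf would run past
 * the buffer). */
int strncpy_terminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened request handler.  The pre-fix pattern this replaces is an
 * unbounded strcpy(name, input) into the same 16-byte stack buffer.
 * Returns the accepted name length, or -1 when the input is rejected
 * for being too long (constructed example, not a real service). */
int handle_request(const char *input)
{
    char name[16];
    if (bounded_copy(name, sizeof name, input) >= sizeof name)
        return -1;              /* reject: would overflow or be truncated */
    return (int)strlen(name);
}

int main(void)
{
    printf("strncpy(\"short\") terminated: %d\n", strncpy_terminated("short"));
    printf("strncpy(\"definitely-too-long\") terminated: %d\n",
           strncpy_terminated("definitely-too-long"));
    printf("handle_request(\"alice\") = %d\n", handle_request("alice"));
    printf("handle_request(long) = %d\n",
           handle_request("this-name-is-far-too-long"));
    return 0;
}
```

The design point is that a bounded copy alone is not the whole fix: the caller must also check for truncation, otherwise a length check simply turns a memory-safety bug into a silent data-corruption bug.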



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970217234305.NF08438>