Date: Tue, 12 Sep 2000 01:11:06 +0400 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu> Cc: freebsd-security@FreeBSD.ORG Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD] Message-ID: <20000912011105.A40182@nagual.pp.ru> In-Reply-To: <20000911224221.A14920@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Mon, Sep 11, 2000 at 10:42:21PM %2B0200 References: <20000911224221.A14920@petra.hos.u-szeged.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
> As far as there is no way to construct a string containing more 0x0's in > standard C, we can profit from a feature (bug?) in the passing of > environment variables by execve function. execve() will pass empty env > strings (pointers to zeros, _not_ NULL pointers) AS IS, so passing e.g. > environ[a] = empty, environ[a] = empty will lead to two 0x0#s pushed > somewhere onto the stack... With this feature we can construct an array > of arbitrary data on the bottom of the called programm's stack. If this > array can be reached from a fmt-vulnerable function, we can write to ANY > VMA address including also the .data section of a BSD process. Obviously this bug is too general and not related to screen only. It seems we need to fix execve() to prevent this. -- Andrey A. Chernov <ache@nagual.pp.ru> http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000912011105.A40182>