From owner-freebsd-security Sun Feb 9 15:27:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA17337 for security-outgoing; Sun, 9 Feb 1997 15:27:25 -0800 (PST)
Received: from kirk.edmweb.com (kirk.edmweb.com [204.244.190.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA17332 for ; Sun, 9 Feb 1997 15:27:22 -0800 (PST)
Received: from bitbucket (bitbucket.edmweb.com [204.244.190.9]) by kirk.edmweb.com (8.8.5/8.7.3) with ESMTP id PAA16790; Sun, 9 Feb 1997 15:27:15 -0800 (PST)
Received: from localhost by bitbucket with smtp id m0vtieT-000CGkC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 9 Feb 1997 15:27:17 -0800 (PST)
Date: Sun, 9 Feb 1997 15:27:14 -0800 (PST)
From: Steve Reid
X-Sender: steve@bitbucket
Reply-To: Steve Reid
To: Marc Slemko
cc: freebsd-security@FreeBSD.org
Subject: Re: buffer overruns
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> > [snip] points it to a new piece of code you just inserted with the
> > overflow data.

> While that is currently one of the most popular methods of exploiting
> overflows, it is important to remember that is _not_ the only method;

IIRC, the RTM internet worm exploited an overflow in fingerd by overwriting
the filename string for the local finger program with "/bin/sh", which
caused it to execute a shell instead of a regular finger. No return address
manipulation was required.
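The class of overflow Steve describes, where the overrun clobbers an adjacent data field (here the path of the helper program) rather than a saved return address, is easy to show in a few lines of C. The following is an added example written for this page; it is not code from the message, from fingerd or from the worm, and the `struct request` layout, the `/usr/bin/finger` default and the `handle_*` function names are assumptions made up for the illustration. The vulnerable handler copies input with no bound; the hardened one rejects anything that does not fit and NUL-terminates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not fingerd's real data structures: a fixed-size
 * input buffer sits directly in front of the path of the helper program
 * that will later be executed on that input. */
struct request {
    char line[16];     /* attacker-controlled input */
    char program[32];  /* path of the helper to run afterwards */
};

#define HELPER "/usr/bin/finger"   /* assumed default, illustrative only */

/* Vulnerable handler: copies the input with no bound. Anything longer
 * than sizeof line runs straight on into program[], so the attacker
 * chooses what gets executed without touching any return address.
 * memcpy stands in for an unbounded gets()/read(). The clamp only keeps
 * the demo inside the struct object; a real overrun has no such limit. */
static void handle_vulnerable(struct request *r, const char *input, size_t len)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct request, line);
    size_t room = sizeof *r - offsetof(struct request, line);
    if (len > room)
        len = room;
    memcpy(dst, input, len);
}

/* Hardened handler: bound the copy by the destination size, reject
 * oversized input outright, and always NUL-terminate. */
static int handle_hardened(struct request *r, const char *input, size_t len)
{
    if (len >= sizeof r->line)
        return -1;
    memcpy(r->line, input, len);
    r->line[len] = '\0';
    return 0;
}

/* Attacker input: exactly enough filler to fill line[], then the path
 * (with its terminating NUL) so it lands at the start of program[].
 * Returns the payload length, or 0 if it does not fit in out[]. */
static size_t build_payload(char *out, size_t cap, const char *path)
{
    size_t fill = offsetof(struct request, program);  /* 16 bytes of filler */
    size_t plen = strlen(path) + 1;
    if (fill + plen > cap)
        return 0;
    memset(out, 'A', fill);
    memcpy(out + fill, path, plen);
    return fill + plen;
}

/* Path the vulnerable server would execute after the overflow. */
const char *program_after_vulnerable(void)
{
    static struct request r;
    char payload[64];
    size_t n;
    memset(&r, 0, sizeof r);
    memcpy(r.program, HELPER, sizeof HELPER);
    n = build_payload(payload, sizeof payload, "/bin/sh");
    handle_vulnerable(&r, payload, n);
    return r.program;            /* now "/bin/sh" */
}

/* Return code of the hardened handler on the same payload (-1 = rejected). */
int hardened_result(void)
{
    struct request r;
    char payload[64];
    size_t n;
    memset(&r, 0, sizeof r);
    memcpy(r.program, HELPER, sizeof HELPER);
    n = build_payload(payload, sizeof payload, "/bin/sh");
    return handle_hardened(&r, payload, n);
}

/* Path the hardened server still holds after rejecting the payload. */
const char *program_after_hardened(void)
{
    static struct request r;
    char payload[64];
    size_t n;
    memset(&r, 0, sizeof r);
    memcpy(r.program, HELPER, sizeof HELPER);
    n = build_payload(payload, sizeof payload, "/bin/sh");
    (void)handle_hardened(&r, payload, n);
    return r.program;            /* still "/usr/bin/finger" */
}

int main(void)
{
    printf("vulnerable would exec: %s\n", program_after_vulnerable());
    printf("hardened rc=%d, would exec: %s\n", hardened_result(), program_after_hardened());
    return 0;
}
```

The point to take from it is that any field written after the buffer, whether a string, a flag or a function pointer, is a target; stack canaries and non-executable stacks do nothing for this case, and only bounding the copy by the destination size closes it.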