From owner-freebsd-security  Sun Jul 19 14:49:32 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA27714
          for freebsd-security-outgoing; Sun, 19 Jul 1998 14:49:32 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts05-119.dublin.indigo.ie [194.125.220.129])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA27695
          for <security@FreeBSD.ORG>; Sun, 19 Jul 1998 14:49:28 -0700 (PDT)
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id WAA00967;
	Sun, 19 Jul 1998 22:43:59 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199807192143.WAA00967@indigo.ie>
Date: Sun, 19 Jul 1998 22:43:58 +0000
In-Reply-To: <199807192047.OAA02264@lariat.lariat.org>; Brett Glass <brett@lariat.org>
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 19,  2:47pm, Brett Glass wrote:
} Subject: The 99,999-bug question: Why can you execute from the stack?
> We're going to be spending about a man-month rebuilding a complex system
> that was hacked due to a buffer overflow exploit. Looking back at our
> system log files, I can see exactly how the hack was done and how the
> perpetrator was able to get root.
> 
> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack? The Intel
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it. Why does the OS leave
> this gigantic hole open? Why not just close it?

Making the stack non executable doesn't stop buffer overflow attacks;
see www.geek-girl.com/bugtraq/ for more information.  Its still
useful for stopping script monkeys though so I ordered a set of
intel manuals with the idea of doing this but I haven't got around
to it yet, maybe soon.

Niall

-- 
Niall Smart.        PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message