From owner-freebsd-security Sun Oct 28 6: 8:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 6FB4B37B408 for ; Sun, 28 Oct 2001 06:08:31 -0800 (PST)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 1CB721DA7; Sun, 28 Oct 2001 15:08:30 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id C9E28559F; Sun, 28 Oct 2001 15:08:30 +0100 (CET)
Date: Sun, 28 Oct 2001 15:08:30 +0100 (CET)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: Yuri Muhitov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: BUFFER OVERFLOW EXPLOITS
In-Reply-To: <2E8E747BA4D4994CB49D56AF57F1728208B295@adv.KOSTASOFT.kostasoft.spb.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 28 Oct 2001, Yuri Muhitov wrote:

> Hi!
>
> How does a 'buffer overflow' exploit work in detail?
> How can an attacker execute arbitrary code on the attacked machine?
> What about 'stack overflow' and 'changing return address' in a procedure call?

See Aleph1's "Smashing the stack for fun and profit", Phrack 49. It explains the problem and exploitation techniques.

> Is this a programming, compiler or compiling options error?
> How to avoid this problem in practice (writing programs)?

This is a programmer's error. Most commonly, it occurs when someone copies data to a statically allocated buffer without boundary checking. Say you allocated char[1024] and your program allows the user to write more data to this buffer. Extra user input lands in the memory area after the buffer, which may produce interesting results.

Look for papers on "secure programming". IIRC there's a section in the FreeBSD handbook and the Linux Secure Programming HOWTO. These papers also deal with other programming issues (i.e. insecure /tmp file permissions) that may be exploitable.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
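The char[1024] case from the reply above, as an added C example that is not part of the message and not FreeBSD code: the unchecked copy that the reply describes, beside a version that checks the length against the buffer size and refuses input that would not fit. BUF_SIZE, copy_unchecked, store_input and handle_request are names made up here, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size buffer, as in the reply's char[1024] example. */
#define BUF_SIZE 1024

/* The defect the reply describes: user data is copied into a fixed
 * stack buffer with no check against its size. strcpy() stops at the
 * input's NUL, not at the end of buf, so input of 1024 bytes or more
 * overruns buf and overwrites whatever the compiler placed after it
 * (other locals, saved registers, the return address). Shown only for
 * comparison; it is never called with oversize input here. */
void copy_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);         /* no boundary check */
    (void)buf;
}

/* Hardened form (hypothetical helper, not from the message): the caller
 * passes the destination size and the input length explicitly, and the
 * copy is refused when the data plus its terminating NUL would not fit.
 * Refusing is chosen over silent truncation so the caller can report
 * the oversize request instead of processing a mangled value. */
bool store_input(char *dst, size_t dst_size, const char *data, size_t data_len)
{
    if (dst_size == 0 || data_len >= dst_size)
        return false;           /* would overflow: reject */
    memcpy(dst, data, data_len);
    dst[data_len] = '\0';
    return true;
}

/* Constructed request handler built on the checked copy. Returns 0 when
 * the input was stored, -1 when it was rejected as too large for BUF_SIZE. */
int handle_request(const char *data, size_t data_len)
{
    char buf[BUF_SIZE];
    if (!store_input(buf, sizeof buf, data, data_len))
        return -1;
    /* ... process buf ... */
    return 0;
}

int main(void)
{
    /* Constructed inputs: a short string and a 5000-byte run of 'A'. */
    static char big[5000];
    memset(big, 'A', sizeof big);

    printf("short input: %d\n", handle_request("hello", 5));          /* 0 */
    printf("1023 bytes:  %d\n", handle_request(big, BUF_SIZE - 1));  /* 0 */
    printf("1024 bytes:  %d\n", handle_request(big, BUF_SIZE));      /* -1 */
    printf("5000 bytes:  %d\n", handle_request(big, sizeof big));    /* -1 */
    return 0;
}
```

The boundary case is the 1024-byte input: it is exactly the buffer's size, but with the terminating NUL it needs 1025 bytes, so `data_len >= dst_size` is the right test rather than `data_len > dst_size`. An off-by-one there is itself a one-byte overflow.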