From owner-freebsd-security Mon Feb 10 03:58:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA27631 for security-outgoing; Mon, 10 Feb 1997 03:58:55 -0800 (PST)
Received: from char-star.rdist.org (char-star.rdist.org [206.54.252.22]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id DAA27625 for ; Mon, 10 Feb 1997 03:58:51 -0800 (PST)
From: tqbf@enteract.com
Received: (qmail 27808 invoked by uid 1001); 10 Feb 1997 11:59:41 -0000
Date: 10 Feb 1997 11:59:41 -0000
Message-ID: <19970210115941.27807.qmail@char-star.rdist.org>
To: dufault@hda.com, freebsd-security@freebsd.org
Subject: Re: buffer overruns
In-Reply-To: <199702100954.EAA08773@hda.hda.com>
Reply-To: tqbf@enteract.com
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article <199702100954.EAA08773@hda.hda.com>, you wrote:

>Is the stack executable? I've been assuming the exploits modify

Yes.

>the stack to return to a built up call to "system" or something

system() is a library routine that decays to an execve() (which is a
system call) of /bin/sh with arguments indicating the command line to be
run. There's no guarantee that system() will even be accessible from any
given program, let alone that it'll be at some fixed address. System calls
are always accessed the same way (on FreeBSD, either lcall(7,0) or int 80h).

>else in the library with their own args setup. I've been assuming
>that executing data isn't part of modern exploits.

You're assuming that the exploits overwrite the return address to point to
system("/bin/sh"), and somehow manipulate the stack to have the correct
arguments. They don't. Stack overrun exploits overwrite the return address
to point to some region of memory (usually the stack) that the attacker has
control over; the attacker ensures that that area of memory contains
executable opcodes that will do what the attacker wants (usually
execve()'ing a shell).
>Has anyone seen modifications to gcc to generate guard bands around
>automatics and stack check sequences? The automatics can be checked

On SunOS, yep. It broke a lot of things we tried compiling.

--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
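The mechanism Ptacek describes, an unchecked copy that runs past a fixed-size local buffer into the saved return address, after which "return" jumps wherever the attacker wrote, shown as an added example. This is illustrative code written for this page, not code from the thread or from FreeBSD. The frame is simulated as one byte array (buffer first, saved return address immediately after it) so the overrun stays inside a real C object and the program behaves the same at any optimisation level; the function names (copy_unchecked, copy_checked, build_payload, attacker_code) and the 16-byte buffer size are assumptions. The "attacker code" is an ordinary function in the binary rather than opcodes placed on the stack, because on current systems the stack is normally not executable; the redirection of control is the same. The bounds check in copy_checked is the fix the vulnerable path lacks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*code_ptr)(void);

/* Simulated stack frame: a 16-byte local buffer followed directly by the
 * saved return address. Both live in one byte array so every write in the
 * simulation lands inside a real C object (assumed layout for this demo). */
enum { BUF_LEN = 16, FRAME_LEN = BUF_LEN + sizeof(code_ptr) };

static int attacker_ran;
static int legit_ran;

/* Where control should go when the function returns normally. */
static void legit_return_site(void) { legit_ran = 1; }

/* Stands in for the opcodes an exploit places in attacker-controlled
 * memory; a real payload is a short execve("/bin/sh") sequence ending in
 * a system call (int 0x80 / lcall on FreeBSD i386, as the reply says). */
static void attacker_code(void) { attacker_ran = 1; }

/* "ret": load whatever now sits in the return-address slot and jump there. */
static void frame_return(const unsigned char *frame)
{
    code_ptr target;
    memcpy(&target, frame + BUF_LEN, sizeof target);
    target();
}

/* Fresh frame with a legitimate saved return address. */
static void frame_init(unsigned char *frame)
{
    code_ptr legit = legit_return_site;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &legit, sizeof legit);
}

/* Vulnerable: copies len bytes into a BUF_LEN buffer without checking.
 * Anything past BUF_LEN overwrites the saved return address. */
void copy_unchecked(const unsigned char *data, size_t len)
{
    unsigned char frame[FRAME_LEN];
    frame_init(frame);
    if (len > FRAME_LEN) len = FRAME_LEN;   /* keeps the simulation inside its array */
    memcpy(frame, data, len);               /* the bug: no check against BUF_LEN */
    frame_return(frame);
}

/* Hardened: the same copy, but input that does not fit is rejected. */
int copy_checked(const unsigned char *data, size_t len)
{
    unsigned char frame[FRAME_LEN];
    frame_init(frame);
    if (len > BUF_LEN)
        return -1;                          /* bound check the vulnerable path lacks */
    memcpy(frame, data, len);
    frame_return(frame);
    return 0;
}

/* Constructed attacker input: BUF_LEN bytes of filler (where shellcode would
 * sit), then the address of the code to run, in native byte order, placed
 * exactly over the saved return address. */
size_t build_payload(unsigned char *out, size_t cap)
{
    code_ptr target = attacker_code;
    if (cap < FRAME_LEN)
        return 0;
    memset(out, 0x90, BUF_LEN);             /* 0x90 is the x86 NOP, the classic filler */
    memcpy(out + BUF_LEN, &target, sizeof target);
    return FRAME_LEN;
}

/* Returns 1 if the unchecked copy handed control to attacker_code. */
int hijacked_when_unchecked(void)
{
    unsigned char payload[FRAME_LEN];
    size_t n = build_payload(payload, sizeof payload);
    attacker_ran = legit_ran = 0;
    copy_unchecked(payload, n);
    return attacker_ran && !legit_ran;
}

/* Returns 1 if the checked copy refused the same payload outright. */
int rejected_when_checked(void)
{
    unsigned char payload[FRAME_LEN];
    size_t n = build_payload(payload, sizeof payload);
    attacker_ran = legit_ran = 0;
    return copy_checked(payload, n) == -1 && !attacker_ran;
}

/* Returns 1 if well-formed input still returns to the legitimate site. */
int legit_when_fits(void)
{
    const unsigned char hello[] = "hello";  /* constructed input that fits */
    attacker_ran = legit_ran = 0;
    return copy_checked(hello, sizeof hello) == 0 && legit_ran && !attacker_ran;
}

int main(void)
{
    printf("unchecked copy: attacker code ran = %d\n", hijacked_when_unchecked());
    printf("checked copy:   payload rejected  = %d\n", rejected_when_checked());
    printf("checked copy:   good input ok     = %d\n", legit_when_fits());
    return 0;
}
```

The payload is what an exploit writes: filler up to the control-flow slot, then the new address in the machine's own byte order. On a real stack the filler is the shellcode itself and the address points back into it, which is why the reply stresses that the stack must be executable for this to work; a guard band or stack check of the kind asked about in the quoted question would sit between the buffer and the return address and detect that the filler reached it.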