Date: Wed, 22 Jul 1998 08:53:47 -0600
From: Brett Glass <brett@lariat.org>
To: ben@rosengart.com
Cc: Jim Shankland <jas@flyingfox.com>, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <199807221453.IAA03997@lariat.lariat.org>
In-Reply-To: <Pine.GSO.4.00.9807220227001.4886-100000@echonyc.com>
References: <199807220613.AAA26581@lariat.lariat.org>

In that case, we have an as-yet-diagnosed bug in the system. We really
experienced disk corruption -- especially of directories -- during the
QPopper buffer overflow hack. Files got the wrong owners and permissions;
bitmaps were set wrong; the works. Every file that was touched between the
exploit and the next reboot was subject to these problems. It's a good
argument for stack protection.

--Brett

At 02:28 AM 7/22/98 -0400, Snob Art Genre wrote:
>On Wed, 22 Jul 1998, Brett Glass wrote:
>
>> The symptoms aren't hard to understand. As I found out when we
>> were hit by the same hack, buffer overflow exploits also
>> hose memory.... The disk cache, kernel data, possibly even page tables
>> can be corrupted. Nothing's safe. If you do anything to your file
>> system before rebooting, you can wind up with corrupted directories
>> and worse. This happened to us.
>
>This doesn't sound correct. Buffer overflows can give you unauthorized
>access to user memory, but shouldn't give you access to kernel memory at
>all. Otherwise running "crashme" as root would have more effect than it
>does (none).
>
>
> Ben
>
>"You have your mind on computers, it seems."
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message