From owner-freebsd-security  Wed Jul 22 07:54:26 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA14893
          for freebsd-security-outgoing; Wed, 22 Jul 1998 07:54:26 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA14879
          for <security@FreeBSD.ORG>; Wed, 22 Jul 1998 07:54:20 -0700 (PDT)
          (envelope-from brett@lariat.org)
Received: (from brett@localhost)
	by lariat.lariat.org (8.8.8/8.8.8) id IAA03997;
	Wed, 22 Jul 1998 08:53:52 -0600 (MDT)
Message-Id: <199807221453.IAA03997@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 
Date: Wed, 22 Jul 1998 08:53:47 -0600
To: ben@rosengart.com
From: Brett Glass <brett@lariat.org>
Subject: Re: hacked and don't know why
Cc: Jim Shankland <jas@flyingfox.com>, ahd@kew.com, leec@adam.adonai.net,
        security@FreeBSD.ORG
In-Reply-To: <Pine.GSO.4.00.9807220227001.4886-100000@echonyc.com>
References: <199807220613.AAA26581@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In that case, we have an as-yet-diagnosed bug in the system. We
really experienced disk corruption -- especially of directories --
during the QPopper buffer overflow hack. Files got the wrong
owners and permissions; bitmaps were set wrong; the works. Every file
that was touched between the exploit and the next reboot was subject 
to these problems.

It's a good argument for stack protection.

--Brett


At 02:28 AM 7/22/98 -0400, Snob Art Genre wrote:
 
>On Wed, 22 Jul 1998, Brett Glass wrote:
>
>> The symptoms aren't hard to understand. As I found out when we
>> were hit by the same hack, buffer overflow exploits also
>> hose memory.... The disk cache, kernel data, possibly even page tables
>> can be corrupted. Nothing's safe. If you do anything to your file
>> system before rebooting, you can wind up with corrupted directories
>> and worse. This happened to us.
>
>This doesn't sound correct.  Buffer overflows can give you unauthorized
>access to user memory, but shouldn't give you access to kernel memory at
>all.  Otherwise running "crashme" as root would have more effect than it
>does (none).
>
>
> Ben
>
>"You have your mind on computers, it seems." 
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message