From owner-freebsd-chat  Sun Feb 16 22:29:59 1997
Return-Path: <owner-chat>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id WAA27064
          for chat-outgoing; Sun, 16 Feb 1997 22:29:59 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA27055
          for <freebsd-chat@FreeBSD.ORG>; Sun, 16 Feb 1997 22:29:52 -0800 (PST)
Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id QAA08745; Mon, 17 Feb 1997 16:59:38 +1030 (CST)
From: Michael Smith <msmith@atrad.adelaide.edu.au>
Message-Id: <199702170629.QAA08745@genesis.atrad.adelaide.edu.au>
Subject: Re: Countering stack overflow
In-Reply-To: <199702170607.QAA08532@genesis.atrad.adelaide.edu.au> from Michael Smith at "Feb 17, 97 04:37:50 pm"
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Mon, 17 Feb 1997 16:59:37 +1030 (CST)
Cc: cmott@srv.net, msmith@atrad.adelaide.edu.au, freebsd-chat@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-chat@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Michael Smith stands accused of saying:
> Charles Mott stands accused of saying:
> > 
> > The only mechanism I have seen for an intruder to gain control of the
> > executable stream is to rewrite a return address on the stack.  I don't
> > see how an overflow of a malloc()'ed buffer can allow someone to gain
> > control of your machine.
> 
> Think "change the behaviour of a function by altering its local
> variables".  

I should have pointed out here that munging values on the heap is also
quite rewarding.  Try spewing "///////////////////.../path/filename" over
the heap on an application that you know writes a private logfile and keeps
the path to said logfile on the heap.

If you can provide bogus input that gets logged as part of the
message, you may even be able to control what gets put into the file,
again, depending on the application in question.

You don't have to 'take control' of a program to use it to compromise
system security.

-- 
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control.         (ph)          +61-8-8267-3493   [[
]] Unix hardware collector.             "Where are your PEZ?" The Tick  [[