From owner-freebsd-chat Sun Feb 16 22:29:59 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA27064 for chat-outgoing; Sun, 16 Feb 1997 22:29:59 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA27055 for ; Sun, 16 Feb 1997 22:29:52 -0800 (PST)
Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id QAA08745; Mon, 17 Feb 1997 16:59:38 +1030 (CST)
From: Michael Smith
Message-Id: <199702170629.QAA08745@genesis.atrad.adelaide.edu.au>
Subject: Re: Countering stack overflow
In-Reply-To: <199702170607.QAA08532@genesis.atrad.adelaide.edu.au> from Michael Smith at "Feb 17, 97 04:37:50 pm"
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Mon, 17 Feb 1997 16:59:37 +1030 (CST)
Cc: cmott@srv.net, msmith@atrad.adelaide.edu.au, freebsd-chat@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-chat@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Michael Smith stands accused of saying:
> Charles Mott stands accused of saying:
> >
> > The only mechanism I have seen for an intruder to gain control of the
> > executable stream is to rewrite a return address on the stack. I don't
> > see how an overflow of a malloc()'ed buffer can allow someone to gain
> > control of your machine.
>
> Think "change the behaviour of a function by altering its local
> variables".

I should have pointed out here that munging values on the heap is also
quite rewarding. Try spewing "///////////////////.../path/filename" over
the heap on an application that you know writes a private logfile and
keeps the path to said logfile on the heap. If you can provide bogus
input that gets logged as part of the message, you may even be able to
control what gets put into the file, again, depending on the application
in question.
You don't have to 'take control' of a program to use it to compromise
system security.

--
]] Mike Smith, Software Engineer                msmith@gsoft.com.au [[
]] Genesis Software                           genesis@gsoft.com.au [[
]] High-speed data acquisition and       (GSM mobile) 0411-222-496 [[
]] realtime instrument control.             (ph) +61-8-8267-3493 [[
]] Unix hardware collector.      "Where are your PEZ?" The Tick [[
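The pattern Mike describes above, as an added illustration that is not part of the mailing-list post: a message buffer that happens to sit directly before the logfile path in memory, filled by a copy that never looks at the buffer's capacity. The example models the two neighbouring allocations as fixed offsets inside one simulated byte array so the demonstration stays well-defined C on any allocator; the sizes, offsets, path string, function names and the over-long input are all assumptions constructed for the example. It shows the unchecked copy beside the length-checked version that refuses input which would not fit.

```c
/* Added example, not part of the mailing-list post: a simulated heap region
 * in which a message buffer sits directly before the logfile path, as the
 * post describes. An unchecked copy of an over-long message runs past the
 * message buffer and clobbers the path; a length-checked copy refuses it.
 * The layout, sizes, names and sample values are assumptions made for
 * illustration only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP  16                      /* bytes reserved for the message */
#define PATH_CAP 32                      /* bytes reserved for the path */
#define MSG_OFF  0
#define PATH_OFF (MSG_OFF + MSG_CAP)     /* path is the message's neighbour */
#define HEAP_LEN (PATH_OFF + PATH_CAP)

#define ORIG_PATH "/var/log/app.log"     /* constructed sample path */

typedef struct { char bytes[HEAP_LEN]; } sim_heap;

static void heap_init(sim_heap *h) {
    memset(h->bytes, 0, HEAP_LEN);
    strcpy(h->bytes + PATH_OFF, ORIG_PATH);   /* 16 chars + NUL fits PATH_CAP */
}

/* 1 if the path still names the original file, 0 if it was overwritten. */
static int path_intact(const sim_heap *h) {
    return strcmp(h->bytes + PATH_OFF, ORIG_PATH) == 0;
}

/* Vulnerable pattern: copies without regard to MSG_CAP. The copy is clamped
 * to the simulated heap only so the demo stays well-defined C; a real
 * program would keep writing into whatever follows. */
static void store_message_unchecked(sim_heap *h, const char *msg) {
    size_t n = strlen(msg) + 1;
    if (n > HEAP_LEN - MSG_OFF) n = HEAP_LEN - MSG_OFF;
    memcpy(h->bytes + MSG_OFF, msg, n);
}

/* Hardened pattern: reject anything that does not fit together with its NUL.
 * Returns 0 on success, -1 if the message was refused. */
static int store_message_checked(sim_heap *h, const char *msg) {
    size_t n = strlen(msg);
    if (n >= MSG_CAP) return -1;
    memcpy(h->bytes + MSG_OFF, msg, n + 1);
    return 0;
}

/* Constructed over-long input: 24 bytes, eight more than MSG_CAP. */
static const char LONG_MSG[] = "AAAAAAAAAAAAAAAAAAAAAAAA";

/* Returns 1 if the unchecked copy corrupted the neighbouring path. */
int unchecked_corrupts_path(void) {
    sim_heap h;
    heap_init(&h);
    store_message_unchecked(&h, LONG_MSG);
    return !path_intact(&h);
}

/* Returns 1 if the checked copy refused the input and left the path alone. */
int checked_preserves_path(void) {
    sim_heap h;
    heap_init(&h);
    int rc = store_message_checked(&h, LONG_MSG);
    return rc == -1 && path_intact(&h);
}

/* Returns 1 if a message that fits is stored verbatim by the checked copy. */
int checked_accepts_short(void) {
    sim_heap h;
    heap_init(&h);
    int rc = store_message_checked(&h, "login ok");
    return rc == 0 && strcmp(h.bytes + MSG_OFF, "login ok") == 0 && path_intact(&h);
}

int main(void) {
    printf("unchecked copy corrupted path: %s\n", unchecked_corrupts_path() ? "yes" : "no");
    printf("checked copy kept path intact: %s\n", checked_preserves_path() ? "yes" : "no");
    printf("checked copy stores short msg:  %s\n", checked_accepts_short() ? "yes" : "no");
    return 0;
}
```

The point for a reviewer is that the path was never "taken control of" in the sense of a hijacked return address; it was simply data that lived next to an unbounded write. The fix is the same whether the neighbour is a path, a flag or a function pointer: every copy into a heap buffer carries the buffer's capacity, and input that does not fit is rejected rather than truncated silently.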