Date:      Mon, 29 Jun 1998 12:15:07 +0400
From:      "bazilio" <bazilio@monitor.voronezh.su>
To:        <freebsd-security@FreeBSD.ORG>
Cc:        <andrew@squiz.co.nz>
Subject:   Re: non-executable stack?
Message-ID:  <199806290901.CAA06183@hub.freebsd.org>


On Sun, 28 Jun 1998 17:26:30 +1200 (NZST) you wrote:

>> You misunderstand.  My proposal, seemingly seconded by jtb, was to
>> allow the administrator to disallow the presence of non-printable ascii
>> characters in the environment or command line arguments at the time of
>> execve of certain processes.  We still don't know if this will have any
>> effect on security though, since no-one has checked to see if it's
>> possible to write shellcode using just printable ASCII.  It would
>> certainly
>> make life difficult for the attacker, since it would be impossible to
>> overwrite the saved eip with an address on the stack since the stack
>> is at the top of the address space around 0xFFxxxxxx or 0xEFxxxxxx.
>> 
>> Niall


>I know next to nothing about assembly level programming, but if you mean
>that there is a problem because 0xFF and 0xEF are out of bounds, then I
>figure this means very little if the attacker has access to a small range
>of arithmetic or bitwise operators to generate these characters.  With a
>little more effort, byte values could perhaps be borrowed from elsewhere,
>copying them from addressable locations.

	It's true, but I think the addition of this check will force attackers
to make much more effort. Arith and bitwise instructions can make anymore,
but exploiting code must contain instructions to obtain the current %eip
value, which is very hard without some opcodes. Also, I think that we must
add a sanity check not for printable characters, but for arch-specific
exploit-dangerous magic numbers and their sequences.

>Andrew McNaughton

Thanks,  Vasily.

I prefer to use FreeBSD at all.
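
An added example, not part of the original message or of FreeBSD: a userland sketch in C of the check Niall proposes above, denying an execve whose argv or envp contains a byte outside printable ASCII (0x20 to 0x7e). The function names and the sample strings are assumptions made for illustration; the constructed environment value ends in the little-endian bytes of an address in the 0xEFxxxxxx range, whose high byte fails the check.

```c
#include <stddef.h>
#include <stdio.h>

/* Printable ASCII is 0x20..0x7e; every other byte value is rejected. */
static int byte_ok(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Scan a NULL-terminated vector of C strings (argv or envp layout).
 * Returns -1 if all bytes are printable, else the index of the first
 * offending string, with the byte's offset and value stored via off/val. */
int first_nonprintable(char *const vec[], size_t *off, unsigned char *val)
{
    for (int i = 0; vec != NULL && vec[i] != NULL; i++) {
        const unsigned char *s = (const unsigned char *)vec[i];
        for (size_t j = 0; s[j] != '\0'; j++) {
            if (!byte_ok(s[j])) {
                *off = j;
                *val = s[j];
                return i;
            }
        }
    }
    return -1;
}

/* Hypothetical policy hook for one execve: 1 = allow, 0 = deny. */
int exec_args_allowed(char *const argv[], char *const envp[])
{
    char *const *vecs[2] = { argv, envp };
    const char *names[2] = { "argv", "envp" };
    for (int k = 0; k < 2; k++) {
        size_t off; unsigned char val;
        int i = first_nonprintable(vecs[k], &off, &val);
        if (i >= 0) {
            fprintf(stderr, "deny: %s[%d] has byte 0x%02x at offset %zu\n",
                    names[k], i, val, off);
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the last four bytes of X are the little-endian
     * encoding of 0xEF424344; only the high byte 0xEF is non-printable. */
    char *argv_ok[] = { "prog", "-v", NULL };
    char *env_bad[] = { "HOME=/root", "X=AAAADCB\xef", NULL };
    return exec_args_allowed(argv_ok, env_bad) ? 1 : 0; /* 0 = denied as expected */
}
```

The same filter also rejects tabs and any non-ASCII locale text in the environment, which is why the proposal limits it to certain processes chosen by the administrator.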




