From owner-freebsd-security Mon Jun 29 02:01:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA06209 for freebsd-security-outgoing; Mon, 29 Jun 1998 02:01:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from monitor.voronezh.su (dialup33.vrn.ru [195.98.64.191]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA06183 for ; Mon, 29 Jun 1998 02:01:00 -0700 (PDT) (envelope-from BAZILIO@monitor.voronezh.su)
Message-Id: <199806290901.CAA06183@hub.freebsd.org>
Received: from bazilio [192.168.100.21] by monitor.voronezh.su [127.0.0.1] with SMTP (MDaemon.v2.7.SP0.R) for ; Mon, 29 Jun 98 12:17:15 +0400
From: "bazilio"
To:
CC:
Subject: Re: non-executable stack?
Date: Mon, 29 Jun 1998 12:15:07 +0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 7bit
X-MDaemon-Deliver-To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 28 Jun 1998 17:26:30 +1200 (NZST) you wrote:

>> You misunderstand. My proposal, seemingly seconded by jtb, was to
>> allow the administrator to disallow the presence of non-printable ASCII
>> characters in the environment or command line arguments at the time of
>> execve of certain processes. We still don't know if this will have any
>> effect on security though, since no-one has checked to see if it's possible
>> to write shellcode using just printable ASCII. It would certainly
>> make life difficult for the attacker, since it would be impossible to
>> overwrite the saved eip with an address on the stack since the stack
>> is at the top of the address space around 0xFFxxxxxx or 0xEFxxxxxx.
>>
>> Niall

>I know next to nothing about assembly level programming, but if you mean
>that there is a problem because 0xFF and 0xEF are out of bounds, then I
>figure this means very little if the attacker has access to a small range
>of arithmetic or bitwise operators to generate these characters. With a
>little more effort, byte values could perhaps be borrowed from elsewhere,
>copying them from addressable locations.

It's true, but I think the addition of this check will force attackers to
make much more effort. Arithmetic and bitwise instructions can make anything,
but exploit code must contain instructions to obtain the current %eip value,
which is very hard without certain opcodes. Also, I think that we must add a
sanity check not for printable characters, but for arch-specific,
exploit-dangerous magic numbers and their sequences.

>Andrew McNaughton

Thanks,
Vasily.
I prefer to use FreeBSD at all.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
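The check Niall proposes above (refusing an execve whose argv or envp contains bytes outside printable ASCII) is easy to model in user space, and doing so shows exactly what such a policy would and would not catch: a byte such as 0xFF or 0xEF, which the quoted discussion notes is needed for a stack address, can never pass, while anything in 0x20..0x7E passes unchanged. The following is an added example written for this page, not code from the thread or from FreeBSD; the function names (`first_nonprintable`, `vector_is_clean`, `execve_args_allowed`) and the `allow_whitespace` policy knob are assumptions made for illustration, and the sample argv/envp vectors are constructed.

```c
/* Added example, not from the mailing-list thread or FreeBSD: a user-space
 * model of an execve-time filter that rejects non-printable bytes in argv
 * and envp.  All function names here are hypothetical. */
#include <stdio.h>
#include <stddef.h>

/* Printable ASCII is 0x20 (space) through 0x7E (tilde).  Whether tab and
 * newline are acceptable is a policy question the thread leaves open, so
 * the caller decides via allow_whitespace. */
static int is_printable_byte(unsigned char c, int allow_whitespace)
{
    if (c >= 0x20 && c <= 0x7E)
        return 1;
    if (allow_whitespace && (c == '\t' || c == '\n'))
        return 1;
    return 0;
}

/* Returns the offset of the first byte outside the allowed set, or -1 if
 * the whole NUL-terminated string is clean. */
long first_nonprintable(const char *s, int allow_whitespace)
{
    size_t i;
    for (i = 0; s[i] != '\0'; i++)
        if (!is_printable_byte((unsigned char)s[i], allow_whitespace))
            return (long)i;
    return -1;
}

/* Scans a NULL-terminated string vector (argv or envp).  Returns 1 if every
 * string is clean; otherwise returns 0 and, when the out-pointers are
 * non-NULL, reports which string and which byte offset failed, so an
 * administrator can see what was refused. */
int vector_is_clean(char *const vec[], int allow_whitespace,
                    size_t *bad_index, long *bad_offset)
{
    size_t i;
    for (i = 0; vec[i] != NULL; i++) {
        long off = first_nonprintable(vec[i], allow_whitespace);
        if (off >= 0) {
            if (bad_index)  *bad_index  = i;
            if (bad_offset) *bad_offset = off;
            return 0;
        }
    }
    return 1;
}

/* The policy decision itself: an exec is allowed only when both argv and
 * envp pass.  (Hypothetical name; a real kernel hook would return an errno
 * value rather than a boolean.) */
int execve_args_allowed(char *const argv[], char *const envp[],
                        int allow_whitespace)
{
    return vector_is_clean(argv, allow_whitespace, NULL, NULL)
        && vector_is_clean(envp, allow_whitespace, NULL, NULL);
}

int main(void)
{
    /* Constructed sample vectors. */
    char *const good_argv[] = { "prog", "--verbose", "file.txt", NULL };
    char *const good_envp[] = { "PATH=/bin:/usr/bin", "HOME=/home/user", NULL };
    /* One argument carries a 0xFF byte, which no printable-ASCII string can
     * contain; the check must refuse the exec and point at it. */
    char bad_arg[] = { 'x', (char)0xFF, 'y', '\0' };
    char *const bad_argv[] = { "prog", bad_arg, NULL };
    size_t idx = 0;
    long off = -1;

    printf("clean exec allowed: %d\n",
           execve_args_allowed(good_argv, good_envp, 0));
    if (!vector_is_clean(bad_argv, 0, &idx, &off))
        printf("refused: argv[%zu] has a non-printable byte at offset %ld\n",
               idx, off);
    return 0;
}
```

The model deliberately reports the failing string and offset instead of just a yes/no: if such a policy were ever deployed, the refusals are themselves a useful signal, since legitimate programs rarely pass high bytes on the command line, and each refusal tells the administrator which process and which argument tripped it. It also makes the limitation in Andrew's reply concrete: the filter says nothing about what printable bytes might be assembled into later, only that no byte outside 0x20..0x7E arrives through argv or envp.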