From owner-freebsd-security Mon Jun 29 09:35:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16837 for freebsd-security-outgoing; Mon, 29 Jun 1998 09:35:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA16810 for ; Mon, 29 Jun 1998 09:35:48 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yqguB-0002IA-00; Mon, 29 Jun 1998 10:35:47 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id KAA18811; Mon, 29 Jun 1998 10:35:46 -0600 (MDT)
Message-Id: <199806291635.KAA18811@harmony.village.org>
To: Vadim Kolontsov
Subject: Re: non-executable stack?
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 29 Jun 1998 18:52:30 +0400." <19980629185230.A16373@tversu.ru>
References: <19980629185230.A16373@tversu.ru>
Date: Mon, 29 Jun 1998 10:35:45 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

: > execve of certain processes. We still don't know if this will have any
: > effect on security though, since no-one has checked to see if it's possible
: > to write shellcode using just printable ASCII.

You can. I've seen an example of how to do that, but didn't bother to save it. I've also seen how to do the same with DNS packets, which must be nearly all in the range [a-zA-Z0-9-]+. I've not seen an example of this on Sparc, MIPS or Alpha, but have been told by someone that I believe that he has code like this that fits the bill. The Alpha was the hardest, evidently, for reasons that he didn't elaborate on.

In message <19980629185230.A16373@tversu.ru> Vadim Kolontsov writes:
: When I played with assembler under FreeBSD, I've created a version of such
: code. Basically it contains a little "decoder" which unpacks specially
: prepared shell code (I've solved almost the same problem programming
: self-unpacking UUENCODE files).

For those that think this is hard, you might want to check out KERMIT.BOO. This is a completely printable file that is used to bootstrap the kermit installation process a long time ago (and maybe still even today).

Checks for printable vs non-printable are bogus and don't buy any extra security at the cost of inconvenience.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
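The printable-only filter the thread dismisses, next to the uuencode trick it mentions, as an added C example (not code from the thread or from FreeBSD): the check rejects raw binary, but a uuencode round trip (the standard 6-bit-per-character scheme behind Vadim's self-unpacking files) maps every byte value onto characters the filter accepts, so the filter constrains nothing about the data that gets through. The function names are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* The check under discussion: is every byte in the printable ASCII range? */
int all_printable(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e) return 0;
    return 1;
}

/* uuencode body encoding: each 3 bytes become 4 chars in 0x20..0x5f.
 * Returns the number of characters written (out must hold 4*ceil(len/3)). */
size_t uu_encode(const unsigned char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        unsigned b0 = in[i];
        unsigned b1 = i + 1 < len ? in[i + 1] : 0;
        unsigned b2 = i + 2 < len ? in[i + 2] : 0;
        out[o++] = (char)(0x20 + (b0 >> 2));
        out[o++] = (char)(0x20 + (((b0 & 3) << 4) | (b1 >> 4)));
        out[o++] = (char)(0x20 + (((b1 & 0xf) << 2) | (b2 >> 6)));
        out[o++] = (char)(0x20 + (b2 & 0x3f));
    }
    return o;
}

/* Inverse: outlen is the original byte count (a real uuencode line carries it). */
void uu_decode(const char *in, size_t outlen, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; o < outlen; i += 4) {
        unsigned c0 = (in[i] - 0x20) & 0x3f, c1 = (in[i + 1] - 0x20) & 0x3f,
                 c2 = (in[i + 2] - 0x20) & 0x3f, c3 = (in[i + 3] - 0x20) & 0x3f;
        out[o++] = (unsigned char)((c0 << 2) | (c1 >> 4));
        if (o < outlen) out[o++] = (unsigned char)((c1 << 4) | (c2 >> 2));
        if (o < outlen) out[o++] = (unsigned char)((c2 << 6) | c3);
    }
}

/* Constructed input: all 256 byte values. Returns 1 if the raw bytes fail the
 * filter, the encoded form passes it, and decoding restores every byte. */
int filter_is_bypassable(void) {
    unsigned char raw[256], back[256];
    char enc[4 * 86];                        /* 256 bytes -> 86 groups of 4 */
    for (int i = 0; i < 256; i++) raw[i] = (unsigned char)i;
    if (all_printable(raw, 256)) return 0;   /* raw binary is rejected */
    size_t n = uu_encode(raw, 256, enc);
    if (!all_printable((const unsigned char *)enc, n)) return 0;
    uu_decode(enc, 256, back);
    return memcmp(raw, back, 256) == 0;      /* ... and comes back intact */
}
```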