From: Brett Glass <brett@lariat.org>
To: dg@root.com
Cc: Warner Losh, Archie Cobbs, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 22:00:53 -0600
Message-Id: <199807200400.WAA08903@lariat.lariat.org>
In-Reply-To: <199807200320.UAA24309@implode.root.com>
Sender: owner-freebsd-security@FreeBSD.ORG

At 08:20 PM 7/19/98 -0700, David Greenman wrote:

> I think people are fooling themselves if they think that making the stack
> non-executable is going to prevent any of the stack overflow related attacks
> from working (with minor mods of course). Most executables have plenty enough
> code mapped that in most cases it shouldn't be too difficult for the exploiter
> to frob the stack a bit with some reasonable arguments and then push a
> non-stack function as the return address (plenty of yummy things to choose from
> in shared libc, for example - including, but not limited to, execl()). This
> wouldn't require anything to execute from the stack, so making the stack
> non-executable wouldn't prevent this from working.

Unfortunately, without the use of call gates, there are still some exploits that can be done. But far fewer....

You need to know exactly where things are mapped in order to push the addresses of library routines as return addresses.

--Brett