Date: Sun, 19 Jul 1998 22:00:53 -0600 From: Brett Glass <brett@lariat.org> To: dg@root.com Cc: Warner Losh <imp@village.org>, Archie Cobbs <archie@whistle.com>, security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? Message-ID: <199807200400.WAA08903@lariat.lariat.org> In-Reply-To: <199807200320.UAA24309@implode.root.com> References: <Your message of "Sun, 19 Jul 1998 20:10:39 MDT." <199807200210.UAA07188@lariat.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 08:20 PM 7/19/98 -0700, David Greenman wrote: > I think people are fooling themselves if they think that making the stack >non-executable is going to prevent any of the stack overflow related attacks >from working (with minor mods of course). Most executables have plenty enough >code mapped that in most cases it shouldn't be too difficult for the exploiter >to frob the stack a bit with some reasonable arguments and then push a non- >stack function as the return address (plenty of yummy things to choose from in >shared libc, for example - including, but not limited to, execl()). This >wouldn't require anything to execute from the stack, so making the stack >non-executable wouldn't prevent this from working. Unfortunately, without the use of call gates, there are still some exploits that can be done. But far fewer.... You need to know exactly where things are mapped in order to push the addresses of library routines as return addresses. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807200400.WAA08903>