From: "Jordan K. Hubbard"
To: Brett Glass
cc: dg@root.com, Warner Losh, Archie Cobbs, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-reply-to: Your message of "Sun, 19 Jul 1998 22:00:53 MDT." <199807200400.WAA08903@lariat.lariat.org>
Date: Sun, 19 Jul 1998 21:45:28 -0700
Message-ID: <8496.900909928@time.cdrom.com>

> Unfortunately, without the use of call gates, there are still some exploits
> that can be done. But far fewer.... You need to know exactly where things are
> mapped in order to push the addresses of library routines as return addresses

And, considering the kinds of exploits I've been seeing released lately, that is still well within the reach of your average exploit-writer. It only has to be puzzled out once (not difficult with easy access to both sources and release binaries) and then the skript-kiddies can take it and wreak their havoc without having to necessarily understand anything about the exploit. I doubt they understood the one used to hack you, for that matter.

I agree with David - this is just locking the barn door while leaving all the windows open. Good for a false sense of security, nothing more, and only fundamentally missing the point that the only *effective* and worthwhile solution is to extensively audit the code.

How many here just ran popper as root without even thinking about it, please raise your hands? I raise my own hand here, since I didn't look at the code for popper either, and I was just fortunate that I heard about the bug from folks on IRC and an early Bugtraq report and was able to close it before anything bad happened (to me).

Once this security scare happened, however, and I actually DID look at the code for popper, my feelings were not of indignation and anger; my thoughts ran more along the lines of: "My god, this code is completely full of mice - it looks like it PREDATES any conventional notion of security! Ye gods, we've been running this code as *root*? This code, which I'm now seeing here?? Well fuck us all with the telephone poles we so richly deserve for being so damn complacent!" :-)

Seriously, that code had so many potential exploits and stack overflows that I seriously doubt all the stack protection in the world would have saved you. It didn't need a band-aid, it needed a thorough audit which now, after all the horses have escaped the barn, seems to finally be happening. We adopted it, we recommended it and then we failed to give it even the most cursory audit. I know there are over 1500 ports now, but for those items which really do constitute "significant risk", I think that we could all afford to take a page from Theo's book and start going through stuff more methodically.

The simple, painful fact is that people are running way too much random, unaudited stuff with root privilege on an Internet which has also become far more hostile than anything they may formerly have been accustomed to. The rules of that game have changed, period, and if you admin a Unix machine in the same manner that you used to back in the 80's then you Will Lose, and make no mistake about it; the only question remaining is when and where.

Those who can't audit should also, at the very minimum, subscribe to Bugtraq and watch the usual geek-girl related announcements. If you're going on vacation, make sure that your machine is in the hands of someone who'll be doing this in your stead! Murphy's law practically demands that any significant security attack will happen on a Friday evening before the start of a 3-day holiday weekend, or something, so plan accordingly and you won't be in here going "ahhh! ahhh! doctor, it hurt when they did *this*!" the week afterwards. :-)

- Jordan
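The bug class Jordan is describing, as an added illustration rather than any code from this thread or from popper: a hypothetical POP3-style command handler that copies a client-supplied argument into a fixed-size stack buffer, shown first unbounded and then bounded. The function names, ARG_MAX and the sample lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not popper's code: a daemon copying a
 * client-supplied command argument into a fixed-size stack buffer.
 * Each handler takes one line such as "USER alice" and returns the
 * argument length, or a negative code on rejection. */

#define ARG_MAX 16

/* Unsafe form: no length check. An argument of ARG_MAX bytes or more runs
 * past 'arg' into whatever sits above it on the stack, including the saved
 * return address. A non-executable stack does not remove this defect, since
 * the overwritten return address can point at code that already exists (the
 * "addresses of library routines" in the quoted text). Only called with
 * short input here, for comparison. */
int handle_user_unsafe(const char *line)
{
    char arg[ARG_MAX];
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    strcpy(arg, line + 5);              /* unbounded copy into a stack buffer */
    return (int)strlen(arg);
}

/* Hardened form: measure first, refuse anything that does not fit with its
 * terminator, and never write past the buffer. -2 tells the caller to send
 * an error or drop the session rather than silently truncate. */
int handle_user_safe(const char *line)
{
    char arg[ARG_MAX];
    size_t n;
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    n = strlen(line + 5);
    if (n >= sizeof arg)                /* leaves room for the NUL terminator */
        return -2;
    memcpy(arg, line + 5, n + 1);
    return (int)n;
}

int main(void)
{
    /* Constructed sample lines; the second carries a 20-byte argument. */
    const char *ok = "USER alice";
    const char *oversized = "USER aaaaaaaaaaaaaaaaaaaa";
    printf("safe(ok)        = %d\n", handle_user_safe(ok));
    printf("safe(oversized) = %d\n", handle_user_safe(oversized));
    return 0;
}
```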