From owner-freebsd-chat Wed Dec 8 11:18:36 1999
Delivered-To: freebsd-chat@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 2A4F0157F8; Wed, 8 Dec 1999 11:18:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 04E271CD403; Wed, 8 Dec 1999 11:18:25 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 8 Dec 1999 11:18:24 -0800 (PST)
From: Kris Kennaway
To: Jonathon McKitrick
Cc: freebsd-chat
Subject: Re: Yahoo hacked last night
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 8 Dec 1999, Jonathon McKitrick wrote:

> One thing I never understood... why does a buffer overflow automatically
> cause a root shell, or does it always? I mean, when I crash
> programs, I get a core dump and that's it. Even with segmentation faults,
> the memory protection seems quite robust, and the OS stays on its feet.
> I've never been dropped to root on my own system, despite crashing.

It happens because by carefully crafting the stuff which overflows the
buffer (i.e. actually presenting machine-executable code instead of
arbitrary data), the attacker can cause his code to be executed by the
attacked machine (this is often why buffer overflows cause crashes,
because the buffer overflowed into an area read and interpreted by the
program, which can be exploited to change the execution of the program).
This can lead to the execution of a shell under the user ID of whatever
was running the exploited program - in the case of a daemon running as
root, it would be a root shell.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
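As an added illustration of the mechanism Kris describes (constructed for this page, not code from the thread): a C model in which a 16-byte name field sits directly in front of a 4-byte value the program reads back and acts on, standing in for the control data a real overflow reaches. The unbounded copy runs past the field and changes that value; the bounded version refuses the input instead. The frame layout, the `process_unbounded`/`process_bounded` names and the sample inputs are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of a stack frame: a 16-byte name field followed by a
 * 4-byte value the program later reads and acts on (standing in for a
 * saved return address or any other control data). */
enum { NAME_LEN = 16, FLAG_OFF = 16, FRAME_LEN = 32 };

static uint32_t read_flag(const unsigned char *frame) {
    uint32_t v;
    memcpy(&v, frame + FLAG_OFF, sizeof v);  /* well-defined unaligned load */
    return v;
}

/* Vulnerable pattern: the copy stops at the terminating NUL, never at the
 * end of the field. The length check only keeps this model inside its own
 * 32-byte frame; the real bug has no such guard and can overwrite anything. */
int process_unbounded(const char *input) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);          /* flag starts out as 0 */
    if (strlen(input) >= FRAME_LEN) return -2;
    size_t i = 0;
    while (input[i] != '\0') { frame[i] = (unsigned char)input[i]; i++; }
    frame[i] = '\0';
    return read_flag(frame) != 0;            /* 1 = input changed the flag */
}

/* Hardened pattern: reject anything that does not fit the field, then copy
 * at most NAME_LEN - 1 bytes and terminate explicitly. */
int process_bounded(const char *input) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    size_t n = strlen(input);
    if (n >= NAME_LEN) return -1;            /* too long: refuse, never truncate silently */
    memcpy(frame, input, n);
    frame[n] = '\0';
    return read_flag(frame) != 0;
}

int main(void) {
    const char *benign = "alice";                  /* constructed inputs */
    const char *overlong = "AAAAAAAAAAAAAAAAA";    /* 17 bytes: one past the field */
    printf("unbounded benign   -> %d\n", process_unbounded(benign));
    printf("unbounded overlong -> %d\n", process_unbounded(overlong));
    printf("bounded benign     -> %d\n", process_bounded(benign));
    printf("bounded overlong   -> %d\n", process_bounded(overlong));
    return 0;
}
```

The 17th byte of the overlong input lands on the flag, which is exactly the "area read and interpreted by the program" the reply refers to; the bounded version returns -1 for the same input and the flag is never touched.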