From owner-freebsd-security Mon Jul 20 09:16:16 1998
Date: Mon, 20 Jul 1998 10:13:11 -0600
Message-Id: <199807201613.KAA07117@mt.sri.com>
From: Nate Williams
To: Warner Losh
Cc: Archie Cobbs, brett@lariat.org (Brett Glass), security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807200148.TAA07794@harmony.village.org>
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>

[ Making the stack non-executable ]

> : As an almost-example of why executing on the stack is not completely
> : crazy, consider JIT-compiling Java runtimes like kaffe. These dynamically
> : compile Java methods into i386 executable instructions, then execute
> : those methods. Kaffe actually does this on the heap I think, but it's just
> : as reasonable if it wanted to do it on the stack (eg, perhaps some kind
> : of temporary method, trampoline code to get things going, etc).
>
> I think that most, but not all, of the problems can be fixed by making
> the stack non-executable for set[gu]id binaries.
This wouldn't have done a thing for Brett, since it appears he was attacked
via the bug in popper, which is not setuid but runs out of inetd. Programs
that run out of inetd have been the majority of the 'external' break-in
programs used if you throw out sendmail. :)

Nate
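The JIT case Archie raises above (a runtime generating native code at run time and then calling it) does not actually need an executable stack: the generated code can live in memory the runtime maps itself, made writable for the copy and executable only afterwards. The following is an added example written for this page, not code from the thread, from kaffe or from FreeBSD. It assumes a POSIX mmap/mprotect system and hand-encodes one tiny function for x86-64 and aarch64 only; the encodings, the W^X sequence and the names jit_emit_add / jit_add are the example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-encoded machine code for  int add(int a, int b) { return a + b; }
 * in the platform C calling convention. The encodings are this example's
 * own assumption; only these two architectures are covered. */
#if defined(__x86_64__)
static const uint8_t kAddCode[] = {
    0x8d, 0x04, 0x37,   /* lea eax, [rdi + rsi]   ; eax = a + b */
    0xc3                /* ret */
};
#elif defined(__aarch64__)
static const uint8_t kAddCode[] = {
    0x00, 0x00, 0x01, 0x0b,   /* add w0, w0, w1 */
    0xc0, 0x03, 0x5f, 0xd6    /* ret */
};
#else
#error "this example only encodes x86-64 and aarch64"
#endif

typedef int (*add_fn)(int, int);

/* Emit the code into a fresh anonymous page. The page is mapped RW for the
 * copy and flipped to RX before the first call, so it is never writable and
 * executable at the same time (W^X). Returns NULL, leaving *len untouched,
 * if the mapping or the protection change fails; the caller must not run
 * anything in that case. */
static add_fn jit_emit_add(size_t *len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return NULL;
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, kAddCode, sizeof kAddCode);
    if (mprotect(mem, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, (size_t)page);
        return NULL;
    }
    /* aarch64 has separate instruction/data caches; harmless on x86-64. */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof kAddCode);
    *len = (size_t)page;
    add_fn fn;
    memcpy(&fn, &mem, sizeof fn);  /* object -> function pointer without a cast */
    return fn;
}

/* Run a + b through the generated code, then release the page. *ok is set
 * to 1 on success, or 0 if no executable page could be obtained (the
 * returned value is then 0 and meaningless). */
int jit_add(int a, int b, int *ok)
{
    size_t len = 0;
    add_fn fn = jit_emit_add(&len);
    if (fn == NULL) {
        *ok = 0;
        return 0;
    }
    int r = fn(a, b);
    void *mem;
    memcpy(&mem, &fn, sizeof mem);
    munmap(mem, len);
    *ok = 1;
    return r;
}

int main(void)
{
    int ok;
    int r = jit_add(2, 3, &ok);
    if (!ok) {
        fputs("could not obtain an executable page (W^X / execmem policy?)\n", stderr);
        return 1;
    }
    printf("jit_add(2, 3) = %d\n", r);  /* prints jit_add(2, 3) = 5 */
    return 0;
}
```

The point for the thread: the stack is never involved, so a non-executable stack costs a JIT nothing, while a runtime that insists on RWX memory (or on running trampolines out of a stack buffer) gives an attacker exactly the writable-and-executable region a stack-smash needs. Failing closed when mprotect refuses PROT_EXEC is also what you want under a policy that forbids executable anonymous memory.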