From owner-freebsd-chat Wed Dec 8 14:22:17 1999
Message-ID: <384ED9C2.348253DC@nisser.com>
Date: Wed, 08 Dec 1999 23:20:50 +0100
From: Roelof Osinga
Organization: eboa - engineering buro Office Automation
To: Alfred Perlstein
Cc: Jonathon McKitrick, Kris Kennaway, freebsd-chat
Subject: Re: Yahoo hacked last night

Alfred Perlstein wrote:
>
> For a function to be able to return to its caller it must store the
> return address on the stack, what a buffer overflow generally does
> is overwrite that return address with a pointer to some more data
> on the stack which is actually machine instructions to exec a shell.

How? Wouldn't it be a tremendous happenstance if the buffer that
overflows actually just happens to be where the stack is?

If you overflow a buffer you write bytes into dataspace where, in a
protected environment, it won't get executed. No matter what you push
onto the return stack. Worse, the i386 has several exceptions it can
raise to signal stack over- and underflows, so the stack could be a
fairly well controlled environment.

Actually, the same can be done for data space segments as well.
Thereby preventing buffer overflows from overflowing into code space.

Maybe if you had aliased segments to allow access by anything to
anything you could do this easily. But otherwise? Well... easily? Bit
of an understatement.

Not only do you need the right bytes at the right time, you also need
the right buffer to overflow so the right bytes get put at the right
place.

Would still be a neat trick.

Roelof

--
Home is where the (@) http://eboa.com/ is.
Telekabel home http://nisser.com/
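The stack layout Alfred describes, as an added C example that is not part of the thread: a fixed-size local array is an automatic variable, so it sits in the same stack frame as the saved return address, and the hardened copy below rejects input before it can run past the array. Function names, buffer size and inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example. NAME_MAX and the two greet_* functions are
 * hypothetical; they stand in for any routine that copies caller data
 * into a fixed-size local buffer. */
#define NAME_MAX 16

/* Vulnerable form: `name` is an automatic variable, so it lives in this
 * function's stack frame next to the saved frame pointer and return
 * address. strcpy() has no bound, so input of NAME_MAX bytes or more
 * writes past the array into that frame. Kept only for comparison. */
void greet_unchecked(const char *user)
{
    char name[NAME_MAX];
    strcpy(name, user);             /* unbounded copy: the defect */
    printf("hello, %s\n", name);
}

/* Hardened form: measure first, reject anything that does not fit
 * (including its terminating NUL), then copy exactly that many bytes.
 * Returns 0 when the name was accepted, -1 when it was rejected. */
int greet_checked(const char *user)
{
    char name[NAME_MAX];
    size_t len = strlen(user);

    if (len >= sizeof name)         /* need one byte left for the NUL */
        return -1;
    memcpy(name, user, len + 1);    /* len bytes plus terminator */
    printf("hello, %s\n", name);
    return 0;
}
```

The check is on the source length, not the destination, so it rejects the oversized input without ever touching the bytes that follow the array.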