Date: Wed, 08 Dec 1999 23:20:50 +0100
From: Roelof Osinga <roelof@nisser.com>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: Jonathon McKitrick <jcm@dogma.freebsd-uk.eu.org>, Kris Kennaway <kris@hub.freebsd.org>, freebsd-chat <chat@FreeBSD.ORG>
Subject: Re: Yahoo hacked last night
Message-ID: <384ED9C2.348253DC@nisser.com>
References: <Pine.BSF.4.21.9912081154210.4557-100000@fw.wintelcom.net>
Alfred Perlstein wrote:
>
> For a function to be able to return to its caller it must store the
> return address on the stack, what a buffer overflow generally does
> is overwrite that return address with a pointer to some more data
> on the stack which is actually machine instructions to exec a shell.

How? Wouldn't it be a tremendous happenstance if the buffer that overflows actually just happens to be where the stack is?

If you overflow a buffer you write bytes into dataspace where, in a protected environment, it won't get executed. No matter what you push onto the return stack. Worse, the i386 has several exceptions it can raise to signal stack over- and underflows, so the stack could be a fairly well controlled environment. Actually, the same can be done for data space segments as well, thereby preventing buffer overflows from overflowing into code space.

Maybe if you had aliased segments to allow access by anything to anything you could do this easily. But otherwise?

Well... easily? Bit of an understatement <g>. Not only do you need the right bytes at the right time, you also need the right buffer to overflow so the right bytes get put at the right place.

Would still be a neat trick.

Roelof

-- 
Home is where the (@) http://eboa.com/ is.
Telekabel home http://nisser.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
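An added illustration of the layout Alfred describes, not code from either poster: a function's fixed-size local buffer is allocated in its own stack frame, next to the saved return address, so an unbounded copy into it is the case to avoid. The block shows that adjacency with the GCC/Clang builtin `__builtin_frame_address` (assumed available), keeps the unchecked `strcpy` pattern only as the unsafe "before" that is never called, and pairs it with a bounded copy that refuses oversized input; the request strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 if this function's local buffer lies within a page of its own
 * frame address (the saved return address sits just above that frame),
 * i.e. the buffer and the return address share the stack. */
int local_buffer_is_on_stack(void)
{
    char buf[64];
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0); /* GCC/Clang builtin */
    uintptr_t b = (uintptr_t)buf;
    uintptr_t dist = frame > b ? frame - b : b - frame;
    buf[0] = '\0';
    return dist < 4096;
}

/* Unsafe "before" pattern: no length check, so a request longer than 63 bytes
 * runs past buf into the saved frame data. Shown for contrast only; not called. */
int handle_request_unsafe(const char *req)
{
    char buf[64];
    strcpy(buf, req);
    return (int)strlen(buf);
}

/* Hardened copy: refuse anything that does not fit together with its NUL.
 * Returns 0 on success, -1 when src is too long for dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1; /* would overflow: reject rather than truncate silently */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same handler with the bounded copy; returns the request length or -1. */
int handle_request(const char *req)
{
    char buf[64];
    if (copy_bounded(buf, sizeof buf, req) != 0)
        return -1; /* oversized input never reaches the frame */
    return (int)strlen(buf);
}

/* Constructed 199-byte request, well past the 64-byte buffer. */
int oversized_request_rejected(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return handle_request(big);
}
```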