Date: Sun, 19 Jul 1998 14:55:59 -0700 From: David Greenman <dg@root.com> To: Brett Glass <brett@lariat.org> Cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? Message-ID: <199807192155.OAA18816@implode.root.com> In-Reply-To: Your message of "Sun, 19 Jul 1998 14:47:25 MDT." <199807192047.OAA02264@lariat.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>We're going to be spending about a man-month rebuilding a complex system >that was hacked due to a buffer overflow exploit. Looking back at our >system log files, I can see exactly how the hack was done and how the >perpetrator was able to get root. > >What I CAN'T understand is why FreeBSD allows the hack to occur. Why on >Earth would one want to allow code to be executed from the stack? The Intel >segmentation model normally prevents this, and there's additional hardware >in the MMU that's supposed to be able to preclude it. Why does the OS leave >this gigantic hole open? Why not just close it? Two words: Signal Trampoline. For an explaination, see the mailing list archives for -hackers, search for 'signal trampoline'. -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807192155.OAA18816>