From owner-freebsd-security  Sun Aug 16 07:08:43 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA14389
          for freebsd-security-outgoing; Sun, 16 Aug 1998 07:08:43 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA14384
          for <freebsd-security@FreeBSD.ORG>; Sun, 16 Aug 1998 07:08:40 -0700 (PDT)
          (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost)
	by aniwa.sky (8.8.7/8.8.7) with SMTP id CAA07068;
	Mon, 17 Aug 1998 02:05:38 +1200 (NZST)
	(envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 02:05:38 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Philippe Regnauld <regnauld@deepo.prosa.dk>
cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code" <dps@IO.STARGATE.CO.UK>
In-Reply-To: <19980816151056.63692@deepo.prosa.dk>
Message-ID: <Pine.BSF.3.96.980817015746.326O-100000@aniwa.sky>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Philippe Regnauld wrote:

> Niall Smart writes:
> > > 
> > > 	The point was to limit the number of outside attacks on 
> > > 	priviledged network daemons.  Once the system has been broken
> > > 	into, it's over...  "Just keep people out"
> > 
> > I'm not sure what you mean by this; disabling execve doesn't prevent
> > outside attacks on network daemons.
> 
> 	No, but it will prevent buffer overflows that spawn a root shell
> 	(i.e.: qpopper) -- or am I missing something ?

As I understand it, this would mean that instead of getting a small piece
of code with embedded shell code to execute, the attacker would have to do
what they want to by using other system calls, requiring slightly more
effort to customize the result of an attack. 

ie instead of spawning a rootshell, or executing a shell command, the
exploit would include commands to perhaps open a file and modify it.

Given root perms, and file access, it's not dificult to imagine places
where a shell command could be written to disk in order to get it executed
soon afterwards.  if an interactive shell is needed, then code to modify
/etc/master.passwd, or /etc/inetd.conf can be written into object code
little bigger than used by current exploits.

Andrew McNaughton




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message