From owner-freebsd-security Sun Jul 19 13:47:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA19633 for freebsd-security-outgoing; Sun, 19 Jul 1998 13:47:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA19625 for ; Sun, 19 Jul 1998 13:47:44 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id OAA02264; Sun, 19 Jul 1998 14:47:27 -0600 (MDT)
Message-Id: <199807192047.OAA02264@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Sun, 19 Jul 1998 14:47:25 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: The 99,999-bug question: Why can you execute from the stack?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We're going to be spending about a man-month rebuilding a complex system that was hacked due to a buffer overflow exploit. Looking back at our system log files, I can see exactly how the hack was done and how the perpetrator was able to get root.

What I CAN'T understand is why FreeBSD allows the hack to occur. Why on Earth would one want to allow code to be executed from the stack? The Intel segmentation model normally prevents this, and there's additional hardware in the MMU that's supposed to be able to preclude it. Why does the OS leave this gigantic hole open? Why not just close it?

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
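The hole Brett is asking about can be probed directly. The C program below is an added example, not part of the original message and not FreeBSD code: it copies a tiny "return 42" machine-code stub into a stack buffer (the same place an overflowed local array lives) and tries to call it, catching the fault if the MMU refuses to fetch instructions from that page; it then runs the same bytes from a page that was first mapped writable and then switched to executable with mprotect, which is the split the hardware can enforce. The stub bytes, the signal-handling approach and the function names are this example's own assumptions; it targets x86-64 and AArch64 on Linux-style systems.

```c
/* Added example (not from the original post): can this process run code
 * that sits on its stack? Assumes x86-64 or AArch64, POSIX signals, mmap. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#if defined(__x86_64__)
/* endbr64 ; mov eax, 42 ; ret   (endbr64 is a NOP without CET) */
static const unsigned char kStub[] = { 0xf3, 0x0f, 0x1e, 0xfa,
                                       0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret */
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52,
                                       0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "add a 'return 42' stub for this architecture"
#endif

typedef int (*stub_fn)(void);

static sigjmp_buf g_env;
static void on_fault(int sig) { (void)sig; siglongjmp(g_env, 1); }

/* Call the stub at `code`. Returns its value (42), or -1 if the CPU/kernel
 * refused with SIGSEGV/SIGBUS/SIGILL, which is what an NX stack produces. */
static int try_execute(void *code) {
    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    volatile int result = -1;           /* volatile: survives siglongjmp */
    if (sigsetjmp(g_env, 1) == 0) {
        stub_fn fn;
        memcpy(&fn, &code, sizeof fn);  /* data pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return result;
}

/* 1 if code placed in a stack buffer runs, 0 if the stack is non-executable. */
int stack_is_executable(void) {
    unsigned char buf[sizeof kStub];    /* a local array, like the overflowed one */
    memcpy(buf, kStub, sizeof kStub);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    return try_execute(buf) == 42;
}

/* Same bytes, but written while the page is RW and run after it is RX.
 * Returns 42 on success, -1 if execution faulted, 0 if mapping failed. */
int exec_page_runs_stub(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    memcpy(p, kStub, sizeof kStub);
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, (size_t)pg);
        return 0;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof kStub);
    int r = try_execute(p);
    munmap(p, (size_t)pg);
    return r;
}

int main(void) {
    printf("stub from an executable page: %d\n", exec_page_runs_stub());
    printf("stack is executable: %s\n", stack_is_executable() ? "yes" : "no");
    return 0;
}
```

On a kernel that marks the stack non-executable the first probe faults and the program reports "no"; the same binary linked with an executable stack (for example GNU ld's `-z execstack`) reports "yes", which is the state Brett's 1998 machine was in. The second probe shows that the distinction costs nothing in flexibility: code that genuinely needs to be generated at runtime can still be written to a page and then switched to executable.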