From owner-freebsd-security Sun Jul 19 14:56:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA28776 for freebsd-security-outgoing; Sun, 19 Jul 1998 14:56:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA28768 for ; Sun, 19 Jul 1998 14:56:52 -0700 (PDT) (envelope-from root@implode.root.com) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id OAA18816; Sun, 19 Jul 1998 14:55:59 -0700 (PDT) Message-Id: <199807192155.OAA18816@implode.root.com> To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-reply-to: Your message of "Sun, 19 Jul 1998 14:47:25 MDT." <199807192047.OAA02264@lariat.lariat.org> From: David Greenman Reply-To: dg@root.com Date: Sun, 19 Jul 1998 14:55:59 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >We're going to be spending about a man-month rebuilding a complex system >that was hacked due to a buffer overflow exploit. Looking back at our >system log files, I can see exactly how the hack was done and how the >perpetrator was able to get root. > >What I CAN'T understand is why FreeBSD allows the hack to occur. Why on >Earth would one want to allow code to be executed from the stack? The Intel >segmentation model normally prevents this, and there's additional hardware >in the MMU that's supposed to be able to preclude it. Why does the OS leave >this gigantic hole open? Why not just close it? Two words: Signal Trampoline. For an explaination, see the mailing list archives for -hackers, search for 'signal trampoline'. -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message