From owner-freebsd-security Sun Jul 19 15:18:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA01738 for freebsd-security-outgoing; Sun, 19 Jul 1998 15:18:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA01730 for ; Sun, 19 Jul 1998 15:18:43 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id QAA03558; Sun, 19 Jul 1998 16:18:24 -0600 (MDT)
Message-Id: <199807192218.QAA03558@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Sun, 19 Jul 1998 16:18:22 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:43 PM 7/19/98 +0000, you wrote:

>Making the stack non executable doesn't stop buffer overflow attacks;
>see www.geek-girl.com/bugtraq/ for more information.

It should stop most of them. I could imagine a situation where one
subverted a program by changing its data (for example, one could
force commands into an interpreter by putting them into higher
stack frames). However, the most common method seems to be to
plant a bogus return address that points to machine code that
does the cracker's bidding.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
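The data-only case raised in the message above, as an added example that is not part of the original post: a constructed C model in which an overlong input changes the command an interpreter later acts on without any byte being executed, shown beside the bounds-checked form that stops it. The names `struct frame`, `interpret`, `handle_unchecked` and `handle_checked` are hypothetical, and the struct only models adjacent stack data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a stack frame: an input buffer sitting directly
   below a command string that a tiny interpreter acts on later. */
struct frame {
    char input[16];
    char cmd[16];
};

enum action { ACT_STATUS, ACT_SHUTDOWN, ACT_UNKNOWN };

/* The "interpreter": maps the command string to an action. */
static enum action interpret(const char *cmd)
{
    if (strncmp(cmd, "status", 16) == 0)   return ACT_STATUS;
    if (strncmp(cmd, "shutdown", 16) == 0) return ACT_SHUTDOWN;
    return ACT_UNKNOWN;
}

/* Before: the copy is bounded by the frame, not by input[], so bytes
   past input[15] spill into cmd[]. Only data changes; nothing on the
   stack is executed, so a non-executable stack does not intervene. */
enum action handle_unchecked(const unsigned char *in, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.cmd, "status", 7);        /* what the program meant to run */
    if (n > sizeof f) n = sizeof f;    /* keeps the model well-defined */
    memcpy(&f, in, n);
    return interpret(f.cmd);
}

/* After: input that does not fit the destination field is rejected. */
enum action handle_checked(const unsigned char *in, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.cmd, "status", 7);
    if (n > sizeof f.input) return ACT_UNKNOWN;
    memcpy(f.input, in, n);
    return interpret(f.cmd);
}
```

The length check in `handle_checked` is what protects `cmd`; stack page permissions play no part in either function.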