Date: Mon, 29 Jun 1998 14:48:04 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: njs3@doc.ic.ac.uk (Niall Smart), Patrick McAndrew <pfm@slack.net>, jtb <jtb@pubnix.org>
Cc: Wojciech Sobczuk <sopel@hood.1lo.lublin.pl>, fpscha@schapachnik.com.ar, ncb05@uow.edu.au, security@FreeBSD.ORG
Subject: Re: non-executable stack?
Message-ID: <199806292148.OAA26760@salsa.gv.tsc.tdk.com>
In-Reply-To: njs3@doc.ic.ac.uk (Niall Smart) "Re: non-executable stack?" (Jun 27, 11:07am)
On Jun 27, 11:07am, Niall Smart wrote:
} Subject: Re: non-executable stack?
} You misunderstand. My proposal, seemingly seconded by jtb, was to
} allow the administrator to disallow the presence of non-printable ASCII
} characters in the environment or command line arguments at the time of
} execve of certain processes. We still don't know if this will have any
} effect on security though, since no-one has checked to see if it's possible
} to write shellcode using just printable ASCII. It would certainly
} make life difficult for the attacker, since it would be impossible to
} overwrite the saved eip with an address on the stack since the stack
} is at the top of the address space around 0xFFxxxxxx or 0xEFxxxxxx.

From my archives of the firewalls mail list:

--- Forwarded mail from padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)

From firewalls-relay@tus.ssi1.COM Wed Dec 21 15:30:26 1994
Date: Wed, 21 Dec 94 15:12:55 -0500
Message-Id: <9412212012.AA09780@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Example of the futility of determining contents from packets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Status: OR

Once again the question was asked if a packet filter can detect viruses and I responded "No" - at least not without a *very* complex determination first of WHAT the program is, and WHICH platform it is intended for. The following short executable program is an example of this (note that it is PGP *signed* and not "converted" to ASCII): executable ASCII using a mechanism to allow the passage of .COM files through E-mail gateways. Unlike UUENCODED files though, the ASCII itself is executable - if I had sent it without the PGP signature, many systems could execute it directly from the mail window. Extracted with PGP switch -o CARD.COM it becomes a DOS executable program 2064 bytes long.
You *could* just strip the header off (down to the line that starts "XP[@PPD...") and execute that if you feel brave (the trailing signature lines do not matter). But the point is that I could have used the "ASCIIzer" (YAAA) recursively to additionally wrap the contents (in an experiment I recursively ran it on itself until the original 1k binary had become a 45k "Katchina Doll" that was still executable).

Meanwhile, if nothing else, Happy Holidays,

Padgett

ps this is a later version (but still a "beta") than Rob wrote about in CUD - for easy checking, all lines are 64d/40h characters long.

pps The tune sounds OK to me but remember, I have been wearing hearing aids for over 20 years & every speaker is different.
--- End of forwarded message from padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
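As an added illustration (not code from anyone in this thread) of the execve-time policy Niall describes, here is a plain C check of the kind an administrator-enabled hook would run over argv and envp, plus a second function that applies the same byte test to a 32-bit i386 address, which is the reasoning behind the claim that a stack-top address around 0xEFxxxxxx could not survive the filter. The sample environment and the address values are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Printable ASCII as the proposal uses it: space (0x20) through tilde (0x7E).
 * Tab and newline fall outside this range, so environment values that carry
 * them would be rejected too; that is the policy's main false positive and
 * the first thing to measure on a real system before enforcing it. */
static int is_printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7E;
}

/* Scan a NULL-terminated string vector (argv or envp as handed to execve) and
 * return the index of the first entry containing a non-printable byte, or -1
 * when every byte of every entry is printable. An enforcing hook would deny
 * the execve for a flagged process whenever this returns >= 0. */
int first_nonprintable_entry(char *const vec[])
{
    for (size_t i = 0; vec[i] != NULL; i++)
        for (const char *p = vec[i]; *p != '\0'; p++)
            if (!is_printable((unsigned char)*p))
                return (int)i;
    return -1;
}

/* Could a 32-bit address pass the same filter? Inside an argument or
 * environment string it would be four little-endian bytes, so every byte
 * must be printable (a NUL byte would end the C string early anyway).
 * Returns 1 only if all four bytes are printable. */
int addr_is_printable(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (!is_printable((unsigned char)(addr >> shift)))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample environment; the tab in the third entry trips the check. */
    char *envp[] = { "PATH=/usr/bin:/bin", "TERM=vt100", "X=a\tb", NULL };
    printf("first non-printable env entry: %d\n", first_nonprintable_entry(envp));
    /* A constructed address of the 0xEFxxxxxx kind mentioned in the thread:
     * its high byte alone is enough to fail the filter. */
    printf("0xEFBFD7A4 printable: %d\n", addr_is_printable(0xEFBFD7A4u));
    return 0;
}
```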