Date:      Wed, 8 Dec 1999 15:03:28 -0800 (PST)
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Roelof Osinga <roelof@nisser.com>
Cc:        Jonathon McKitrick <jcm@dogma.freebsd-uk.eu.org>, Kris Kennaway <kris@hub.freebsd.org>, freebsd-chat <chat@FreeBSD.ORG>
Subject:   Re: Yahoo hacked last night
Message-ID:  <Pine.BSF.4.21.9912081457560.4557-100000@fw.wintelcom.net>
In-Reply-To: <384ED9C2.348253DC@nisser.com>

On Wed, 8 Dec 1999, Roelof Osinga wrote:

> Alfred Perlstein wrote:
> > 
> > For a function to be able to return to its caller it must store the
> > return address on the stack, what a buffer overflow generally does
> > is overwrite that return address with a pointer to some more data
> > on the stack which is actually machine instructions to exec a shell.
> 
> How? Wouldn't it be a tremendous happenstance if the buffer that
> overflows actually just happens to be where the stack is? 

It's common in C where automatic variables are allocated on the stack.

> If you
> overflow a buffer you write bytes into dataspace where, in a
> protected environment, it won't get executed. 

Not if it's on the stack.

> No matter what you 
> push onto the return stack. Worse, the i386 has several exceptions
> it can raise to signal stack over- and underflows so the stack could
> be a fairly well controlled environment. Actually, the same can be
> done for data space segments as well. Thereby preventing buffer
> overflows from overflowing into code space.

The problem is that memory protection can really only be done in
page-sized chunks.

> Maybe if you had aliased segments to allow access by anything to
> anything you could do this easily. But otherwise?

The stack is executable; check the mailing lists for "trampoline".
This hasn't come up in almost a year.

> Well... easily? Bit of an understatement <g>. Not only do you need
> the right bytes at the right time, you also need the right buffer to
> overflow so the right bytes get put at the right place. Would still
> be a neat trick.

It's not difficult if you have the source or a lot of time on your
hands.

-Alfred
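The pattern the thread describes, an automatic array on the stack filled by an unbounded copy, shown beside a bounds-checked version that refuses input that would not fit. This is an added example, not code from the thread; the names greet_unsafe, greet_safe and SMALL_BUF are this example's own.

```c
/* Added example (not from the thread): a stack-allocated buffer filled by an
 * unbounded copy, next to a bounds-checked version that refuses oversized
 * input.  Function and macro names are this example's own. */
#include <stdio.h>
#include <string.h>

#define SMALL_BUF 16

/* Vulnerable pattern: 'name' is an automatic variable, so it lives in this
 * function's stack frame alongside the saved return address.  strcpy stops
 * only at the NUL byte, so a longer input keeps writing past the array.
 * Overflowing it is undefined behaviour; call it only with input that fits. */
int greet_unsafe(const char *input)
{
    char name[SMALL_BUF];
    strcpy(name, input);                 /* no length check at all */
    return (int)strlen(name);
}

/* Hardened version: check the length (terminator included) before copying
 * and report -1 instead of writing past the end of the frame's buffer. */
int greet_safe(const char *input)
{
    char name[SMALL_BUF];
    size_t len = strlen(input);
    if (len >= sizeof name)              /* would not fit with its NUL: refuse */
        return -1;
    memcpy(name, input, len + 1);        /* copy including the terminator */
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *short_input = "freebsd";
    const char *long_input  = "this string is much longer than sixteen bytes";
    printf("safe(short)   = %d\n", greet_safe(short_input));   /* 7  */
    printf("safe(long)    = %d\n", greet_safe(long_input));    /* -1 */
    printf("unsafe(short) = %d\n", greet_unsafe(short_input)); /* 7  */
    return 0;
}
```

The unsafe variant is only ever given input that fits here; the point is the missing check, which the safe variant supplies at the boundary of sizeof name.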