Subject: Re: announcing PaX
From: Marc Esipovich (marc CORKY.NET)
Date: Wed Nov 01 2000 - 21:18:07 CST
- Next message: Claes Nyberg: "Redhat 6.2 dump Exploit"
- Previous message: Gerald Carter: "Re: Samba 2.0.7 SWAT vulnerabilities"
- In reply to: Dylan Griffiths: "Re: announcing PaX"
- Reply: Marc Esipovich: "Re: announcing PaX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
.------[ Dylan Griffiths wrote (Mon, Oct 30, 2000 at 12:19:30PM -0600) ]------
|
| Voila. You didn't have to write any code, the _only_ thing you needed to
| know was where the library is loaded by default. And yes, it's
| library-specific, but hey, you just select one specific commonly used
| version to crash.
|
| Suddenly you have a root shell on the system.
|
| So it's not only doable, it's fairly trivial to do.
|
| In short, anybody who thinks that the non-executable stack gives them any
| real security is very very much living in a dream world. It may catch a
| few attacks for old binaries that have security problems, but the basic
| problem is that the binaries allow you to overwrite their stacks. And if
| they allow that, then they allow the above exploit. "
|
| And, let's not forget, this has been done before in Solar Designer's patch
| for Linux ( http://www.openwall.com/linux/ )
| " Non-executable user stack area
`-------------------------------------------------
This thing is very much different from Solar Designer's non-exec-*stack*
patch; this thing gives you the power to set a *real* non-exec protection
on any region of memory, let it be defined as stack, heap or data; basically
anything that's non-code can be non-executable too.
Workarounds for GCC trampolines, signal handlers and related issues are of
course needed, since most of the areas are now made non-executable.
Like others have noted, it is still possible to exploit buffer overruns,
however, it becomes more difficult.
Again, this is *not* a non-exec stack patch; it does a lot more than that.
Read the document provided by the authors.
bye,
Marc.
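As an added illustration, not code from this thread or from the PaX project: a small auditor over the Linux /proc/&lt;pid&gt;/maps format that lists regions mapped both writable and executable, which is exactly the condition a real non-exec protection on stack, heap and data regions is meant to remove. The maps text below is constructed for the example; `audit_process` is an assumed helper name.

```python
import re
from typing import List, NamedTuple

# Constructed /proc/<pid>/maps sample (not a real capture): an old-style process
# whose heap and stack are mapped executable. Addresses and paths are illustrative.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 12345      /usr/bin/example
0804c000-0804d000 rw-p 00003000 03:01 12345      /usr/bin/example
0804d000-08061000 rwxp 00000000 00:00 0          [heap]
40000000-40013000 r-xp 00000000 03:01 67890      /lib/ld-linux.so.2
40013000-40014000 rw-p 00012000 03:01 67890      /lib/ld-linux.so.2
bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]
"""

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. "rwxp": read, write, execute, private
    path: str    # file backing the mapping, or a label such as [stack]

# Fields: address range, perms, offset, device, inode, optional pathname.
_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of a /proc/<pid>/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue   # skip blank or malformed lines rather than fail
        out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                           m.group(3), m.group(4).strip()))
    return out

def writable_and_executable(maps: List[Mapping]) -> List[Mapping]:
    """Regions that are both writable and executable. Under a non-exec
    protection covering all non-code regions, this list should be empty."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]

def executable_data_regions(maps: List[Mapping]) -> List[str]:
    """Labels of stack/heap regions that are executable (the classic target
    of the non-exec stack patches discussed above)."""
    return [m.path for m in maps if m.path in ("[stack]", "[heap]") and "x" in m.perms]

def audit_process(pid: str = "self") -> List[Mapping]:
    """Audit a live process on Linux (assumed helper): return its W+X regions."""
    with open(f"/proc/{pid}/maps") as f:
        return writable_and_executable(parse_maps(f.read()))

if __name__ == "__main__":
    for m in writable_and_executable(parse_maps(SAMPLE_MAPS)):
        print(f"W+X: {m.start:08x}-{m.end:08x} {m.perms} {m.path}")
```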