[39583] in Cypherpunks


Re: NYT on Netscape Crack

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Sep 20 10:08:49 1995

To: Ray Cromwell <rjc@clark.net>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Wed, 20 Sep 1995 00:03:04 EDT."
             <199509200403.AAA14189@clark.net> 
Reply-To: perry@piermont.com
Date: Wed, 20 Sep 1995 10:05:33 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Ray Cromwell writes:
> > > 
> > >   Sigh.  For your information the security code for 1.x versions of
> > > netscape was not even written by someone from NCSA.
> > 
> > If there is ANY place in the code that I can do a data driven buffer
> > overflow, I can force you to execute code that I supply. I don't give
> > a damn if it's in the "security" code. It makes no difference where it
> > is. If there is a chink, that's it -- you're meat.
> 
>   How would you do this if the buffer overflow happened in a buffer
> which was allocated in a separate protected heap apart from stack
> and executable data?

You could do that, but that's not how C does things. C allocates these
things on the stack. Overflow the buffer and you fandango on stack,
allowing you to change where the program counter jumps to on
subroutine exit, and allowing you to force your own machine code into
the system for execution.

I suspect that even were subroutine data allocated in a separate heap
you could pull nasty tricks -- your protected heap probably has data
in it that controls execution flow, so cleverness might still get you
the same results.

Perry
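Added example (not code from Perry's or Ray's posts, and not Netscape's code): the two points above in working C. A fixed-size buffer sits beside a field that controls execution flow (here a function pointer in a heap-allocated struct, the situation Perry raises in his second paragraph); an unbounded `strcpy` into that buffer is the data-driven overflow of the first paragraph, and the hardened form bounds the copy by the destination size and rejects input that does not fit. The `Record` struct and both `fill_record_*` functions are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed example: a fixed-size name buffer right next to data that
 * controls execution flow. On the stack the neighbour would be saved
 * registers and the return address; on the heap it is whatever the
 * allocator or the program placed after the buffer. */
#define NAME_LEN 16

typedef struct {
    char name[NAME_LEN];
    void (*on_done)(const char *);   /* called after the record is filled */
} Record;

static void greet(const char *who) { printf("hello, %s\n", who); }

/* Vulnerable pattern: copy bounded only by the source. If
 * strlen(src) >= NAME_LEN the write runs past `name` into `on_done`.
 * Calling this with input longer than the buffer is undefined behaviour;
 * it is shown here only to contrast with the checked version below. */
static void fill_record_unchecked(Record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened form: bound the copy by the destination size and refuse
 * (rather than silently truncate) input that does not leave room for
 * the terminating NUL. Returns 0 on success, -1 if the input was rejected;
 * on rejection the record is left exactly as it was. */
static int fill_record_checked(Record *r, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof r->name)
        return -1;
    memcpy(r->name, src, n + 1);
    return 0;
}

/* Input validation helper: does `src` fit in a NAME_LEN buffer with its NUL? */
static int input_fits(const char *src) {
    return strlen(src) < NAME_LEN;
}

int main(void) {
    Record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return 1;
    r->on_done = greet;

    fill_record_unchecked(r, "short");          /* safe only because the literal fits */
    if (fill_record_checked(r, "cypherpunk") == 0)
        r->on_done(r->name);

    /* 20 characters into a 16-byte field: rejected, on_done left intact */
    if (fill_record_checked(r, "AAAAAAAAAAAAAAAAAAAA") != 0)
        printf("rejected oversized input; record unchanged (%s)\n", r->name);

    free(r);
    return 0;
}
```

The check `n >= sizeof r->name` is the whole fix: the bound comes from the destination, not from the attacker-controlled source, and rejecting rather than truncating keeps a too-long input from being silently accepted as a different, shorter value.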
