[413] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Fisher Mark)
Fri Feb 17 08:42:07 1995
From: Fisher Mark <FisherM@is3.indy.tce.com>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Fri, 17 Feb 95 05:22:00 PST
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Robert B. Denny writes in
<Chameleon.950216202647.rdenny@rdenny.west.ora.com>:
>No, separate instruction and data space (I&D space). It's been around
>for many years. Later PDP-11 models had it, e.g.
The necessary permission bit, if the processor supports multiple pages
and/or segments per process, is a bit for execute vs. not-execute per
page/segment. I believe that even the Intel 80x86 family (286 & above)
supports this bit. A properly written OS on hardware with an execute bit
does not allow executing random code from data space. On the other hand, it
would likely be impossible to efficiently protect against executing random
compiled/assembled code out of data space on a processor without this bit.
Under PDP-11 UNIX you had to go through some contortions to execute code out
of nominal data space, contortions that I believe had to be performed inside
the UNIX OS. I think that SCO Xenix (and probably SCO UNIX) use the execute
bit permission on Intel 80x86 processors.
Once you have the execute bit, this kind of attack is relatively easy to
prevent if the OS does not give you a back door to get around it. Most UNIX
versions last I knew did not have this back door except to the extent needed
for creating debuggers, i.e. you can't be running as "fisherm" and use the
debugger on a program that executes as "root" -- you can only use the
debugger on programs that will run under your user ID. The debugger
capability just gives you an incredibly obscure way to run the same code
with the same permissions that you could write&run directly.
As far as a proper language goes -- if the language permits either
non-bounds-checked array accesses or pointers it can be compromised to write
out-of-bounds data.
======================================================================
Mark Fisher             Thomson Consumer Electronics
fisherm@indy.tce.com    Indianapolis, IN
"Just as you should not underestimate the bandwidth of a station wagon
traveling 65 mph filled with 8mm tapes, you should not overestimate
the bandwidth of FTP by mail."
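The per-page execute bit that the post above argues for can be demonstrated directly. The following C program is an added example, not code from Mark Fisher's post, from the www-security list or from the CIAC advisory it replies to. It assumes a POSIX system with mmap/mprotect and NX enforcement (Linux on x86-64 or AArch64 are the assumed targets; the stub bytes are constructed here and simply mean "return 42"). It copies that stub into an anonymous read/write page, standing in for an attacker's "random compiled code out of data space", and tries to call it: with the execute bit cleared the fetch faults and the guarded call reports 0; after mprotect() flips the page to read/execute (never read/write/execute at once), the same bytes run and return 42.

```c
/* Added example: does the OS let us execute bytes we wrote into a data page?
 * Assumed target: Linux/POSIX on x86-64 or AArch64 with NX enforcement. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed machine-code stub for "return 42": the stand-in for code an
 * attacker would drop into a buffer. Bytes are an assumption of this example. */
#if defined(__x86_64__)
static const uint8_t kStub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                 0xc3 };                         /* ret         */
#elif defined(__aarch64__)
static const uint8_t kStub[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                 0xc0, 0x03, 0x5f, 0xd6 };      /* ret         */
#else
#error "stub bytes are provided only for x86-64 and AArch64"
#endif

typedef int (*stub_fn)(void);

static sigjmp_buf g_fault_jump;

/* An instruction fetch from a page without execute permission raises SIGSEGV
 * (SIGBUS on some kernels). Unwind back into call_guarded instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(g_fault_jump, 1);
}

/* Call the code at `code`. Returns 1 and stores the stub's return value in
 * *out if the call completed, 0 if the CPU/OS faulted on the fetch. */
static int call_guarded(const uint8_t *code, int *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int completed = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;          /* allow a second fault to be caught too */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(g_fault_jump, 1) == 0) {
        stub_fn fn = (stub_fn)(uintptr_t)code;
        *out = fn();
        completed = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return completed;
}

/* Copy the stub into a fresh anonymous page and try to run it.
 *   make_executable == 0: leave the page read/write only ("data space").
 *   make_executable != 0: switch it to read/execute first (W^X: never both).
 * Returns 42 if the stub ran, 0 if the execute bit stopped it,
 * -1 if mapping or changing protection failed. */
int run_stub(int make_executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, kStub, sizeof kStub);

    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return -1;
        }
        /* AArch64 has split I/D caches; make the freshly written code visible. */
        __builtin___clear_cache((char *)page, (char *)page + sizeof kStub);
    }

    int value = 0;
    int completed = call_guarded(page, &value);
    munmap(page, pagesz);
    return completed ? value : 0;
}

int main(void)
{
    printf("RW data page: %d\n", run_stub(0));   /* 0 where NX is enforced */
    printf("RX code page: %d\n", run_stub(1));   /* 42 */
    return 0;
}
```

The 0 from the read/write page is the execute bit doing exactly what the post describes: the bytes are there, the CPU refuses to fetch them. On a hardened kernel that forbids turning a writable mapping into an executable one (PaX-style MPROTECT or an SELinux execmem denial) the second call returns -1 at the mprotect step, which is that "back door" being closed even for the process's own code.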