[14876] in bugtraq


Reply: Re: non-exec stack

daemon@ATHENA.MIT.EDU (ZhaoQian)
Fri May 12 00:03:06 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
Message-Id:  <000c01bfbae4$17fb05a0$1614a8c0@starocean.jadebird.pku.edu.cn>
Date:         Thu, 11 May 2000 08:59:00 +0800
Reply-To: ZhaoQian <zhaoqian@JADEBIRD.PKU.EDU.CN>
From: ZhaoQian <zhaoqian@JADEBIRD.PKU.EDU.CN>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

>>Hi,
>>
>>On Mon, May 08, 2000 at 10:06:04AM +0200, Casper Dik wrote:
>>> >Here's an overflow exploit that works on a non-exec stack on x86 boxes.
>>> >It demonstrates how it is possible to thread together several libc
>>> >calls.  I have not seen any other exploits for x86 that have done this..
>>>
>>> Non-executable stacks do not work in Solaris/x86.
>>>
>>> It is impossible to give page level protection that prevents
>>> execution on the x86 architecture.
>>
>>Hmmm, so how do they do that on Linux?  I thought Solar Designer had a
>>non-exec-stack patch for Linux.
>
>
>Yes, but I don't think you can "mprotect" that stack back page by
>page to allow execute permission.
>
>Casper

Solar Designer uses a segment protection mechanism to implement "hardware
protect", but BSS/heap overflows also work on those boxes.
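
The point raised in this thread, that a non-executable stack leaves other writable regions such as heap and BSS to account for, can be checked on a Linux host by auditing a process memory map for regions that are both writable and executable. This is an added example, not part of the original post; the sample map lines and the binary name `exampled` are constructed, and the BSS classification is a heuristic.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a real host):
# the stack is mapped without execute permission, heap and BSS are not.
SAMPLE_MAPS = """\
08048000-08052000 r-xp 00000000 08:01 1311 /usr/sbin/exampled
08052000-08053000 rw-p 0000a000 08:01 1311 /usr/sbin/exampled
08053000-08055000 rwxp 00000000 00:00 0
09a1c000-09a3d000 rwxp 00000000 00:00 0 [heap]
b7e10000-b7f60000 r-xp 00000000 08:01 2207 /lib/libc.so.6
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [name]
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) \S+ \S+ \S+\s*(.*)$")

def audit(maps_text):
    """Return (kind, start, end, perms) for every writable+executable region."""
    findings, prev_end, prev_name = [], None, ""
    for line in maps_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a maps record
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, name = m.group(3), m.group(4)
        if name == "[stack]":
            kind = "stack"
        elif name == "[heap]":
            kind = "heap"
        elif name == "" and prev_name.startswith("/") and start == prev_end:
            kind = "bss"   # heuristic: anonymous memory contiguous with a file mapping
        elif name.startswith("/"):
            kind = "file"
        else:
            kind = "anon"
        if "w" in perms and "x" in perms:
            findings.append((kind, start, end, perms))
        prev_end, prev_name = end, name
    return findings

if __name__ == "__main__":
    for kind, start, end, perms in audit(SAMPLE_MAPS):
        print(f"{kind:5} {start:08x}-{end:08x} {perms}  writable and executable")
```

To audit a live process, pass the contents of `/proc/<pid>/maps` to `audit()` instead of the sample.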
