[17467] in bugtraq
Re: announcing PaX
daemon@ATHENA.MIT.EDU (Marc Esipovich)
Thu Nov 2 13:26:46 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20001102051807.A2323@marcellos.corky.net>
Date: Thu, 2 Nov 2000 05:18:07 +0200
Reply-To: Marc Esipovich <marc@CORKY.NET>
From: Marc Esipovich <marc@CORKY.NET>
X-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <39FDBBB2.AA63A27E@bigfoot.com>; from Dylan_G@BIGFOOT.COM on Mon,
Oct 30, 2000 at 12:19:30PM -0600
.------[ Dylan Griffiths wrote (Mon, Oct 30, 2000 at 12:19:30PM -0600) ]------
|
| Voila. You didn't have to write any code, the _only_ thing you needed to
| know was where the library is loaded by default. And yes, it's
| library-specific, but hey, you just select one specific commonly used
| version to crash.
|
| Suddenly you have a root shell on the system.
|
| So it's not only doable, it's fairly trivial to do.
|
| In short, anybody who thinks that the non-executable stack gives them any
| real security is very very much living in a dream world. It may catch a
| few attacks for old binaries that have security problems, but the basic
| problem is that the binaries allow you to overwrite their stacks. And if
| they allow that, then they allow the above exploit. "
|
| And, let's not forget, this has been done before in Solar Designer's patch
| for Linux ( http://www.openwall.com/linux/ )
| " Non-executable user stack area
`-------------------------------------------------
This thing is very much different from Solar Designer's non-exec-*stack*
patch, this thing gives you the power to set a *real* non-exec protection
on any region of memory, let it be defined as stack, heap or data, basically
anything that's non-code can be non-executable too.
Workarounds for GCC trampolines, signal handlers and related issues are of
course needed, since most of the areas are now made non-executable.
Like others have noted, it is still possible to exploit buffer overruns,
however, it becomes more difficult.
Again, this is *not* a non-exec stack patch, it does a lot more than that,
read the document provided by the authors.
bye,
Marc.
--
marc @ corky.net
fingerprint = D1F0 5689 967F B87A 98EB C64D 256A D6BF 80DE 6D3C
/"\
\ / ASCII Ribbon Campaign
X Against HTML Mail
/ \
