[17490] in bugtraq


Re: some PaX Q&A

daemon@ATHENA.MIT.EDU (der Mouse)
Sat Nov 4 02:40:48 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID:  <200011032248.RAA20550@Twig.Rodents.Montreal.QC.CA>
Date:         Fri, 3 Nov 2000 17:48:57 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM

> [PaX] reduces the ways [a buffer] overflow can be (ab)used by an
> attacker. namely, only already existing executable code (in the given
> task's address space) can be executed, but *NEVER* the payload (as
> long as no read/write/exec pages exist in the task, [...]).

What's to stop the attacker from doing the bounce-off-libc trick to call
mprotect() to make the relevant page RO and executable, then into the
payload?

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
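The question above turns on one runtime property: whether a process is allowed to take a page it mapped writable and later make it executable with mprotect(). The added example below is not part of the mail or of PaX; it is a small W^X audit in C that (a) parses /proc/self/maps-style lines to count mappings that are both writable and executable, and (b) probes the exact transition the mail describes on a fresh anonymous page and reports whether the kernel permitted or denied it. It assumes a Linux system for the live checks; the sample maps text embedded in the block is constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample of /proc/<pid>/maps output (not captured from a real
 * process): exactly one mapping, the third line, is both writable and
 * executable. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 123 /bin/demo\n"
    "00600000-00601000 rw-p 00001000 08:01 123 /bin/demo\n"
    "7f000000-7f001000 rwxp 00000000 00:00 0\n"
    "7ffff000-7ffff800 rw-p 00000000 00:00 0 [stack]\n";

/* Returns 1 if a maps line describes a mapping that is both writable and
 * executable, 0 otherwise (including unparsable lines). Field 1 is the
 * address range, field 2 the "rwxp"-style permission string. */
int line_is_wx(const char *line)
{
    char perms[8] = {0};
    if (sscanf(line, "%*s %7s", perms) != 1)
        return 0;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Counts W+X mappings in an in-memory copy of a maps file. */
int count_wx_in_maps_text(const char *text)
{
    int count = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        /* sscanf stops after the permission field, so passing a pointer
         * into the larger buffer is safe for non-empty lines */
        if (len > 0 && line_is_wx(p))
            count++;
        p += len;
        if (*p == '\n')
            p++;
    }
    return count;
}

/* Counts W+X mappings in the running process; -1 if /proc is unavailable. */
int count_wx_mappings_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int count = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line))
            count++;
    fclose(f);
    return count;
}

/* Probes the transition the mail asks about: map a page writable, then ask
 * mprotect() to make it executable. Returns 0 if the kernel allowed it
 * (nothing enforces W^X across the page's lifetime), 1 if it was denied,
 * -1 on an unrelated failure. */
int probe_rw_to_rx(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int result;
    if (page == MAP_FAILED)
        return -1;
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) == 0)
        result = 0;
    else
        result = (errno == EACCES || errno == EPERM) ? 1 : -1;
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    int probe = probe_rw_to_rx();
    printf("W+X mappings in sample text : %d\n", count_wx_in_maps_text(SAMPLE_MAPS));
    printf("W+X mappings in this process: %d\n", count_wx_mappings_self());
    printf("RW page -> RX via mprotect(): %s\n",
           probe == 0 ? "allowed" : probe == 1 ? "denied" : "probe failed");
    return 0;
}
```

A plain kernel reports "allowed" for the probe, which is the gap the question points at; a kernel whose memory-protection policy refuses to add PROT_EXEC to a page that has been writable reports "denied". The maps parser is the complementary static check: a process that already carries rwx mappings offers the payload a home without any mprotect() call at all.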
