[3044] in bugtraq


Re: [linux-security] Linux NetKit-B update.

daemon@ATHENA.MIT.EDU (Aleph One)
Sun Aug 4 04:29:50 1996

Date: 	Sun, 4 Aug 1996 00:12:13 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

From: Casper Dik <casper@holland.Sun.COM>


>> 6. Buffer overflow in ping mentioned yesterday, but it's not on the
>> stack and consequently probably not exploitable. Patch: use snprintf.
>
>Stack vs. heap is irrelevant.  The V6 'login' overrun bug was in data
>space, rather than on the stack, and it gave a very nice way to log in
>as root.

It *is* relevant.  Overflows on the stack can almost always be
exploited as you can put some code on the stack and make the system return there.

When you overflow the data segment you have no control over the return
statement and putting code there is not helpful.  In some circumstances,
however, there just happen to be interesting variables in the data segment
after the buffer you can overflow.

Both the V6 login and one of the (many) rdist bugs are examples of data
layout that can be abused.

>No, I don't remember the exact character string to enter ...    ;-)


I'm pretty sure it was something like "password<encrypted password string>"

Casper
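The point Casper makes about data layout can be shown without any real target. The following is an added example written for this archive page, not code from the thread, from ping or from any of the programs named above. It models a static 16-byte buffer that happens to sit directly in front of a 4-byte "privileged" flag in the same data segment (a constructed layout, chosen to make the clobbering deterministic and to keep the model itself within bounds), and compares an unbounded copy against the snprintf-style bounded copy the original message proposes as the patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a data-segment layout (assumption, not taken from
 * the thread): a fixed 16-byte buffer immediately followed by a 4-byte
 * flag, the way two static variables can end up adjacent in .data/.bss. */
#define BUF_LEN  16
#define FLAG_OFF BUF_LEN
#define SEG_LEN  (BUF_LEN + (int)sizeof(int))

struct segment {
    unsigned char bytes[SEG_LEN];
};

static void seg_init(struct segment *s)
{
    memset(s->bytes, 0, SEG_LEN);   /* flag starts cleared (unprivileged) */
}

/* Read the flag that lives right after the buffer. */
static int seg_flag(const struct segment *s)
{
    int flag;
    memcpy(&flag, s->bytes + FLAG_OFF, sizeof flag);
    return flag;
}

/* Unbounded copy: behaves like sprintf()/strcpy() into the static buffer.
 * The copy is clamped to SEG_LEN only so that the model stays well-defined;
 * the real bug has no such clamp. */
static void copy_unbounded(struct segment *s, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > (size_t)SEG_LEN)
        n = SEG_LEN;
    memcpy(s->bytes, src, n);
}

/* Bounded copy: the snprintf() fix. Writes at most BUF_LEN - 1 characters
 * plus the terminator, so nothing past the buffer is touched.
 * Returns 1 if the input was truncated, which a caller can log or reject. */
static int copy_bounded(struct segment *s, const char *src)
{
    int wanted = snprintf((char *)s->bytes, BUF_LEN, "%s", src);
    return wanted >= BUF_LEN;
}

/* Helpers that report the flag value after each kind of copy. */
static int flag_after_unbounded(const char *input)
{
    struct segment s;
    seg_init(&s);
    copy_unbounded(&s, input);
    return seg_flag(&s);
}

static int flag_after_bounded(const char *input, int *truncated)
{
    struct segment s;
    seg_init(&s);
    *truncated = copy_bounded(&s, input);
    return seg_flag(&s);
}

int main(void)
{
    const char *long_input = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes, constructed */
    int truncated = 0;

    printf("unbounded, short input : flag = 0x%08x\n", flag_after_unbounded("short"));
    printf("unbounded, long input  : flag = 0x%08x\n", flag_after_unbounded(long_input));
    printf("bounded,   long input  : flag = 0x%08x (truncated=%d)\n",
           flag_after_bounded(long_input, &truncated), truncated);
    return 0;
}
```

With the unbounded copy, an input that is merely four bytes too long leaves the flag non-zero even though no return address was ever involved; with the bounded copy the flag stays cleared and the caller learns that truncation occurred. Whether any particular data-segment overflow matters therefore depends on what the linker placed after the buffer, which is exactly why "not on the stack" is not a safety argument and why the bounded-write patch is the right fix regardless.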
