David Holland wrote:
On Fri, 2006-08-18 at 17:59 +0000, Jules Richardson wrote:
As an aside: I've never quite understood
these OS image vulnerabilities.
Doesn't any modern OS provide sufficient protection such that a process can't
just stomp all over memory at random? Unless the problem is just a Windows
thing...
No, it's more than just a Windows thing.
Most of the vulnerabilities I've read about (and understood) have been
of the "trash the stack" sort.
You hand off a specially crafted input source (be it an image, an HTTP
post, or even a command-line argument).
That triggers some boundary condition in the routine which replaces the
proper return address on the machine stack w/ your own specified
address. (Which is usually the address of some machine code you
embedded in your input source.)
Upon return from the routine, the process goes to your code, which does
whatever...
Yes, but if your OS marked data segments as "no execute",
this problem would go away, right?
You would then be forcing the hacker to twiddle the stack in
the hopes of getting some *unintended* portion of *your*
code to execute -- but that code would have to reside in
a loaded TEXT segment (else it would be "no-execute")
Or, is there some *other* way around this that I haven't
anticipated? :-(
I've seen them work. The really interesting ones
are somewhat difficult
to come up with, but far from impossible.
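The "trash the stack" routine described in this thread, shown as an added example (not code from any poster): a hypothetical record parser in its defective form, where an unbounded copy into a fixed stack buffer lets over-long input overwrite what sits above the buffer, including the saved return address, beside the hardened form, which checks the length before copying and rejects over-long input outright. The function names and the sample inputs are constructed for illustration; the unchecked variant is only ever called here with in-bounds input, since calling it with over-long input is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RECORD_MAX 64   /* size of the fixed stack buffer in both parsers */

/* Defective form (hypothetical): strcpy copies until the input's NUL,
   with no regard for the 64-byte buffer. Input longer than that spills
   past buf into the rest of the stack frame, which is exactly the
   "boundary condition" the thread is talking about. */
int parse_record_unchecked(const char *input)
{
    char buf[RECORD_MAX];
    strcpy(buf, input);               /* no length check: the defect */
    return (int)strlen(buf);          /* "record length" for the caller */
}

/* Hardened form: the length is checked against the buffer before any
   byte is copied, and over-long input is rejected (-1) rather than
   silently truncated, so the caller can log it and drop the request. */
int parse_record_checked(const char *input, size_t len)
{
    char buf[RECORD_MAX];
    if (len >= sizeof buf)            /* keep one byte for the terminator */
        return -1;
    memcpy(buf, input, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Constructed input: n bytes of 'A' (n capped at 255), NUL-terminated.
   Used to probe the boundary of the checked parser without ever feeding
   the unchecked one anything larger than its buffer. */
const char *constructed_input(size_t n)
{
    static char storage[256];
    if (n > sizeof storage - 1)
        n = sizeof storage - 1;
    memset(storage, 'A', n);
    storage[n] = '\0';
    return storage;
}

int main(void)
{
    const char *ok = "GIF89a header, 20 bytes";   /* constructed, in-bounds */
    printf("unchecked, in-bounds: %d\n", parse_record_unchecked(ok));
    printf("checked,   in-bounds: %d\n", parse_record_checked(ok, strlen(ok)));
    printf("checked,   63 bytes : %d\n", parse_record_checked(constructed_input(63), 63));
    printf("checked,   64 bytes : %d\n", parse_record_checked(constructed_input(64), 64));
    printf("checked,   200 bytes: %d\n", parse_record_checked(constructed_input(200), 200));
    return 0;
}
```

The length check is the fix at the application level; a no-execute stack and a compiler stack protector (for example GCC's -fstack-protector) are layered defences that make a missed check harder to turn into code execution, but, as the thread notes, they do not remove the underlying bug.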