Unexecutable Stack / Buffer

Helge Hafting helgehaf en idb.hist.no
Vie Ene 21 00:01:36 CST 2000


>Question: if you make data/stack segments
>unexecutable by default and provide a call
>to make it executable again for the few
>hundred programs that need it, wouldn't
>there be s.o. who could exploit the
>availability of such a call?

It doesn't matter.  It has been shown that
*all* the exploits that need the executable
stack works without it too.  So no need
to bloat the kernel with a syscall that
gives us nothing.

If you need to know:
Executable stack exploit overwrites
the return address with an address on stack,
and some code wich this address point to.
This is typically exec("/bin/sh")  as this gives
a root shell when the attack is run against some
powerful daemon.

Unexecutable stack exploit overwrite the return
address with the address of execve, as well as
the parameters to that call, wich is
a pointer to the string "/bin/sh"  This can usually
be found at a fixed address in standard libraries, or
you can push that too onto the stack.

So the protected stack gives you nothing, and there
is therefore no need for extra syscalls
to turn executable on for those special cases
that need it.

The protected stack don't even buy you temporary protection,
for the software used to auto-generate stack smashers
is easily upgradeable with this in mind.  

Helge Hafting

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



Más información sobre la lista de distribución Ayuda