Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

Brandon S. Allbery KF8NH (allbery@kf8nh.apk.net)
Tue, 04 Aug 1998 21:23:03 -0300


In message <Pine.LNX.3.96.980804182414.7515A-100000@z.ml.org>, linker@z.ml.org writes:
+-----
| On Wed, 5 Aug 1998, Geert Uytterhoeven wrote:
| > On Tue, 4 Aug 1998 linker@z.ml.org wrote:
| > > As for changing the address to someplace in libc, couldn't we relocate
| > > all libs so that they have a null byte in their address?
| > What are you trying to achieve with this? Sorry, I don't get it.
|
| The copy routines that people exploit copy null-terminated strings. So the
| exploiter must make their exploit code void of null characters, because
| sending one will stop the copy. If you make it tougher to form a pointer
| to those 'bad' functions without using null characters, then it makes their
| job harder.
+--->8

So they do two copies instead of one, with the second placing the NUL where
it's wanted. I see no major improvement here.

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
electrical and computer engineering
carnegie mellon university			   (bsa@kf8nh is still valid.)
