Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

Nathan Hand (nathanh@chirp.com.au)
Fri, 7 Aug 1998 18:11:26 +1000 (EST)


On Tue, 4 Aug 1998, Linus Torvalds wrote:

> On Tue, 4 Aug 1998, Alan Cox wrote:
> >
> > It's actually very hard to get anything beyond a denial of service attack
> > via libc vectors. It's doable
>
> It's _really_ easy. You do something like this:
> - overflow the buffer on the stack, so that the return value is
> overwritten by a pointer to the "system()" library function.
> - the next four bytes are crap (a "return pointer" for the system call,
> which you don't care about)
> - the next four bytes are a pointer to some random place in the shared
> library again that contains the string "/bin/sh" (and yes, just do a
> strings on the thing and you'll find it).
>
> Voila. You didn't have to write any code, the _only_ thing you needed to
> know was where the library is loaded by default. And yes, it's
> library-specific, but hey, you just select one specific commonly used
> version to crash.
>
> Suddenly you have a root shell on the system.
>
> So it's not only doable, it's fairly trivial to do.
>
> In short, anybody who thinks that the non-executable stack gives them any
> real security is very very much living in a dream world. It may catch a
> few attacks for old binaries that have security problems, but the basic
> problem is that the binaries allow you to overwrite their stacks. And if
> they allow that, then they allow the above exploit.
>
> It probably takes all of five lines of changes to some existing exploit,
> and some random program to find out where in the address space the shared
> libraries tend to be loaded.
>
> Linus

This heated discussion (vicious argument?) has all been informative
and interesting, and as a totally apathetic observer I can see just
why each "side" is arguing for/against the feature.

However I'm more interested in what the nay-sayers are proposing as
an alternative. Is there a kernel-supported way for user space apps
to declare "no, I don't believe I have any buffer overflow exploits
so if you, the kernel, see any buffer overflows, then plz terminate
me with great prejudice"?

Is there any way of doing this entirely in user space? Preferably a
solution which isn't along the lines of "don't use languages like C
or C++ which allow for this sort of exploit".

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html