At 08:20 PM 7/19/98 -0700, David Greenman wrote:
> I think people are fooling themselves if they think that making the stack
>non-executable is going to prevent any of the stack overflow related attacks
>from working (with minor mods of course). Most executables have plenty enough
>code mapped that in most cases it shouldn't be too difficult for the
exploiter
>to frob the stack a bit with some reasonable arguments and then push a non-
>stack function as the return address (plenty of yummy things to choose
from in
>shared libc, for example - including, but not limited to, execl()). This
>wouldn't require anything to execute from the stack, so making the stack
>non-executable wouldn't prevent this from working.
Unfortunately, without the use of call gates, there are still some exploits
that can be done. But far fewer.... You need to know exactly where things are
mapped in order to push the addresses of library routines as return addresses.
--Brett
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message