Re: Security in general (was Re: Proposal "LUID")

From: Albert D. Cahalan (acahalan@cs.uml.edu)
Date: Wed Apr 19 2000 - 02:24:22 EST


Michael H. Warfield writes:

> I used to be in the same school of thought on this vis-a-vis
> the non-executable stack and then saw one example that changed my mind
> forever. It's basically a proof that for each and every executable
> stack exploit, there must be at least one non-executable stack exploit
> that is as easy or easier to implement (no assembly required :-) ) than
> the executable stack exploit. All it requires is two addresses and a
> string for the payload of the exploit. The addresses are the address
> to access the system call and the address of the string and would be
> platform, application, and implementation specific. Here is the string:
>
> echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

Well then, there are two easy ways to stop this attack.

First of all, you can mess up the address of the string by
randomizing the initial stack pointer. One might be willing
to use 10 to 16 bits of randomness. If a failed attack kills
the daemon, it is not likely the attack will succeed.

Second of all, you can mess up the address of the system call
by randomizing where the library is loaded. Same as above,
you might use 10 to 16 bits of randomness. The attacker gets
only one chance if the daemon crashes.
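The "attacker gets only one chance" argument above, turned into numbers as an added model (not code from the thread). It assumes the stack-pointer bits and library-base bits are independent and simply add, and contrasts a daemon that comes back with a fresh layout after every crash with one whose layout survives a failed attempt (the hypothetical `fresh_layout` flag):

```python
import random


def success_probability(bits: int, attempts: int, fresh_layout: bool) -> float:
    """Chance that an attacker who must guess `bits` bits of address-space
    layout (stack-pointer bits + library-base bits) lands a working exploit
    within `attempts` tries.

    fresh_layout=True : a failed try kills the daemon and it restarts with a
                        new random layout, so every try is an independent
                        2**-bits shot (the case the reply describes).
    fresh_layout=False: the layout survives a failed try, so the attacker can
                        walk the space without repeating a guess.
    """
    space = 2 ** bits
    if fresh_layout:
        return 1.0 - (1.0 - 1.0 / space) ** attempts
    return min(1.0, attempts / space)


def expected_attempts(bits: int, fresh_layout: bool) -> float:
    """Mean number of tries until success under each model."""
    space = 2 ** bits
    if fresh_layout:
        return float(space)        # geometric trials with p = 1/space
    return (space + 1) / 2.0       # uniform search over 1..space


def simulate(bits: int, attempts: int, fresh_layout: bool,
             trials: int = 10000, seed: int = 1) -> float:
    """Monte Carlo check of success_probability using a constructed attacker
    who always guesses layout 0 (fresh) or enumerates 0,1,2,... (fixed)."""
    rng = random.Random(seed)
    space = 2 ** bits
    wins = 0
    for _ in range(trials):
        if fresh_layout:
            # each attempt sees a newly randomized layout
            wins += any(rng.randrange(space) == 0 for _ in range(attempts))
        else:
            # one layout for all attempts; attacker sweeps the first N values
            wins += rng.randrange(space) < attempts
    return wins / trials


if __name__ == "__main__":
    for bits in (10, 16):          # the 10 to 16 bits suggested in the reply
        print(bits, "bits, single shot:", success_probability(bits, 1, True))
    print("64 tries, fixed layout, 10 bits:", simulate(10, 64, False))
```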

