Bugtraq mailing list archives
Re: your mail
From: stuckey () mrcnext cso uiuc edu (Anthony J. Stuckey)
Date: Wed, 27 Sep 1995 15:05:13 -0500
> Hey folks, I need to know about this 'stack overwriting thing' that is so lively discussed. As I understand it (and correct me if I'm wrong), the point is to pass in data to a non-bound checking routine (like syslog), and make it so constructed that it 'rewrites' some parameters on the stack. Subsequent routines will then pop these phoney params and off we go... Am I right? Can anybody provide me with more detailed info and perhaps some harmless example (please please please!!!)
>
> BTW, I am thinking about a possible bug in programs, that open files R/RW and tell them to be opened across exec()'s. They maybe setuid() in time, but forget to close the file descriptor (hmm). Go check it out!
>
> /LK/

It's simple programming from cs 102, really. When you make a function call, your stack looks like this:

    function parameters from parent
    return addressing information
    local variables for current function

It's very easy to see that overwriting local variables trashes the value of others or the stack pointer. Usually this results in harmless crashes. If you're very clever and know the exact size of the local buffer you're trying to overwrite, as well as some memory addressing information, you can attempt to get some form of viral code executing.

strcpy(), sprintf(), and other functions that don't do bounds checking are basically evil, especially when combined with random data pulled in from out of the machine.
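
An added example, not part of either message above: a harmless model of an unchecked, strcpy()-style copy trashing the variable next to a fixed buffer, beside a bounded copy that rejects the oversized input instead. The struct `locals`, the helper names and the input string are assumptions made for the illustration; the struct stands in for a function's local variables so that the layout is fixed and the write stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a function's locals: a fixed buffer followed by
 * another variable. Using a struct fixes the layout and lets the demo write
 * across it through unsigned char* without undefined behaviour. */
struct locals { char buf[8]; char neighbour[8]; };

/* Copies like strcpy(): stops at the NUL, never asks how big dst is. */
static void unchecked_copy(unsigned char *dst, const char *src)
{
    while ((*dst++ = (unsigned char)*src++) != '\0')
        ;
}

/* Bounded copy: rejects input that does not fit, terminator included. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 = neighbour trashed, 0 = intact, -1 = input too big for the model. */
int demo_unchecked(const char *input)
{
    struct locals l = { "", "SAFE" };
    if (strlen(input) >= sizeof l)
        return -1;
    unchecked_copy((unsigned char *)&l, input);
    return strcmp(l.neighbour, "SAFE") != 0;
}

/* 1 = neighbour trashed, 0 = copied and intact, -1 = rejected and intact. */
int demo_bounded(const char *input)
{
    struct locals l = { "", "SAFE" };
    int rc = bounded_copy(l.buf, sizeof l.buf, input);
    return strcmp(l.neighbour, "SAFE") != 0 ? 1 : rc;
}

int main(void)
{
    const char *in = "AAAAAAAABBBB";   /* constructed: 12 bytes into buf[8] */
    printf("unchecked: %d, bounded: %d\n", demo_unchecked(in), demo_bounded(in));
    return 0;
}
```
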