Re: your mail

[stuckey () mrcnext cso uiuc edu (Anthony J. Stuckey)]

> Hey folks, I need to know about this 'stack overwriting thing'
> thet is so lively discussed. As I understand it (and correct me
> if I'm wrong), the point is to pass in data to a non-bound
> checking routine (like syslog), and make it so constructed
> that it 'rewrites' some parameters on the stack.
> Subsequent routines will then pop these phoney params and
> off we go...
> Am I right? Can anybody provide me with more detailed info
> and perhaps some harmless example (please please please!!!)
>
> BTW, I am thinking about a possible bug in programs, that open
> files R/RW and tell them to be opened across exec()'s. They maybe
> setuid() in time, but forget to close the file descriptor (hmm).
> Go check it out!
> /LK/

        It's simple programming from cs 102, really.

        When you make a function call, your stack looks like this:

        function parameters from parent
        return addressing information
        local variables for current function.

        It's very easy to see that overwriting local variables trashes the value
of others or the stack pointer.  Usually this results in harmless crashes.
If you're very clever and know the exact size of the local buffer you're
trying to overwrite, as well as some memory addressing information, you can
attempt to get some form of viral code executing.

        strcpy(), sprintf(), and other functions that don't do bounds checking
are basically evil, especially when combbined with random data pulled in
from out of the machine.