question on buffer overflow (was RE: Extreme Hacking)

["Choi, Byoung" <bchoi () visa com>]

> i have a dumb question:
>
> a local buffer can be overflown to overwrite the thread's stack (if the
> code doesn't check for the EOB).  overwriting the stack can change the
> flow of the code, and possibly redirect it to rogue code inserted.
>
> but what's the "typical" (if there is one) technique?  it all seems rather
> precarious:
> the rogue code is platform-dependent (machine code, etc.)
> the exploit must anticipate the stack frame location where it will get
> overwritten so that
> 1. the address depedence of the rogue code is satisfied
> 2. control flow is correctly redirected to the rogue code.
>
> am i in the ball park?
>
> i would appreciate it if someone can enlighten me.
>
> byoung
>
> ----------
> From:         Stephen P. Berry[SMTP:spb () incyte com]
> Reply To:     Stephen P. Berry
> Sent:         Tuesday, July 06, 1999 4:59 PM
> To:   Marcus J. Ranum
> Cc:   Kunz, Peter; firewall-wizards () nfr net; spb () incyte com
> Subject:      Re: Extreme Hacking 
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> In message <3.0.6.32.19990705162655.007ce960 () mail clark net>, 
> "Marcus J. Ranum" writes:
>
> > A number of "reputable" security companies develop their
> > own hacking techniques. I'm not sure what the justification
> > is -- other than that it just comes naturally, since they
> > tend to hire "ex-"hackers. It'd be unrealistic to expect
> > those guys to stop thinking in terms of how systems are
> > broken into, and to shift their thought-patterns into thinking
> > about how to keep systems secure.
>
> I'm not sure that the two are necessarily entirely distinct.  I know I 
> wouldn't rely on a cryptosystem that wasn't designed by or at least 
> reviewed by one or more competent cryptoanalysists.  Or rely on code
> written
> by someone unfamiliar with what a buffer overflow is or how it is
> exploited[1].
>
> The fundamental problem I see in general is a focus on teaching
> implimentation over theory.
>
> The vast majority of hacking (for this sense of `hacking') involves
> dicking
> around with implimentation problems.  That's fine as far as that goes---in
> security, all the implimentation warts and technicalities count.  The
> problem is that being able to break things (even very proficiently)
> doesn't necessarily make you any better prepared for fixing them...or
> even preventing other people from breaking them.
>
> Theory can.  So I suspect that most employers would be better served
> by sending their security drones off to a `TCP/IP For Simpering Cretins'
> class or something similar, rather than something ostensibly teaching
> hacking techniques.
>
> Mod:  I have grave reservations about the n hour one-shot course as a
> pedagogical tool for teaching security practises in general.  I think the
> apprentice/journeyman/master system would be more appropriate.
>
>
>
> > Here's a thought: when one of us gets broken into using one
> > of the secret new techniques that E&Y is teaching, let's
> > sue E&Y for developing it and disclosing it irresponsibly.
> > They've got deep pockets.
>
> The deep pockets are presumably why Ernst and Young would make a
> more attractive target for annoyance litigation than, say, Richard
> Stevens or Linus Torvalds (for example)...both of whom have probably
> taught
> more bad guys how to commit Evil Deeds than Ernst and Young ever will[2].
>
> Random aside:  At least they didn't call it `Xtreme hacking' or
> something even goofier like that[3].
>
>
>
>
>
>
>
>
> - -Steve
>
> - -----
> 1     Mod if it's code to be used on a 370 or some such goddamn thing.
> 2     Not to mention bugtraq or any of a number of other public
>       full-disclosure lists.
> 3     I wonder if the course materials have been run through a warez d00dz
>       filter.  
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBN4KYNirw2ePTkM9BAQGmxgP+Khs645RwclqFYbjZPB5rQidxzPO0VliV
> J2OslwhX8dI+TsZCvoBN0UxbtT6Kw45meh/tMT2yZUB2FihxiDe4n3fq0ie7ksu3
> UZfL1fNAwgn5U2FGnhCtMCPK/Pp0tB4TzvMrftoA+gSQwtjVY0XbBy24q2DmzJFC
> RZxxd203DMY=
> =Pze1
> -----END PGP SIGNATURE-----