Bugtraq mailing list archives
Re: announcing PaX
From: Marc Esipovich <marc () CORKY NET>
Date: Thu, 2 Nov 2000 05:18:07 +0200
.------[ Dylan Griffiths wrote (Mon, Oct 30, 2000 at 12:19:30PM -0600) ]------
|
| Voila. You didn't have to write any code, the _only_ thing you needed to
| know was where the library is loaded by default. And yes, it's
| library-specific, but hey, you just select one specific commonly used
| version to crash.
|
| Suddenly you have a root shell on the system.
|
| So it's not only doable, it's fairly trivial to do.
|
| In short, anybody who thinks that the non-executable stack gives them any
| real security is very very much living in a dream world. It may catch a
| few attacks for old binaries that have security problems, but the basic
| problem is that the binaries allow you to overwrite their stacks. And if
| they allow that, then they allow the above exploit. "
|
| And, let's not forget, this has been done before in Solar Designer's patch
| for Linux ( http://www.openwall.com/linux/ )
| " Non-executable user stack area
`-------------------------------------------------

This thing is very much different from Solar Designer's non-exec-*stack* patch. This thing gives you the power to set a *real* non-exec protection on any region of memory, let it be defined as stack, heap or data; basically anything that's non-code can be non-executable too. Workarounds for GCC trampolines, signal handlers and related issues are of course needed, since most of the areas are now made non-executable.

Like others have noted, it is still possible to exploit buffer overruns; however, it becomes more difficult.

Again, this is *not* a non-exec stack patch, it does a lot more than that. Read the document provided by the authors.

bye,
Marc.

--
marc @ corky.net
fingerprint = D1F0 5689 967F B87A 98EB C64D 256A D6BF 80DE 6D3C

 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
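The distinction Marc draws above is between a stack-only protection and making every non-code region (stack, heap, data) non-executable. As an added example that is not part of this thread, the following C audit parses `/proc/self/maps`-style lines and flags any mapping that is both writable and executable, the class of region PaX is meant to eliminate; the sample lines and the binary path in them are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps-style lines (not from a real process).
 * Format: start-end perms offset dev inode path */
static const char *const SAMPLE_MAPS[] = {
    "08048000-08057000 r-xp 00000000 03:01 12345      /usr/bin/example",
    "08057000-08058000 rw-p 0000f000 03:01 12345      /usr/bin/example",
    "08058000-0807b000 rwxp 00000000 00:00 0          [heap]",
    "40000000-40016000 r-xp 00000000 03:01 67890      /lib/ld.so",
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]",
    NULL
};

/* Extracts the 4-character permission field ("rwxp") from a maps line.
 * Returns 1 on success, 0 if the line is malformed. */
int maps_perms(const char *line, char perms[5]) {
    const char *sp = strchr(line, ' ');
    if (!sp || strlen(sp + 1) < 4) return 0;
    memcpy(perms, sp + 1, 4);
    perms[4] = '\0';
    /* Each position must be the expected flag or '-' (private/shared for the 4th). */
    if ((perms[0] != 'r' && perms[0] != '-') ||
        (perms[1] != 'w' && perms[1] != '-') ||
        (perms[2] != 'x' && perms[2] != '-') ||
        (perms[3] != 'p' && perms[3] != 's')) return 0;
    return 1;
}

/* Returns 1 when a mapping is writable AND executable, i.e. it violates W^X
 * and would be executable data under a stack-only protection scheme. */
int is_writable_executable(const char *line) {
    char perms[5];
    if (!maps_perms(line, perms)) return 0;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Walks a NULL-terminated array of maps lines, reports each W+X mapping,
 * and returns how many were found. */
int count_wx_mappings(const char *const *lines) {
    int found = 0;
    for (; *lines; ++lines) {
        if (is_writable_executable(*lines)) {
            printf("W+X mapping: %s\n", *lines);
            ++found;
        }
    }
    return found;
}

int main(void) {
    int n = count_wx_mappings(SAMPLE_MAPS);
    printf("%d writable+executable mapping(s) in sample\n", n);
    return 0;
}
```

On a live Linux system the same functions can be fed lines read from `/proc/self/maps` with `fgets`; a zero count is what a fully enforced non-exec data policy should produce.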