Bugtraq mailing list archives

Re: [linux-security] Linux NetKit-B update.


From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Sun, 4 Aug 1996 00:12:13 -0700


From: Casper Dik <casper () holland Sun COM>


6. Buffer overflow in ping mentioned yesterday, but it's not on the
stack and consequently probably not exploitable. Patch: use snprintf.

Stack vs. heap is irrelevant.  The V6 'login' overrun bug was in data
space, rather than on the stack, and it gave a very nice way to log in
as root.

It *is* relevant.  Overflows on the stack can almost always be
exploited as you can put some code on the stack and make the system
return there.

When you overflow the data segment you have no control over the return
statement and putting code there is not helpful.  In some circumstances,
however, there just happen to be interesting variables in the data segment
after the buffer you can overflow.

Both the V6 login and one of the (many) rdist bugs are examples of data
layout that can be abused.

No, I don't remember the exact character string to enter ...    ;-)


I'm pretty sure it was something like "password<encrypted password string>"

Casper
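The data-layout abuse Casper describes, as an added example that is not part of the original thread and is not the V6 login or rdist code: a buffer in the data segment sits directly in front of a variable the program trusts, so an unbounded copy that runs off the end of the buffer lands in that variable. Everything here is constructed for illustration: the `struct state`, the `authenticated` flag, the `vulnerable_login` / `hardened_login` functions and the `overflow_input` string are assumptions, not code from any of the programs named in the thread. The two members are placed in one global struct because C guarantees declaration-order layout inside a struct, whereas two separate globals may be reordered by the compiler or linker.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption, not the V6 login code): a fixed-size
 * buffer immediately followed by the variable the program trusts.  The
 * struct lives in the data segment, not on the stack, so there is no
 * return address to hijack; the only thing reachable is `authenticated`. */
struct state {
    char buf[16];
    int  authenticated;     /* 0 = not logged in, non-zero = logged in */
};

static struct state g;

/* Byte-by-byte copy with no length check, written out by hand so the
 * compiler cannot substitute a bounds-checked library routine. */
static void unsafe_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable: the caller's input is copied into the data-segment buffer
 * unbounded, so anything past 16 bytes spills into `authenticated`. */
int vulnerable_login(const char *input)
{
    g.authenticated = 0;
    unsafe_copy(g.buf, input);
    return g.authenticated;
}

/* Hardened with the fix suggested in the advisory: snprintf bounds the
 * copy to sizeof buf (15 characters plus NUL), so the overflow can never
 * reach the flag behind the buffer. */
int hardened_login(const char *input)
{
    g.authenticated = 0;
    snprintf(g.buf, sizeof g.buf, "%s", input);
    return g.authenticated;
}

/* Constructed input: 16 filler bytes fill buf exactly, then a single 0x01
 * byte lands in the first byte of `authenticated`.  Whatever the byte order,
 * the flag becomes non-zero; on a little-endian machine its value is 1. */
static const char overflow_input[] = "AAAAAAAAAAAAAAAA" "\x01";

int main(void)
{
    printf("vulnerable, overflowing input: authenticated = %d\n",
           vulnerable_login(overflow_input));
    printf("hardened,   overflowing input: authenticated = %d\n",
           hardened_login(overflow_input));
    printf("vulnerable, short input:       authenticated = %d\n",
           vulnerable_login("short"));
    return 0;
}
```

The write never leaves the struct (18 of its 20 bytes are touched), which is exactly why such a bug survives tools that only watch the stack: nothing is corrupted except the one variable that happens to follow the buffer in memory.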


