Bugtraq mailing list archives
Re: Buffer overflow exploit in the alpha linux
From: lamont () ICOPYRIGHT COM (Lamont Granquist)
Date: Mon, 15 Nov 1999 10:57:15 -0800
On Sat, 13 Nov 1999, Taeho Oh wrote:
> 10. Summary
>
> This paper explains the buffer overflow exploit technique in the alpha linux. There are many administrators who don't worry about the buffer overflow bug because he (or she) administrates not intel x86 linux but alpha linux. In addition, some people think that the buffer overflow exploit is impossible in the alpha linux. However, it's possible. DON'T BELIEVE THAT BUFFER OVERFLOW EXPLOIT IS IMPOSSIBLE IN THE ALPHA.
This has been known for a while. In Feb I released exploit code for /usr/bin/mh/inc under Digital Unix 4.0D along with an exploit for "at" for previous version of Digital Unix. This was followed up by finding that Digital Unix 4.0D still suffered from having both of the rdist vulnerabilities that had been reported by CERT in years past, one of which I managed to exploit. More recently Zack Hubert confirmed that Job de Haas's /usr/dt/bin/dtaction buffer overflow was exploitable under Digital Unix.

I believe that Digital Unix is now shipping such that it has the executable stack turned off for root by default, and that the latest patches to Digital Unix 4.0D and above implement this patch (exercise for the student: test this!).

To turn this feature on or off either change /etc/sysconfigtab as such:

    proc:
            executable_stack = 0

Or use sysconfig to do it:

    # sysconfig -r proc executable_stack=0

You should then get segfaults on any attempt to run code on the stack as root. This only protects root run or suid root processes, however. Processes running as any other user will still be vulnerable (e.g. daemons running as uid=nobody).
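A way to audit the setting described above in a copy of /etc/sysconfigtab, as an added example that is not part of the original post. The function names and the sample stanza content are constructed for illustration, and the parser assumes the layout shown in the message: a "proc:" header followed by indented "attribute = value" lines.

```shell
#!/bin/sh
# Added example: audit the executable_stack attribute in the proc stanza
# of a sysconfigtab-style file. Function names are hypothetical.

# Print the value of executable_stack from the "proc:" stanza, or "unset".
# If the attribute is repeated, the last value seen is reported
# (a choice made for this example).
exec_stack_setting() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        /^[^ \t#][^ \t]*:[ \t]*$/ {            # stanza header such as "proc:"
            in_proc = ($0 ~ /^proc:[ \t]*$/)
            next
        }
        in_proc {
            line = $0
            gsub(/[ \t]/, "", line)            # drop blanks around "="
            if (index(line, "executable_stack=") == 1)
                val = substr(line, length("executable_stack=") + 1)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Return 0 only when the proc stanza sets executable_stack to 0.
audit_exec_stack() {
    v=$(exec_stack_setting "$1")
    if [ "$v" = "0" ]; then
        echo "OK: executable_stack = 0 in $1"
        return 0
    fi
    echo "WARN: executable_stack is '$v' in $1"
    return 1
}

# Constructed sample input, not taken from a real system.
sample_sysconfigtab() {
    printf 'misc:\n\tother_attr = 1\n\nproc:\n\tanother_attr = 2\n\texecutable_stack = 0\n'
}

if [ -n "${1:-}" ]; then
    audit_exec_stack "$1"
else
    tmp=$(mktemp) && sample_sysconfigtab > "$tmp"
    audit_exec_stack "$tmp"
    rm -f "$tmp"
fi
```

A passing result covers only what the message describes: root-run and suid root processes.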