Bugtraq mailing list archives

Re: Buffer overflow exploit in the alpha linux


From: lamont () ICOPYRIGHT COM (Lamont Granquist)
Date: Mon, 15 Nov 1999 10:57:15 -0800


On Sat, 13 Nov 1999, Taeho Oh wrote:
> 10. Summary
>  This paper explains the buffer overflow exploit technique on Alpha Linux.
> There are many administrators who don't worry about the buffer overflow bug
> because they administrate not Intel x86 Linux but Alpha Linux.
> In addition, some people think that a buffer overflow exploit is impossible
> on Alpha Linux. However, it's possible.
>  DON'T BELIEVE THAT A BUFFER OVERFLOW EXPLOIT IS IMPOSSIBLE ON THE ALPHA.

This has been known for a while.  In Feb I released exploit code for
/usr/bin/mh/inc under Digital Unix 4.0D along with an exploit for "at" for
a previous version of Digital Unix.  This was followed up by finding that
Digital Unix 4.0D still suffered from both of the rdist vulnerabilities
that had been reported by CERT in years past, one of which I managed to
exploit.  More recently Zack Hubert confirmed that Job de Haas's
/usr/dt/bin/dtaction buffer overflow was exploitable under Digital Unix.

I believe that Digital Unix is now shipping with the executable stack
turned off for root by default, and that the latest patches to Digital
Unix 4.0D and above implement this change (exercise for the student: test
this!).  To turn this feature on or off, either change /etc/sysconfigtab
as follows:

proc:
        executable_stack = 0

Or use sysconfig to do it:

# sysconfig -r proc executable_stack=0

You should then get segfaults on any attempt to run code on the stack as
root.  This only protects root-run or suid-root processes, however.
Processes running as any other user will still be vulnerable (e.g. daemons
running as uid=nobody).

