mailing list archives
Re: announcing PaX
From: Marc Esipovich <marc () CORKY NET>
Date: Thu, 2 Nov 2000 05:18:07 +0200
.------[ Dylan Griffiths wrote (Mon, Oct 30, 2000 at 12:19:30PM -0600) ]------
| Voila. You didn't have to write any code, the _only_ thing you needed to
| know was where the library is loaded by default. And yes, it's
| library-specific, but hey, you just select one specific commonly used
| version to crash.
| Suddenly you have a root shell on the system.
| So it's not only doable, it's fairly trivial to do.
| In short, anybody who thinks that the non-executable stack gives them any
| real security is very very much living in a dream world. It may catch a
| few attacks for old binaries that have security problems, but the basic
| problem is that the binaries allow you to overwrite their stacks. And if
| they allow that, then they allow the above exploit. "
| And, let's not forget, this has been done before in Solar Designer's patch
| for Linux ( http://www.openwall.com/linux/ )
| " Non-executable user stack area
This thing is very much different from Solar Designer's non-exec-*stack*
patch, this thing gives you the power to set a *real* non-exec protection
on any region of memory, let it be defined as stack, heap or data, basically
anything that's non-code can be non-executable too.
Workarounds for GCC trampolines, signal handlers and related issues are of
course needed, since most of the areas are now made non-executable.
Like others have noted, it is still possible to exploit buffer overruns,
however, it becomes more difficult.
Again, this is *not* a non-exec stack patch, it does a lot more than that,
read the document provided by the authors.
marc @ corky.net
fingerprint = D1F0 5689 967F B87A 98EB C64D 256A D6BF 80DE 6D3C
\ / ASCII Ribbon Campaign
X Against HTML Mail