Bugtraq mailing list archives
Re: resend
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 7 Aug 1998 21:37:21 +0200
> No one worried much about stack-smashing in those days. It would have been a difficult attack, though, since the stack grew up, and local variables would have been allocated after the save area. (While the current routine's save area didn't have the actual return address, by convention it had a back-pointer to the previous save area at a fixed offset from the start of the area. The attack would have involved creating a bogus save area with register 14 pointing to the new code, then smashing the back pointer in the current save area.)
I don't think stacks growing upward help; remember that most exploits in C involve one of the unbounded copy routines and that those overwrite the invocation record of the function calling sprintf/str* etc. (Or one level deeper as on SPARC). When the stack grows up, sprintf/str* will overwrite their own invocation record/return address. So it's actually easier as there's no code executed between the return from str*/sprintf; instead those functions return directly to the exploit code.

Casper
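The point Casper makes about stack direction can be checked on an abstract model rather than real memory. The following C program is an added example, not part of the original message: it lays out two activation records (a calling function with a local buffer, and the string routine it calls) on a modelled stack that grows either down or up, then reports whose return-address slot a write past the end of the buffer reaches first. Frame sizes, word offsets and the "return address first, then locals" layout are assumptions of the model, not any real ABI.

```c
#include <stdio.h>

#define STACK_WORDS 64   /* size of the modelled stack, in words (assumed) */
#define CALLER_LOCALS 4  /* words of local buffer in the calling function (assumed) */
#define CALLEE_LOCALS 2  /* words of locals in the string-copy routine (assumed) */

enum growth { GROWS_DOWN, GROWS_UP };
enum victim { HIT_NOTHING, HIT_CALLER_RETURN, HIT_CALLEE_RETURN };

/* One activation record in the model: the slot holding the return
 * address and the word range occupied by the frame's locals. */
struct frame { int ret_slot; int lo; int hi; };

/* Push a frame of `locals` words. The return address is the first word
 * the call stores, so it sits behind the locals in the direction of growth. */
static struct frame push_frame(enum growth g, int *sp, int locals)
{
    struct frame f;
    if (g == GROWS_DOWN) {
        f.ret_slot = --*sp;
        *sp -= locals;
        f.lo = *sp; f.hi = *sp + locals - 1;
    } else {
        f.ret_slot = (*sp)++;
        f.lo = *sp; f.hi = *sp + locals - 1;
        *sp += locals;
    }
    return f;
}

/* An unbounded copy always runs toward higher addresses. Starting just past
 * the caller's buffer, report which return-address slot an overrun of
 * `overrun` words reaches first (the caller's, the callee's, or neither). */
enum victim first_return_slot_hit(enum growth g, int overrun)
{
    int sp = (g == GROWS_DOWN) ? STACK_WORDS : 0;
    struct frame caller = push_frame(g, &sp, CALLER_LOCALS);
    struct frame callee = push_frame(g, &sp, CALLEE_LOCALS);
    for (int addr = caller.hi + 1; addr <= caller.hi + overrun; addr++) {
        if (addr == caller.ret_slot) return HIT_CALLER_RETURN;
        if (addr == callee.ret_slot) return HIT_CALLEE_RETURN;
    }
    return HIT_NOTHING;
}

int main(void)
{
    printf("grows down: %d (1 = caller's return slot, 2 = callee's)\n",
           first_return_slot_hit(GROWS_DOWN, 8));
    printf("grows up:   %d\n", first_return_slot_hit(GROWS_UP, 8));
    return 0;
}
```

On the downward-growing stack the overrun reaches the calling function's return slot (the case most exploits target); on the upward-growing stack it reaches the copy routine's own return slot first, which is exactly why that direction removes rather than adds a hurdle.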