Re: netscape bug
In article <[email protected]>, "Perry E. Metzger" <[email protected]> writes:
> Tom Weinstein writes:
>> While it is certainly true that you can stomp on memory in static
>> buffers, it's not clear that you can execute whatever code you insert
>> there. If the buffer happens to be allocated off the stack (and the
>> stack grows down) then you can modify the return address. Of course,
>> you have to know the address of whatever code you want to execute.
> Let's say, Mr. Weinstein, that you shove some code onto the stack along
> with the return address, and the address happens to be the code.
I never disputed that it could be done, I was just uncertain as to how
easy it would be. As has been pointed out, it's not nearly as hard as I
thought, assuming you can execute in the stack.
> If you don't believe it can be done, it's easy enough to demonstrate it
> on your machines, which I believe suffer from the syslog(3) bug, which
> your company hasn't patched so far as I know, and which afflicts the
> Sendmail daemons you ship with your machines. See the recent 8lgm bug
> report if you want details.
Hmm, could you explain how to exercise this bug? Perhaps a sample
program?
>> Of course, that also assumes that you can execute from the data area
>> which is not always true.
> It's usually true on modern machines -- it's very difficult to rig
> things otherwise given the way that lots of the dynamic loading works
> these days.
True.
--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto | [email protected]
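The mechanism the two of them are arguing about, as an added example (this is not code from the thread, from Netscape or from the 8lgm report): a fixed-size buffer with the saved return address sitting just above it, an unchecked copy that runs past the buffer, and a payload that puts code in the buffer and the code's address where the return address was. The frame layout, the 16-byte buffer, the placeholder return address, the 0x90 filler standing in for injected code and the address 0x41414141 chosen for it are all assumptions. The overwrite is simulated in a struct rather than on the live stack, because stack protectors and non-executable stacks on current toolchains would stop the real thing; the point is to see exactly which payload bytes land on the saved return address, and that a bounded copy leaves it alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame: a 16-byte buffer with the saved return address sitting
 * right above it, as it would on a stack that grows down. */
#define BUF_SIZE 16

struct frame {
    char buf[BUF_SIZE];
    uintptr_t saved_ret;
};

/* Placeholder for wherever the function would really have returned to. */
#define ORIGINAL_RET ((uintptr_t)0x08048100UL)

/* Unchecked copy in the style of strcpy(): writes n bytes starting at buf
 * and keeps going past its end into saved_ret. The frame is addressed as
 * raw bytes so the overrun is a well-defined write in this simulation;
 * the clamp only keeps the demo inside the struct, a real strcpy() has
 * no such limit. */
static void vulnerable_copy(struct frame *f, const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(dst, src, n);
}

/* Hardened copy: clamps to the buffer, so saved_ret is never touched. */
static void bounded_copy(struct frame *f, const unsigned char *src, size_t n)
{
    if (n > BUF_SIZE)
        n = BUF_SIZE;
    memcpy(f->buf, src, n);
}

/* How far into the input the attacker's address has to sit. */
size_t ret_offset(void)
{
    return offsetof(struct frame, saved_ret);
}

/* The payload described in the thread: code bytes filling the buffer,
 * then the address of that code laid over the saved return address.
 * 0x90 (x86 NOP) stands in for the injected code; the address is
 * written in host byte order, the way the CPU will read it back. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t code_addr)
{
    size_t off = ret_offset();
    size_t len = off + sizeof code_addr;
    if (cap < len)
        return 0;
    memset(out, 0x90, off);
    memcpy(out + off, &code_addr, sizeof code_addr);
    return len;
}

/* Saved return address after the unchecked copy of the payload. */
uintptr_t ret_after_vulnerable(uintptr_t code_addr)
{
    struct frame f;
    unsigned char payload[sizeof f];
    memset(&f, 0, sizeof f);
    f.saved_ret = ORIGINAL_RET;
    vulnerable_copy(&f, payload, build_payload(payload, sizeof payload, code_addr));
    return f.saved_ret;
}

/* Saved return address after the bounded copy of the same payload. */
uintptr_t ret_after_bounded(uintptr_t code_addr)
{
    struct frame f;
    unsigned char payload[sizeof f];
    memset(&f, 0, sizeof f);
    f.saved_ret = ORIGINAL_RET;
    bounded_copy(&f, payload, build_payload(payload, sizeof payload, code_addr));
    return f.saved_ret;
}

int main(void)
{
    uintptr_t code = (uintptr_t)0x41414141UL;   /* assumed address of the injected code */
    printf("saved return address sits %zu bytes into the input\n", ret_offset());
    printf("unchecked copy: ret = 0x%lx\n", (unsigned long)ret_after_vulnerable(code));
    printf("bounded copy:   ret = 0x%lx\n", (unsigned long)ret_after_bounded(code));
    return 0;
}
```

The offset reported by ret_offset() is the number Weinstein's "you have to know the address" remark glosses over: besides knowing where the code will land, the attacker has to know how many bytes separate the start of the buffer from the saved return address, and that is what a NOP run in front of the code buys some slack on.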