From: Chris Janicki <Janicki at ia-inc.com>
Date: Wed, 04 Jul 2001 01:11:20 GMT

> Rookie question: How is it possible for a buffer overflow to allow access? Does the overflow automatically provide a shell? Or does it put the process in some debugging mode with remote privileges?

The overflow overwrites some area of memory that's being used for another purpose. If the buffer is on the stack, a typical attack would be to fill it with a sequence of instructions that amount to exec("/bin/sh"); and then continue on to overwrite the return address of the current stack frame to point to the buffer. When the current call returns, it will "return" to the address of the buffer, and start executing code there.

There are a lot of variations depending upon exactly where the buffer is and so forth. If the buffer is on the heap or in the static data region, the attack will have to be done a bit differently. It has to be crafted for the individual vulnerability.

--
Robert Krawitz <rlk at alum.mit.edu> http://www.tiac.net/users/rlk/

Tall Clubs International -- http://www.tall.org/ or 1-888-IM-TALL-2
Member of the League for Programming Freedom -- mail lpf at uunet.uu.net
Project lead for Gimp Print/stp -- http://gimp-print.sourceforge.net

"Linux doesn't dictate how I work, I dictate how Linux works."
--Eric Crampton
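The stack case described in the message above, as an added C example that is not part of the original post: a simulated stack frame shows an unchecked copy running past a local buffer into the saved return address, next to a length-checked copy that refuses the same input. The `struct frame` layout, the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame (assumed layout): a 16-byte local buffer with the saved
 * return address directly after it. Every write stays inside this one
 * object, so the demo is well-defined C and no control flow is altered. */
struct frame {
    char      buf[16];
    uintptr_t saved_ret;
};

#define LEGIT_RET ((uintptr_t)0x1000)      /* constructed sample value */

/* Unchecked copy, like strcpy()/gets() into a local: trusts the input length.
 * Returns 1 if the saved return address was altered, 0 otherwise. */
int copy_unchecked(struct frame *f, const unsigned char *in, size_t n)
{
    f->saved_ret = LEGIT_RET;
    if (n > sizeof *f) n = sizeof *f;      /* keep the simulation in bounds */
    memcpy(f, in, n);                      /* past buf[] this hits saved_ret */
    return f->saved_ret != LEGIT_RET;
}

/* Checked copy: refuse input that does not fit the buffer plus terminator.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_checked(struct frame *f, const unsigned char *in, size_t n)
{
    f->saved_ret = LEGIT_RET;
    if (n >= sizeof f->buf) return -1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
    return 0;
}

int main(void)
{
    unsigned char input[sizeof(struct frame)];   /* constructed oversized input */
    struct frame f;
    memset(input, 'A', sizeof input);

    int altered = copy_unchecked(&f, input, sizeof input);
    printf("unchecked: altered=%d saved_ret=%#lx\n",
           altered, (unsigned long)f.saved_ret);

    int rc = copy_checked(&f, input, sizeof input);
    printf("checked:   rc=%d saved_ret=%#lx\n",
           rc, (unsigned long)f.saved_ret);
    return 0;
}
```

On a real stack the overwritten field is what the function jumps to when it returns, which is why the length check (and compiler mitigations such as stack canaries and non-executable stacks) matters.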