[LWN Logo]

Date:	Tue, 4 Aug 1998 14:35:14 -0700 (PDT)
From:	Linus Torvalds <torvalds@transmeta.com>
To:	Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

On Tue, 4 Aug 1998, Alan Cox wrote:
> Its actually very hard to get anything beyond a denial of service attack
> via libc vectors. Its doable

It's _really_ easy. You do something like this:
 - overflow the buffer on the stack, so that the return value is
   overwritten by a pointer to the "system()" library function.
 - the next four bytes are crap (a "return pointer" for the system call,
   which you don't care about)
 - the next four bytes are a pointer to some random place in the shared
   library again that contains the string "/bin/sh" (and yes, just do a
   strings on the thing and you'll find it).

Voila. You didn't have to write any code, the _only_ thing you needed to
know was where the library is loaded by default. And yes, it's
library-specific, but hey, you just select one specific commonly used
version to crash. 

Suddenly you have a root shell on the system.

So it's not only doable, it's fairly trivial to do. 

In short, anybody who thinks that the non-executable stack gives them any
real security is very very much living in a dream world. It may catch a
few attacks for old binaries that have security problems, but the basic
problem is that the binaries allow you to overwrite their stacks. And if
they allow that, then they allow the above exploit. 

It probably takes all of five lines of changes to some existing exploit,
and some random program to find out where in the address space the shared
libraries tend to be loaded. 


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html