From: tomw@orac.engr.sgi.com (Tom Weinstein)
To: cypherpunks@toad.com
Message Hash: 00901adc03d841f0d4b1ec0673fc4b565a1092ec5c55586fae9c70f111579add
Message ID: <199509212242.PAA04533@orac.engr.sgi.com>
Reply To: N/A
UTC Datetime: 1995-09-21 22:42:57 UTC
Raw Date: Thu, 21 Sep 95 15:42:57 PDT
In article <DF8qC9.4Cw@sgi.sgi.com>, "Vladimir Z. Nuri" <vznuri@netcom.com> writes:
> P.M. notes that anywhere there is a data-driven buffer overflow (which
> he suspects are all over netscape) he can get code to execute anything
> he wants. This reminds me of the
> Morris internet worm that ran exactly the same way. It used a
> bug in the finger demon that caused a string buffer overwrite
> (via strcpy, instead of strncpy) to execute customized code.
> My question: I have not seen the specifics of how this works. Does
> this require specialized knowledge of the native machine language on the
> host machine? Or is it just used to cause something like a core dump
> to get a command line or something like that?

I question the accuracy of this. The fingerd bug was that a string in
the static data area was read in with gets which could be overflowed.
At some point in memory after this input buffer was the string constant
that stored the name of the finger command. What the Morris worm did
was to overflow the input buffer and replace the string constant
"finger" with "csh". When fingerd then exec'ed the command, that gave
you a shell running on the machine.

While it is certainly true that you can stomp on memory in static
buffers, it's not clear that you can execute whatever code you insert
there. If the buffer happens to be allocated off the stack (and the
stack grows down) then you can modify the return address. Of course,
you have to know the address of whatever code you want to execute. And
that code has to do something useful. Presumably, if there are two
bugs, one which lets you write over a static buffer and one for a buffer
allocated from the stack, then you could execute code of your choosing.
Of course, that also assumes that you can execute from the data area
which is not always true.
--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto | tomw@engr.sgi.com
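The static-buffer overwrite Tom describes, modelled as an added C example (not code from the message or from the original fingerd): a flat byte array stands in for the static data area, with the input buffer followed by the command-name constant, and an unbounded gets-style copy is shown beside the bounded read that would have kept the constant intact. The sizes and offsets are assumptions for illustration, not the real 1988 layout.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of fingerd's static data area: a fixed input buffer
 * followed in memory by the string constant naming the command to exec.
 * Offsets are assumptions for illustration, not the real 1988 layout. */
#define INPUT_SIZE 32
#define CMD_OFFSET INPUT_SIZE
#define DATA_SIZE  (CMD_OFFSET + 16)

struct static_data { char bytes[DATA_SIZE]; };

static void init_data(struct static_data *d) {
    memset(d->bytes, 0, DATA_SIZE);
    strcpy(d->bytes + CMD_OFFSET, "finger");   /* the command constant */
}

/* Vulnerable pattern: like gets(), copies the whole line with no bound,
 * so a long line spills past the input buffer into whatever follows. */
static void read_line_unbounded(struct static_data *d, const char *line) {
    size_t n = strlen(line);
    if (n >= DATA_SIZE) n = DATA_SIZE - 1;  /* keeps the model itself in bounds */
    memcpy(d->bytes, line, n);
    d->bytes[n] = '\0';
}

/* Hardened pattern: fgets-style bounded read, truncating at INPUT_SIZE-1. */
static void read_line_bounded(struct static_data *d, const char *line) {
    strncpy(d->bytes, line, INPUT_SIZE - 1);
    d->bytes[INPUT_SIZE - 1] = '\0';
}

/* Returns the command name the daemon would exec after handling `line`. */
const char *command_after_input(int bounded, const char *line) {
    static struct static_data d;
    init_data(&d);
    if (bounded) read_line_bounded(&d, line); else read_line_unbounded(&d, line);
    return d.bytes + CMD_OFFSET;
}

int main(void) {
    /* Constructed oversize line: INPUT_SIZE bytes of filler, then a new name. */
    char line[64];
    memset(line, 'A', INPUT_SIZE);
    strcpy(line + INPUT_SIZE, "csh");
    printf("unbounded read leaves command: %s\n", command_after_input(0, line));
    printf("bounded read leaves command:   %s\n", command_after_input(1, line));
    return 0;
}
```

The unbounded read reports `csh` and the bounded one `finger`, which is the whole difference between the two patterns: no code is executed from the buffer, only adjacent data is clobbered.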