1995-09-22 - Re: netscape bug

Header Data

From: "Perry E. Metzger" <perry@piermont.com>
To: tomw@cthulhu.engr.sgi.com
Message Hash: e37b3c2972118f59e43bb71523957ef6b41ee5c498f11f2d6355570b260cc1dc
Message ID: <199509220443.AAA02254@frankenstein.piermont.com>
Reply To: <199509212242.PAA04533@orac.engr.sgi.com>
UTC Datetime: 1995-09-22 04:43:51 UTC
Raw Date: Thu, 21 Sep 95 21:43:51 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 21 Sep 95 21:43:51 PDT
To: tomw@cthulhu.engr.sgi.com
Subject: Re: netscape bug
In-Reply-To: <199509212242.PAA04533@orac.engr.sgi.com>
Message-ID: <199509220443.AAA02254@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain

Tom Weinstein writes:
> While it is certainly true that you can stomp on memory in static
> buffers, it's not clear that you can execute whatever code you insert
> there.  If the buffer happens to be allocated off the stack (and the
> stack grows down) then you can modify the return address.  Of course,
> you have to know the address of whatever code you want to execute.

Let's say, Mr. Weinstein, that you shove some code onto the stack along
with the return address, and the address happens to be the code.

If you don't believe it can be done, it's easy enough to demonstrate it
on your machines, which I believe suffer from the syslog(3) bug, which
your company hasn't patched so far as I know, and which afflicts the
Sendmail daemons you ship with your machines. See the recent 8lgm bug
report if you want details.

> Of course, that also assumes that you can execute from the data area
> which is not always true.

It's usually true on modern machines -- it's very difficult to rig
things otherwise given the way that lots of the dynamic loading works
these days.
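The syslog(3) flaw referred to in the message was a fixed-size buffer filled by an unbounded formatting routine; whatever did not fit landed on the stack beyond the buffer. The following is an added illustration, not part of the original message or of any sendmail/syslog source: a bounded logging formatter that measures the message first and reports truncation instead of writing past the buffer. The function names, the 128-byte buffer size and the sample message are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size is constructed for the example; the point is that it is fixed. */
#define LOGBUF 128

/* Bytes the formatted message needs, excluding the NUL. The unbounded
 * routine never measured this before writing into its fixed buffer,
 * which is the defect behind the overflow. */
static int log_needed(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Bounded formatting: never writes past out[cap-1], always NUL-terminates,
 * and reports truncation so the caller can refuse or log the event.
 * Returns 1 if the message was cut, 0 if it fit, -1 on error. */
static int bounded_log(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (cap == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n >= cap ? 1 : 0;
}

/* Demo: a normal sender field fits; an oversized one is detected and cut
 * at LOGBUF-1 bytes rather than overrunning. Returns 1 if all checks hold. */
static int demo(void)
{
    char buf[LOGBUF];
    char big[300];                       /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (bounded_log(buf, sizeof buf, "sendmail[%d]: from=%s", 42, "user@example.org") != 0) return 0;
    if (log_needed("sendmail[%d]: from=%s", 42, big) <= LOGBUF) return 0;
    if (bounded_log(buf, sizeof buf, "sendmail[%d]: from=%s", 42, big) != 1) return 0;
    return strlen(buf) == LOGBUF - 1;
}

int main(void) { return demo() ? 0 : 1; }
```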