Re: non-executable stack on alpha (was Re: Security in general ..)

From: Frank van Maarseveen (F.vanMaarseveen@inter.NL.net)
Date: Fri Apr 21 2000 - 14:22:18 EST


On Thu, Apr 20, 2000 at 08:37:53PM +0400, Ivan Kokshaysky wrote:
> On Tue, Apr 18, 2000 at 09:42:53AM -0400, Michael H. Warfield wrote:
> > Smash the stack so the function returns back into the system()
> > function with the parameter pointing at that string and it's game over.
> > The attacker now can have as many shells on your system as he wants
> > and you didn't execute a single byte of code on the stack.
> >
> I don't see how this could be exploited on alpha, where a function takes
> its first 6 arguments from registers, not from the stack.

Suppose the caller passes stack addresses via registers or the current
function loads registers with stack addresses for whatever reasons
(e.g. other calls). In that case one only has to modify the area which
is pointed to by the register via the buffer overflow mechanism itself.
Of course one needs to know the register contents at that point but
standardized software distributions will help in determining this.

-- 
Frank
