Re: Non-executable stack patch

linux kernel account (linker@nightshade.ml.org)
Tue, 10 Jun 1997 18:20:02 -0400 (EDT)


On Tue, 10 Jun 1997, Solar Designer wrote:

> Hello!
>
> Well, there's a similar idea which I already implemented, and which I like
> better (since people need characters like 0xab allowed).
>
> It is to map libc at 0x00001000+ so there's always a zero byte in the
> address. That way it's not possible to pass any parameters to the function
> being called, since in most cases you have to overflow with an ASCIIZ string.
> And even if there's a suitable function with no parameters, you would have to
> overwrite the return address only, not fill with a pattern (unfortunately
> x86s are little endian, so the address itself can be put in ASCIIZ; it will
> terminate the string though).
>
> Here goes a dirty kernel patch for mmap(), use it in addition to my
> non-executable stack patch. Warning: this is x86-only, I should make a
> #define in some architecture-specific includes in the real patch instead.
>

Hey... I like the non-exec/and libcremap patch.. There have been a lot of
arguments against them.. One of them is that some people feel this will
give people a false sense of security.. One could make the same claim
about firewalls and packet filters.. This discussion could go on ad
infinitum... The fact is that in the real world there are uninformed and
careless admins who will not protect themselves and there are sharp minded
people who will.. These patches will give the informed more resistance to
mistake and give the uninformed silent protection against some attacks.. If
we can limit attacks in any way as long as it doesn't hurt performance
then we've done something good.. If it's a compile time option then who
can complain... Although it only works on x86, that should not prohibit
its inclusion as it is not a part of the fundamental design of linux..

So to further show my support of these measures I offer $20 (minus
whatever cost it takes me to get it to you) to the first person to email
root@nightshade.ml.org with:

1) A buffer overflow exploit that works on any revision of any normal
distribution of linux (i.e. slackware/debian/redhat/caldera) that has had
both these patches applied properly and configured properly. The exploit
must be able to give someone with normal user access a root shell.

and

2) A normal program that this patch breaks along with an explanation of
why it breaks them. Programs which use VM86 do not apply (dosemu). The
program must be available (either commercial or pref. ftp-able) (i.e. it
cannot be something designed for the sole reason of dying with this patch).
Furthermore the program cannot be x86-specific (a person with the source
could compile it on an alpha or other linux running platform without
modification).

Note, this offer expires one month from this date or if these patches are
included as a kernel option.

Anyone finding a kernel level solution to fixing VM86 stuff while still
keeping the second patch's functionality will win the applause of the
mailing list (but no money, I'd prefer to keep my money). :) Userspace
patches (i.e. dosemu mods) would not be so nice..

> Signed,
> Solar Designer

Sincerely,
Gregory Maxwell
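The mechanism Solar Designer describes in the quoted text (libc mapped at 0x00001000 and up, so every address into it carries a zero byte, and an ASCIIZ copy stops at that byte before any parameters can follow the return address) can be checked in a few lines. The C below is an added example written for this archive page; it is not code from the thread, from the non-executable stack patch, or from the mmap() patch. The libc base and mapping size are assumed values for illustration, and the 16-byte "frame" is a constructed string, not any real program's stack layout.

```c
/* Added example: why a libc mapped below 0x01000000 resists ASCIIZ-based
 * return-into-libc. Every 32-bit address in such a mapping has a zero
 * most-significant byte, and a string copy stops at the first zero byte. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LOW_LIBC_BASE   0x00001000u   /* assumed base, as in the quoted idea */
#define LOW_LIBC_LEN    0x00100000u   /* assumed mapping size (1 MiB) */
#define NUL_GUARD_LIMIT 0x01000000u   /* every address below this has a 0x00 byte */

/* Does the 32-bit little-endian encoding of addr contain a zero byte? */
int addr_has_nul_byte(uint32_t addr) {
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* True if every address in [base, base+len) contains a zero byte.
 * A mapping that ends below NUL_GUARD_LIMIT qualifies without scanning;
 * anything higher is checked address by address. */
int range_is_nul_guarded(uint32_t base, uint32_t len) {
    if (len == 0 || UINT32_MAX - base < len - 1)
        return 0;                        /* empty range or address wrap-around */
    uint32_t end = base + (len - 1);     /* last address, inclusive */
    if (end < NUL_GUARD_LIMIT)
        return 1;
    for (uint32_t a = base; ; a++) {
        if (!addr_has_nul_byte(a))
            return 0;
        if (a == end)
            break;
    }
    return 1;
}

/* Number of bytes a strcpy-style ASCIIZ copy transfers from buf before
 * it stops at the first zero byte; n is the buffer length. */
size_t asciiz_copy_len(const uint8_t *buf, size_t n) {
    size_t i = 0;
    while (i < n && buf[i] != 0)
        i++;
    return i;
}

/* Constructed 16-byte string: 8 filler bytes, a 4-byte little-endian
 * address, then a 4-byte argument. Returns 1 if an ASCIIZ copy would
 * deliver the argument bytes intact, 0 if the copy stops before them. */
int argument_survives_copy(uint32_t target, uint32_t arg) {
    uint8_t frame[8 + 4 + 4];
    memset(frame, 'A', 8);
    for (int i = 0; i < 4; i++) {
        frame[8 + i]  = (uint8_t)(target >> (8 * i));  /* x86 little-endian */
        frame[12 + i] = (uint8_t)(arg >> (8 * i));
    }
    return asciiz_copy_len(frame, sizeof frame) >= sizeof frame;
}

int main(void) {
    printf("libc at 0x%08x (+0x%x): every address NUL-guarded = %d\n",
           LOW_LIBC_BASE, LOW_LIBC_LEN,
           range_is_nul_guarded(LOW_LIBC_BASE, LOW_LIBC_LEN));
    printf("argument after low address 0x00001234 survives copy = %d\n",
           argument_survives_copy(0x00001234u, 0x41414141u));
    printf("argument after high address 0x4001a234 survives copy = %d\n",
           argument_survives_copy(0x4001a234u, 0x41414141u));
    return 0;
}
```

The scan in range_is_nul_guarded also covers the caveat in the quoted text: the guarantee is a property of the whole mapping, so a library placed at a conventional high address (0x40000000 and up in that era) contains plenty of addresses with no zero byte at all, and the check returns 0 for such a range.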