Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds
Brandon S. Allbery KF8NH
Tue, 04 Aug 1998 21:23:03 -0300
In message <>,
| On Wed, 5 Aug 1998, Geert Uytterhoeven wrote:
| > On Tue, 4 Aug 1998 wrote:
| > > As for changing the address to someplace in libc, couldn't we relocate
| > > all libs so that they have a null byte in their address?
| > What are you trying to achieve with this? Sorry, I don't get it.
| The copy routines that people exploit copy null terminated strings. So the
| exploiter must make their exploit code void of null characters, because
| sending one will stop the copy. If you make it tougher to form a pointer
| to those 'bad' functions without using null characters then it makes their
| job harder.
So they do two copies instead of one, with the second placing the NUL where
it's wanted. I see no major improvement here.
