In article <DF8qC9.4Cw@sgi.sgi.com>, "Vladimir Z. Nuri" <vznuri@netcom.com> writes:
> P.M. notes that anywhere there is a data-driven buffer overflow (which he
> suspects are all over Netscape) he can get code to execute anything he
> wants. This reminds me of the Morris internet worm that ran exactly the
> same way. It used a bug in the finger daemon that caused a string buffer
> overwrite (via strcpy, instead of strncpy) to execute customized code.
>
> My question: I have not seen the specifics of how this works. Does this
> require specialized knowledge of the native machine language on the host
> machine? Or is it just used to cause something like a core dump to get a
> command line or something like that?
I question the accuracy of this. The fingerd bug was that a string in the static data area was read in with gets which could be overflowed. At some point in memory after this input buffer was the string constant that stored the name of the finger command. What the Morris worm did was to overflow the input buffer and replace the string constant "finger" with "csh". When fingerd then exec'ed the command, that gave you a shell running on the machine.

While it is certainly true that you can stomp on memory in static buffers, it's not clear that you can execute whatever code you insert there. If the buffer happens to be allocated off the stack (and the stack grows down) then you can modify the return address. Of course, you have to know the address of whatever code you want to execute. And that code has to do something useful. Presumably, if there are two bugs, one which lets you write over a static buffer and one for a buffer allocated from the stack, then you could execute code of your choosing. Of course, that also assumes that you can execute from the data area which is not always true.

--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  -- Washington DC motto          | tomw@engr.sgi.com
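The static-buffer overwrite Tom describes, as an added C example that is not part of the thread or of the real fingerd source: a fixed-size request buffer sits immediately before the name of the program the service will exec, an unbounded copy (standing in for gets()/strcpy()) runs off the end of the buffer and lands on that name, and the service would then exec whatever the client supplied. Placing both fields in one struct is an assumption made so the adjacency is guaranteed rather than left to the linker; `unbounded_read`, `fingerd_vulnerable`, `fingerd_hardened` and `build_overflow` are hypothetical names, and nothing is actually executed, the functions only return the command name that would have been passed to exec().

```c
#include <stdio.h>
#include <string.h>

/* Layout modelled on the description above: the request buffer is followed
 * in static storage by the name of the command to exec. Putting both in one
 * struct is an assumption that guarantees the adjacency for this example. */
struct finger_state {
    char input[64];     /* request line read from the client */
    char command[16];   /* program name handed to exec() */
};

static struct finger_state svc;   /* static data area, as in fingerd */

/* Hypothetical stand-in for the unbounded gets()/strcpy() read: copies until
 * the NUL with no regard for the 64-byte input buffer. */
static void unbounded_read(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable service: handles `request` and returns the command name that
 * would be exec'ed afterwards. Requests longer than 63 bytes spill into
 * command[]; anything longer than the whole struct would corrupt whatever
 * follows it in memory. */
const char *fingerd_vulnerable(const char *request)
{
    memset(&svc, 0, sizeof svc);
    strcpy(svc.command, "finger");
    /* input is the first member, so (char *)&svc == svc.input; writing
     * through a char pointer to the whole object stays inside that object. */
    unbounded_read((char *)&svc, request);
    return svc.command;
}

/* Hardened service: bound the copy and refuse oversize requests outright
 * (silent truncation would still hide the attempted overflow). */
const char *fingerd_hardened(const char *request)
{
    memset(&svc, 0, sizeof svc);
    strcpy(svc.command, "finger");
    size_t n = strlen(request);
    if (n >= sizeof svc.input)
        return NULL;                    /* does not fit with its NUL: reject */
    memcpy(svc.input, request, n + 1);
    return svc.command;
}

/* Build the attack string: 64 filler bytes fill input[] exactly, so the
 * replacement command lands on command[] and its NUL terminates the copy. */
void build_overflow(char *out, size_t out_len, const char *new_cmd)
{
    if (out_len <= sizeof svc.input)
        return;
    memset(out, 'A', sizeof svc.input);
    snprintf(out + sizeof svc.input, out_len - sizeof svc.input, "%s", new_cmd);
}

int main(void)
{
    char attack[sizeof svc];            /* constructed input, fits the struct */
    build_overflow(attack, sizeof attack, "csh");

    printf("vulnerable: would exec \"%s\"\n", fingerd_vulnerable(attack));
    const char *h = fingerd_hardened(attack);
    printf("hardened:   %s\n", h ? h : "request rejected");
    printf("benign request would exec \"%s\"\n", fingerd_vulnerable("alice"));
    return 0;
}
```

The overflow here changes only data, which is the weaker of the two cases in the post: the attacker chooses what the program execs, but never executes bytes of their own. Overwriting a saved return address on the stack is the case that needs the target's native code and addresses, and is not something a portable example can show deterministically.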