RE: OpenUNIX 8 & Unixware possible local root

From: Lamont Granquist (lamontat_private)
Date: Thu Oct 04 2001 - 11:57:26 PDT


    On Tru64 the stack should be non-exec for processes running as root or
    running suid root.  This was addressed by the following support patch:
    
    http://ftp1.support.compaq.com/public/Digital_UNIX/v4.0c/ssrt0583q_40c_bl11.html
    
    All of the 5.x versions of Tru64 should have this running by default.
    
    And unlike x86, the non-exec protections on the stack appear to mean
    something.  On the Alpha chips you pass arguments by register instead of
    on the stack, so it's much more difficult to craft a non-exec-stack buffer
    overflow exploit.
    
    It would be interesting to see if any of these buffer overflows will get
    you an 0x4141414141414141 when you fire up gdb on the core image.  It
    would also be interesting to see if you could actually make a working
    exploit.  I audited 4.0D a long, long time ago and found a lot of programs
    that would dump core on the command line, but just doing the 0x41... test
    with gdb didn't give me any luck (not that these aren't exploitable, but I
    didn't put any effort into it...)
    
    On Wed, 3 Oct 2001, Bob Dog wrote:
    > This also works for the following on Tru64 5.1;
    >
    > $ /usr/dt/bin/dtaction `perl -e 'print "A"x8203'`
    > Memory fault(coredump)
    >
    > $ /usr/dt/bin/dtprintinfo -session `perl -e 'print
    > "A"x8203'`
    > Memory fault(coredump)
    >
    > All of these; dtterm, dtaction and dtprintinfo
    > are SUID root by default.
    
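The pattern behind the "Memory fault(coredump)" reports above, shown as an added example that is not code from this post, from CDE, or from Tru64: a fixed-size stack buffer filled from a command-line argument without a length check, beside the bounded version that rejects the 8203-byte input instead of overrunning. The 256-byte buffer size and the helper names are assumptions chosen to mirror the quoted reports, not anything from dtaction's or dtprintinfo's real source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the original post, from CDE, or from
 * Tru64. It models the pattern behind "Memory fault(coredump)" on an
 * oversize argument and the bounds check that prevents it. The buffer
 * size (256) and the 8203-byte input are assumptions chosen to mirror
 * the quoted reports, not dtaction's real source. */

#define ARG_BUF 256         /* assumed fixed-size stack buffer */
#define CRASH_ARG_LEN 8203  /* length used in the quoted perl one-liner */

/* Vulnerable form: the argument is copied into a fixed stack buffer with
 * no length check. With CRASH_ARG_LEN bytes of 'A' this overruns buf and,
 * on a 64-bit target, is what leaves 0x4141414141414141 in the saved
 * return address that the gdb test in the post looks for.
 * Never called with oversize input here; it exists to show the defect. */
int unsafe_handle_arg(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);              /* unbounded copy: the bug */
    return (int)strlen(buf);
}

/* Length of s, scanning at most limit bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject anything that does not fit, including its NUL,
 * then copy exactly n+1 bytes so out is always terminated.
 * Returns the copied length, or -1 if the argument was rejected. */
int safe_handle_arg(const char *arg, char *out, size_t outlen)
{
    size_t n;
    if (outlen == 0)
        return -1;
    n = bounded_len(arg, outlen);
    if (n == outlen)               /* no NUL inside outlen bytes: too long */
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* Constructed input: len bytes of 'A' plus NUL, like perl's "A"x8203. */
static char *make_a_string(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Hardened handler against the 8203-byte argument: expect rejection. */
int demo_oversize_rejected(void)
{
    char out[ARG_BUF];
    char *arg = make_a_string(CRASH_ARG_LEN);
    int rc;
    if (arg == NULL)
        return -2;
    rc = safe_handle_arg(arg, out, sizeof out);
    free(arg);
    return rc;                     /* -1: rejected, no overflow */
}

/* Hardened handler against a short argument: expect a normal copy. */
int demo_short_accepted(void)
{
    char out[ARG_BUF];
    int rc = safe_handle_arg("hello", out, sizeof out);
    if (rc != 5 || strcmp(out, "hello") != 0)
        return -2;
    return rc;                     /* 5 */
}

/* Boundary: exactly ARG_BUF-1 bytes fits, ARG_BUF bytes does not. */
int demo_boundary(void)
{
    char out[ARG_BUF];
    char *fits = make_a_string(ARG_BUF - 1);
    char *toolong = make_a_string(ARG_BUF);
    int ok = 0;
    if (fits && toolong)
        ok = safe_handle_arg(fits, out, sizeof out) == ARG_BUF - 1 &&
             safe_handle_arg(toolong, out, sizeof out) == -1;
    free(fits);
    free(toolong);
    return ok;                     /* 1 */
}

int main(void)
{
    printf("oversize: %d\n", demo_oversize_rejected());
    printf("short:    %d\n", demo_short_accepted());
    printf("boundary: %d\n", demo_boundary());
    return 0;
}
```

The bounded version checks for the terminator within the buffer's own size before copying, so an argument of exactly the buffer length is rejected rather than silently truncated or left unterminated; for a SUID program that is the check whose absence turns a long argv entry into a core dump in the first place.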



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 16:22:13 PDT