>>>>> "ks" == Kurt Seifried <bugtraqat_private> writes:

>> If I disable stack execution in Solaris 6 and 8, am I still
>> vulnerable to the SNMP vulnerability? Cert makes a comment to this
>> but it isn't clear. Either it stops stack smashing or it doesn't.
>> Any information would be appreciated.

ks> It stops some stack smashing, but not all. In Linux for example even with
ks> Solar Designer's OpenWall kernel patch, ImmunixOS addons and the like it's
ks> still possible to smash the stack.

This is a UNIX security problem, not an SNMP-specific problem.

The classic buffer overflow/stack smash attack stuffs too much data into a buffer that's stored in an automatic variable (on the stack). This overflows the stack frame pointer, the return address, and some data beyond. So the trick is to stuff the buffer such that the return address points to another part of the buffer that contains your freshly uploaded shellcode. If you stuff the buffer with random data, you send the program off to a random location, where it crashes in confusion. This is what many of the Oulu packets do.

Setting the stack pages to no-exec in the memory mapping hardware prevents the processor from jumping to parts of the stack and executing from there. However, the heap is still executable, as are other areas of memory. Using shared libraries, or combining this stack smashing attack with a heap overflow, the system is still vulnerable. The attacker would pre-load the shellcode into some heap variable, then smash the stack, and have the processor return to that variable. This is harder to do, but not impossible. And since it takes one smart hacker and a million idiots...

You'll always be able to crash it, regardless of the setting of no-exec-stack. There's not much you can do to protect the return value on the stack (bounds checking, but if you did that, you wouldn't be vulnerable in the first place). no-exec-stack will just prevent the attacker from running shellcode in the stack.
You are still vulnerable to DoS. You are less vulnerable to remote root. Enable no-exec-stack, and patch now.

ericb
--
Eric Brandwine         | Failing organizations are usually over-managed and
UUNetwork Security     | under-led.
ericbat_private        | +1 703 886 6038 |                 - Warren G. Bennis
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
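The following is an added illustration of the two points in Eric's reply; it is not code from his message or from any SNMP agent. It shows the "before" pattern he describes (a wire-supplied length driving a copy into an automatic buffer) next to a bounds-checked form, using a constructed one-byte-length field that stands in for an SNMP community string. The buffer size, result codes and sample datagrams are assumptions chosen for the example. The point it makes concrete: no-exec-stack only stops shellcode from running off the stack, while the bounded parser rejects the oversized field before any copy, so it removes both the code-execution path and the crash.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed limit: largest community string accepted, including the NUL. */
#define COMMUNITY_MAX 64

/* Result codes for the bounded parser (names are this example's own). */
enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_PACKET,   /* length byte claims more data than the packet holds */
    PARSE_TOO_LONG        /* claimed length would not fit the stack buffer */
};

/* "Before" form: the pattern described in the post.  The sender's length
 * byte drives a copy into an automatic variable with no comparison against
 * the buffer size, so a long field overwrites the saved frame pointer and
 * return address that sit above `community` in the frame.  Kept only for
 * side-by-side comparison; never feed it untrusted data. */
static int parse_community_unbounded(const unsigned char *pkt, size_t pkt_len)
{
    char community[COMMUNITY_MAX];
    size_t n;

    if (pkt_len < 1)
        return -1;
    n = pkt[0];                       /* trusted straight from the wire */
    memcpy(community, pkt + 1, n);    /* writes past the buffer when n >= 64 */
    community[n] = '\0';
    return (int)strlen(community);
}

/* "After" form: every length taken from the wire is checked against both the
 * bytes actually received and the size of the destination before any copy.
 * Oversized input is rejected rather than truncated, so a malformed datagram
 * can neither smash the stack nor crash the daemon. */
static enum parse_result parse_community_bounded(const unsigned char *pkt,
                                                 size_t pkt_len,
                                                 char *out, size_t out_len)
{
    size_t n;

    if (pkt_len < 1 || out_len == 0)
        return PARSE_SHORT_PACKET;
    n = pkt[0];
    if (n > pkt_len - 1)              /* would read beyond the datagram */
        return PARSE_SHORT_PACKET;
    if (n >= out_len)                 /* would write beyond the buffer */
        return PARSE_TOO_LONG;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic). */
static const unsigned char PKT_PUBLIC[] = { 6, 'p', 'u', 'b', 'l', 'i', 'c' };
/* Length byte says 50 bytes follow, but only 5 do. */
static const unsigned char PKT_SHORT[]  = { 50, 'a', 'b', 'c', 'd', 'e' };

/* Builds a well-formed datagram whose field is n bytes of 'A' (n <= 255)
 * and runs it through the bounded parser. */
static enum parse_result check_field_len(size_t n)
{
    unsigned char pkt[256];
    char out[COMMUNITY_MAX];

    pkt[0] = (unsigned char)n;
    memset(pkt + 1, 'A', n);
    return parse_community_bounded(pkt, n + 1, out, sizeof out);
}

static enum parse_result check_short(void)
{
    char out[COMMUNITY_MAX];
    return parse_community_bounded(PKT_SHORT, sizeof PKT_SHORT, out, sizeof out);
}

/* Returns 1 when the bounded parser accepts the sample and yields "public". */
static int check_public_name(void)
{
    char out[COMMUNITY_MAX];
    if (parse_community_bounded(PKT_PUBLIC, sizeof PKT_PUBLIC,
                                out, sizeof out) != PARSE_OK)
        return 0;
    return strcmp(out, "public") == 0;
}

int main(void)
{
    printf("public      -> %s\n", check_public_name() ? "accepted" : "rejected");
    printf("63 x 'A'    -> %d (0 = ok)\n", check_field_len(63));
    printf("64 x 'A'    -> %d (2 = too long)\n", check_field_len(64));
    printf("200 x 'A'   -> %d (2 = too long)\n", check_field_len(200));
    printf("short pkt   -> %d (1 = short packet)\n", check_short());
    return 0;
}
```

The boundary is deliberately `n >= out_len`: a 63-byte field plus its terminator exactly fills the 64-byte buffer, while 64 bytes would put the NUL one past the end, which is the same off-by-one that turns a "safe" copy into a frame corruption.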
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 14:44:33 PST