[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: non-executable stack (via PT_GNU_STACK) not being enforced

In this case, the target of my clobbered return address is on the stack (in the stack local character buffer), so this is exactly what NX/XD is intended to prevent.

-----Original Message-----
From: Michael Loftis <mloftis@wgops.com>
To: debian-security@lists.debian.org
Sent: Sun, Oct 10, 2010 1:08 pm
Subject: Re: non-executable stack (via PT_GNU_STACK) not being enforced

--On Sunday, October 10, 2010 9:53 AM -0400 Brchk05 <brchk05@aim.com> wrote: 

> I am running Debian 2.6.26-21lenny4 and I am puzzled by an issue with the 
> enforcement of page permissions. I have written a simple program with a 
> basic buffer overflow and compiled two versions using gcc: one with -z 
> execstack and another with -z noexecstack. 

I could be wrong as I haven't looked at the whole NX/XD thing in detail, been a while since I've actively done anything of the sort, but, it would seem to me smashing is not the same as executing on the stack necessarily. Overwriting/changing returns on the stack via a smash, or clobbering code via a smash won't be affected by non executable stack, since that's just changing stack variables, now if your code section is also non-writable, and your heap is non-executable, you're further protected but you can still do a return to libc attack. Wikipedia talks about this <http://en.wikipedia.org/wiki/Stack_buffer_overflow#Nonexecutable_stack
-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org 
Archive: http://lists.debian.org/2CCC3B7FE7647C824EB6F067@[

Reply to: