[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Investigation Report after Server Compromises

>>>>> "Paul" == Paul Morgan <paulswm@earthlink.net> writes:

    Paul> With regard to your question 3, a buffer overflow exploit is
    Paul> always a stack exploit and is designed to execute arbitrary code
    Paul> with the called program's privilege.

But this time it is an "integer overflow", not a "buffer overflow".  The
idea is that when brk() is called, the kernel forgot to check whether this
will result into the memory map pasting the end of address space used for
the processes.  The problem is that after pasting the end of the address
space, it starts to be the kernel space, mapping all the physical memory of
the computer directly.  I.e., it includes all the memory of the kernel and
also all the memory of all other processes.  Once you get to this point, it
just requires a little bit more imagination before you can write to all the
memory of the computer directly, skipping all the protection mechanism of
the kernel.

Regards,
Isaac.
Reply to: