Re: Debian Investigation Report after Server Compromises
>>>>> "Isaac" == Isaac To <kkto@csis.hku.hk> writes:
>>>>> "Paul" == Paul Morgan <paulswm@earthlink.net> writes:
Paul> With regard to your question 3, a buffer overflow exploit is
Paul> always a stack exploit and is designed to execute arbitrary code
Paul> with the called program's privilege.
Isaac> But this time it is an "integer overflow", not a "buffer
Isaac> overflow". The idea is that when brk() is called, the kernel
Isaac> forgot to check whether this will result in the memory map
Isaac> pasting the end of address space used for the processes. The
Isaac> problem is that after pasting the end of the address space, it
Isaac> starts to be the kernel space, mapping all the physical memory of
Isaac> the computer directly. I.e., it includes all the memory of the
Isaac> kernel and also all the memory of all other processes. Once you
Isaac> get to this point, it just requires a little bit more imagination
Isaac> before you can write to all the memory of the computer directly,
Isaac> skipping all the protection mechanisms of the kernel.
All the "pasting" should really be "passing"... stupid me, a non-native
English speaker...
Regards,
Isaac.
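An added illustration of the missing check Isaac describes, written for this page and not taken from the thread, from Isaac, or from any kernel source: a user-space model in C of a brk()-style heap-extension check, once without and once with a bound against the end of the user address space. TASK_SIZE is the usual 32-bit x86 3 GB user / 1 GB kernel split; the function names, the PAGE_SIZE alignment test and the deliberately simplified shape of both checks are this example's own assumptions.

```c
/* Added example: user-space model of a brk()-style range check.
 * Not kernel code; TASK_SIZE, PAGE_SIZE and the two check functions are
 * assumptions made for illustration. Compile: cc -Wall model.c */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE  0xC0000000u   /* first kernel address on a 3G/1G x86 split (assumed) */
#define PAGE_SIZE  0x1000u       /* assumed page size */

/* Model of the defect: the request's own shape is validated, but nothing
 * relates addr + len to the end of the user address space, so a range
 * ending inside kernel space, or one whose end wraps past 0xFFFFFFFF
 * (the integer overflow), is accepted. Returns 0 on accept, -errno on reject. */
static int do_brk_check_vulnerable(uint32_t addr, uint32_t len)
{
    if (len == 0)
        return 0;
    if (addr & (PAGE_SIZE - 1))
        return -EINVAL;
    return 0;
}

/* Model of the corrected check: reject a range that ends beyond TASK_SIZE,
 * and also one whose end wrapped around, which shows up as end < addr. */
static int do_brk_check_fixed(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;   /* 32-bit arithmetic: may wrap */

    if (len == 0)
        return 0;
    if (addr & (PAGE_SIZE - 1))
        return -EINVAL;
    if (end > TASK_SIZE || end < addr)
        return -EINVAL;
    return 0;
}

/* True when an accepted range would place at least one page at or above
 * TASK_SIZE, i.e. inside the kernel's direct mapping of physical memory. */
static int range_reaches_kernel(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;

    if (len == 0)
        return 0;
    return end > TASK_SIZE || end < addr;
}

int main(void)
{
    struct { uint32_t addr, len; const char *what; } cases[] = {
        { 0x08100000u, 0x00001000u, "ordinary heap growth" },
        { 0xBFFF0000u, 0x00010000u, "ends exactly at TASK_SIZE" },
        { 0xBFFF0000u, 0x00020000u, "crosses into kernel space" },
        { 0x08100000u, 0xFFF00000u, "addr + len wraps past 0xFFFFFFFF" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = cases[i].addr, l = cases[i].len;
        printf("%-34s vulnerable=%3d fixed=%3d reaches_kernel=%d\n",
               cases[i].what, do_brk_check_vulnerable(a, l),
               do_brk_check_fixed(a, l), range_reaches_kernel(a, l));
    }
    return 0;
}
```

The two rejected cases in the corrected check are exactly the two failure modes in Isaac's description: a range that passes the end of the user address space, and an end address that wrapped so that a naive `end > TASK_SIZE` test alone would not catch it.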