
Re: Debian Investigation Report after Server Compromises



>>>>> "Isaac" == Isaac To <kkto@csis.hku.hk> writes:

>>>>> "Paul" == Paul Morgan <paulswm@earthlink.net> writes:
    Paul> With regard to your question 3, a buffer overflow exploit is
    Paul> always a stack exploit and is designed to execute arbitrary code
    Paul> with the called program's privilege.

    Isaac> But this time it is an "integer overflow", not a "buffer
    Isaac> overflow".  The idea is that when brk() is called, the kernel
    Isaac> forgot to check whether this will result into the memory map
    Isaac> pasting the end of address space used for the processes.  The
    Isaac> problem is that after pasting the end of the address space, it
    Isaac> starts to be the kernel space, mapping all the physical memory of
    Isaac> the computer directly.  I.e., it includes all the memory of the
    Isaac> kernel and also all the memory of all other processes.  Once you
    Isaac> get to this point, it just requires a little bit more imagination
    Isaac> before you can write to all the memory of the computer directly,
    Isaac> skipping all the protection mechanism of the kernel.

All the "pasting" should really be "passing"... stupid me, a non-native English
speaker...

Regards,
Isaac.
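The check Isaac describes the kernel as having forgotten can be modelled in a few lines. The following is an added illustration written for this archive page; it is not Isaac's code and not the kernel's do_brk(), and it assumes the classic 32-bit i386 Linux layout in which user space ends at 3 GiB (TASK_SIZE_32 = 0xC0000000) and everything above it is kernel space. It puts an unchecked brk-style range validator beside a checked one, so you can see both failure modes the post alludes to: a range whose end lands above the user/kernel boundary, and a range whose 32-bit end wraps around below its start.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit i386 Linux split: user space below 3 GiB, kernel space
   (including the direct mapping of physical memory) above it. This constant
   is an assumption for the illustration, not taken from the mailing-list post. */
#define TASK_SIZE_32 0xC0000000u

/* Outcome of a simulated "extend the data segment to [addr, addr+len)" request. */
enum brk_result { BRK_OK = 0, BRK_EINVAL = 1 };

/* Unchecked variant, modelling the bug as described: it trusts addr + len and
   only rejects an empty request. Arithmetic is 32-bit, so a huge len wraps. */
static enum brk_result brk_unchecked(uint32_t addr, uint32_t len, uint32_t *end)
{
    uint32_t new_end = addr + len;
    if (len == 0)
        return BRK_EINVAL;
    *end = new_end;
    return BRK_OK;
}

/* Checked variant: rejects a range whose end wrapped around (integer overflow)
   and a range that would cross the user/kernel boundary. Both checks are
   needed; the wraparound check alone would let 0xBFF00000 + 0x00200000 through. */
static enum brk_result brk_checked(uint32_t addr, uint32_t len, uint32_t *end)
{
    uint32_t new_end = addr + len;
    if (len == 0)
        return BRK_EINVAL;
    if (new_end < addr)           /* wrapped past 2^32: overflow */
        return BRK_EINVAL;
    if (new_end > TASK_SIZE_32)   /* would map kernel addresses */
        return BRK_EINVAL;
    *end = new_end;
    return BRK_OK;
}

/* Would the accepted range [addr, end) cover kernel addresses? A wrapped end
   (end < addr) means the range runs up through 2^32, i.e. all of kernel space. */
static int maps_kernel_space(uint32_t addr, uint32_t end)
{
    return end > TASK_SIZE_32 || end < addr;
}

/* Convenience: does the unchecked path accept a request that reaches kernel space? */
static int unchecked_reaches_kernel(uint32_t addr, uint32_t len)
{
    uint32_t end = 0;
    return brk_unchecked(addr, len, &end) == BRK_OK && maps_kernel_space(addr, end);
}

int main(void)
{
    /* Constructed requests: a normal heap growth, one that straddles the
       3 GiB boundary, and one whose length wraps the 32-bit end pointer. */
    struct { uint32_t addr, len; const char *what; } req[] = {
        { 0x08050000u, 0x00001000u, "ordinary heap growth" },
        { 0xBFF00000u, 0x00200000u, "end crosses into kernel space" },
        { 0x08050000u, 0xFFFFFFF0u, "length wraps end below start" },
    };
    for (unsigned i = 0; i < sizeof req / sizeof req[0]; i++) {
        uint32_t e1 = 0, e2 = 0;
        enum brk_result r1 = brk_unchecked(req[i].addr, req[i].len, &e1);
        enum brk_result r2 = brk_checked(req[i].addr, req[i].len, &e2);
        printf("%-32s unchecked=%s (end 0x%08x, kernel=%d)  checked=%s\n",
               req[i].what,
               r1 == BRK_OK ? "OK" : "EINVAL", e1,
               r1 == BRK_OK ? maps_kernel_space(req[i].addr, e1) : 0,
               r2 == BRK_OK ? "OK" : "EINVAL");
    }
    return 0;
}
```

The point of the two separate tests in brk_checked() is that a boundary comparison alone does not catch the wrapped case (0x0804FFF0 is comfortably below 3 GiB), and an overflow check alone does not catch a range that ends just above the boundary without wrapping.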


