Scanning Formats (TIFF vs. JPEG)

Don THX1138 at dakotacom.net
Fri Aug 18 13:42:03 CDT 2006


David Holland wrote:
> 
> On Fri, 2006-08-18 at 17:59 +0000, Jules Richardson wrote:
> 
> 
>> As an aside: I've never quite understood these OS image vulnerabilities. 
>> Doesn't any modern OS provide sufficient protection such that a process can't 
>> just stomp all over memory at random? Unless the problem is just a Windows 
>> thing...
> 
> 
> No, it's more than just a Windows thing.
> 
> Most of the vulnerabilities I've read about (and understood) have been
> of the "trash the stack" sort. 
> 
> You hand off a specially crafted input source (be it an image, an HTTP
> post, or even a command-line argument).
> 
> That triggers some boundary condition in the routine which replaces the
> proper return address on the machine stack w/ your own specified
> address.   (Which is usually the address of some machine code you
> embedded in your input source.) 
> 
> Upon return from the routine, the process goes to your code, which does
> whatever...

Yes, but if your OS marked data segments as "no execute",
this problem would go away, right?

You would then be forcing the hacker to twiddle the stack in
the hopes of getting some *unintended* portion of *your*
code to execute -- but that code would have to reside in
a loaded TEXT segment (else it would be "no-execute")

Or, is there some *other* way around this that I haven't
anticipated?  :-(

> I've seen them work. The really interesting ones are somewhat difficult
> to come up with, but far from impossible.
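The mechanics being discussed above, as an added worked example that is not code from either poster: a toy model of a "trash the stack" overflow, then the no-execute point. The frame is modelled as a flat byte array (a 16-byte input buffer, the saved frame pointer, the saved return address, in the order a typical downward-growing stack lays them out), the copy routine has no bounds check, and a small NX model refuses any return address outside the loaded text region. Every address and region bound (TEXT_LO, STACK_LO, RET_ORIGINAL, EXISTING_FUNC) is a made-up constant for the model, not a real process layout, and the frame layout is simplified.

```c
/*
 * Added example (not from the thread): a model of a stack-smashing overflow
 * and of what a no-execute stack does and does not prevent.
 * All addresses and region bounds are hypothetical constants.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN   16
#define FP_OFF    BUF_LEN                        /* saved frame pointer    */
#define RET_OFF   (BUF_LEN + sizeof(uintptr_t))  /* saved return address   */
#define FRAME_LEN (RET_OFF + sizeof(uintptr_t))

/* Hypothetical address-space layout used by the model. */
#define TEXT_LO   0x00400000ULL   /* loaded program text: executable       */
#define TEXT_HI   0x00401000ULL
#define STACK_LO  0x7ffc0000ULL   /* stack: writable, marked no-execute    */
#define STACK_HI  0x7ffd0000ULL
#define RET_ORIGINAL  (TEXT_LO + 0x123)  /* where the callee should return  */
#define EXISTING_FUNC (TEXT_LO + 0x2a0)  /* an unintended routine in text   */

typedef struct { uint8_t bytes[FRAME_LEN]; } frame_t;

/* A fresh frame: empty buffer, plausible saved fp, legitimate return address. */
static void frame_init(frame_t *f) {
    uintptr_t fp = STACK_LO + 0x100, ret = RET_ORIGINAL;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + FP_OFF, &fp, sizeof fp);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

static uintptr_t frame_ret(const frame_t *f) {
    uintptr_t ret;
    memcpy(&ret, f->bytes + RET_OFF, sizeof ret);
    return ret;
}

/* Vulnerable routine: copies every input byte into the buffer, so anything
   past BUF_LEN lands on the saved frame pointer and then the return address.
   (Clipping at the frame's end only keeps the model well defined.) */
uintptr_t vulnerable_copy(const uint8_t *input, size_t len) {
    frame_t f;
    frame_init(&f);
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(f.bytes, input, len);      /* no check against BUF_LEN */
    return frame_ret(&f);             /* the address "ret" would jump to */
}

/* Fixed routine: rejects input that does not fit the buffer (returns 0). */
uintptr_t safe_copy(const uint8_t *input, size_t len) {
    frame_t f;
    frame_init(&f);
    if (len > BUF_LEN) return 0;
    memcpy(f.bytes, input, len);
    return frame_ret(&f);
}

/* Attacker payload: filler over the buffer and saved fp, then the chosen
   return address in place of the real one. */
size_t build_payload(uintptr_t target, uint8_t out[FRAME_LEN]) {
    memset(out, 'A', RET_OFF);
    memcpy(out + RET_OFF, &target, sizeof target);
    return FRAME_LEN;
}

/* NX model: control may only transfer into a page mapped executable. */
int nx_allows_jump(uintptr_t target) {
    return target >= TEXT_LO && target < TEXT_HI;
}

/* Where the vulnerable routine ends up returning for a given target. */
uintptr_t hijacked_return(uintptr_t target) {
    uint8_t payload[FRAME_LEN];
    size_t n = build_payload(target, payload);
    return vulnerable_copy(payload, n);
}

/* 1 if the bounded copy refuses the same payload outright. */
int safe_copy_stops_payload(uintptr_t target) {
    uint8_t payload[FRAME_LEN];
    size_t n = build_payload(target, payload);
    return safe_copy(payload, n) == 0;
}

int main(void) {
    /* Classic: return into code embedded in the input, i.e. on the stack. */
    uintptr_t r1 = hijacked_return(STACK_LO + 0x40);
    printf("ret -> %#llx, executable: %s\n", (unsigned long long)r1,
           nx_allows_jump(r1) ? "yes" : "no (NX blocks it)");
    /* With NX: return into an existing routine already in text instead. */
    uintptr_t r2 = hijacked_return(EXISTING_FUNC);
    printf("ret -> %#llx, executable: %s\n", (unsigned long long)r2,
           nx_allows_jump(r2) ? "yes" : "no (NX blocks it)");
    printf("bounded copy rejects payload: %s\n",
           safe_copy_stops_payload(EXISTING_FUNC) ? "yes" : "no");
    return 0;
}
```

The first scenario is the "jump to code you embedded in the input" case from the thread, and the NX model refuses it because the target lies in the stack region. The second scenario is the case the reply raises: the same overflow, but the overwritten return address points at a routine already in the loaded text, which NX cannot distinguish from a legitimate return. Only the bounded copy stops both, because the payload never reaches the return-address slot.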
