Date: Tue Apr 12 22:45:34 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: linux bugs (survival stories)?

On Tue, 12 Apr 2005 21:20:03 -0000, Eduardo Tongson said:

> Stuff like for example circumventing noexec flags on mounted filesystems
> still is trivial even with the latest and development versions of the
> linux kernel

"like for example" is always a bad way to discuss things, because it's unclear what exactly you're talking about. ;)

Now, going with specifics... The last really big "trivial" issue with bypassing noexec on mounted filesystems was closed by a patch from Ulrich Drepper in 2.6.0 - basically forcing you to mmap() the binary in and then mprotect() it to add the exec flag.

And at *that* point, it gets ugly, because even if you stop them from calling mprotect() to get it executable, they can still use some variant of "unexec()" (see the Emacs/XEmacs source tree) to dump it out, twiddle the headers, and then exec() it off some other file system.

So what specific issue with noexec are *you* thinking of, and what is your proposed fix for it?
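Added example, not part of the original message or of any kernel source: a small C probe for checking noexec enforcement on a running system. It reports whether the kernel refuses a direct PROT_EXEC mmap() of a file and whether it refuses a later mprotect() upgrade, the two steps the message mentions. The function name and DENY_* flags are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define DENY_MMAP_EXEC 1 /* mmap(PROT_READ|PROT_EXEC) was refused */
#define DENY_MPROTECT  2 /* mprotect() could not add PROT_EXEC afterwards */
/* Hypothetical helper: returns a bitmask of DENY_* flags for the file at
 * path, or -1 if the file cannot be opened, is empty, or cannot be mapped. */
int probe_exec_mapping(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_size == 0) {
        close(fd);
        return -1;
    }
    size_t len = (size_t)st.st_size;
    int result = 0;

    /* Path 1: request an executable mapping directly. */
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED)
        result |= DENY_MMAP_EXEC;
    else
        munmap(p, len);

    /* Path 2: map read-only first, then try to add the exec flag. */
    p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return -1;
    }
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        result |= DENY_MPROTECT;
    munmap(p, len);
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    /* Pass a file that lives on the mount being audited. */
    int r = probe_exec_mapping(argc > 1 ? argv[1] : "/proc/self/exe");
    if (r < 0) { fprintf(stderr, "cannot probe file\n"); return 2; }
    printf("direct PROT_EXEC mmap: %s\nmprotect upgrade: %s\n",
           (r & DENY_MMAP_EXEC) ? "denied" : "allowed",
           (r & DENY_MPROTECT) ? "denied" : "allowed");
    return 0;
}
```

On a mount where noexec is enforced for mappings, both lines should read "denied"; "allowed" for either one on such a mount is worth investigating.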