To: Ingo Molnar
Cc: linux-kernel@vger.kernel.org
Subject: Re: [Announcement] "Exec Shield", new Linux security feature
From: Andi Kleen
Date: 04 May 2003 17:48:39 +0200

Ingo Molnar writes:
>
> ie. if the binary anywhere has code that does:
>
> 	system("/bin/sh")

You just need system(char *arg) { ... } (= in every libc). Then put
/bin/sh somewhere and a pointer to it on the stack as argument and overwrite
some return address on the stack to jump to it.

-Andi
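
The point of the reply, seen from the defender's side, as an added example that is not part of the original message: a process whose stack is non-executable still has libc's code mapped executable, whether or not the binary itself calls system(). The maps listing is constructed, and `summarize_maps` and `struct map_summary` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format; not from the original mail. */
static const char SAMPLE_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /usr/bin/daemon\n"
    "0804c000-0804d000 rw-p 00003000 03:01 1234 /usr/bin/daemon\n"
    "40000000-40015000 r-xp 00000000 03:01 5678 /lib/ld-2.3.2.so\n"
    "40020000-40150000 r-xp 00000000 03:01 5679 /lib/libc-2.3.2.so\n"
    "40150000-40155000 rw-p 00130000 03:01 5679 /lib/libc-2.3.2.so\n"
    "bfffe000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

struct map_summary {
    int exec_file_regions; /* executable, file-backed mappings */
    int libc_exec_regions; /* of those, how many belong to libc */
    int stack_exec;        /* 1 if [stack] is mapped executable */
};

/* Hypothetical helper: summarise a maps listing held in a string. */
static struct map_summary summarize_maps(const char *maps)
{
    struct map_summary s = {0, 0, 0};
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        char line[512], perms[5] = "", path[256] = "";
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';
        maps += len + (maps[len] == '\n');
        /* fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%*x-%*x %4s %*x %*s %*u %255[^\n]", perms, path) < 1)
            continue;
        int exec = perms[2] == 'x';
        if (strcmp(path, "[stack]") == 0)
            s.stack_exec = exec;
        else if (exec && path[0] == '/') {
            s.exec_file_regions++;
            if (strstr(path, "/libc"))
                s.libc_exec_regions++;
        }
    }
    return s;
}

int main(void)
{
    struct map_summary s = summarize_maps(SAMPLE_MAPS);
    printf("stack executable: %d, executable file mappings: %d (libc: %d)\n",
           s.stack_exec, s.exec_file_regions, s.libc_exec_regions);
    return 0;
}
```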