* Possible exploit potential in dosemu.
@ 2006-10-19 11:27 James Courtier-Dutton
2006-10-23 12:31 ` Bart Oldeman
0 siblings, 1 reply; 3+ messages in thread
From: James Courtier-Dutton @ 2006-10-19 11:27 UTC (permalink / raw)
To: linux-msdos
The dosemu binary has a rwx stack segment, so this means that
instructions can be placed on the stack and executed.
This makes it a lot easier to exploit than in the stack was rw-
This is detected with the following tool:
/src/dosemu-1.3.3 $ scanelf -Req *
RWX --- --- 1.3.3.0/bin/dosemu.bin
!WX --- --- src/env/video/remap_asm.o
!WX --- --- src/env/video/vesabios_pm.o
What this means is that the dosemu.bin file is RWX stack.
The source objects src/env/video/remap_asm.o and
src/env/video/vesabios_pm.o cause this.
Please refer to the following URL for an explanation.
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
I think option (3) is the cause, and can be fixed by adding the
following to the end of the two source files:
#ifdef __ELF__
.section .note.GNU-stack,"",%progbits
#endif
This will indicate to the gnu assembler that an executable stack is not
required.
I hope this helps
Kind Regards
James
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Possible exploit potential in dosemu.
2006-10-19 11:27 Possible exploit potential in dosemu James Courtier-Dutton
@ 2006-10-23 12:31 ` Bart Oldeman
2006-10-23 15:52 ` James Courtier-Dutton
0 siblings, 1 reply; 3+ messages in thread
From: Bart Oldeman @ 2006-10-23 12:31 UTC (permalink / raw)
To: James Courtier-Dutton; +Cc: linux-msdos
On 10/19/06, James Courtier-Dutton <James@superbug.co.uk> wrote:
> The dosemu binary has a rwx stack segment, so this means that
> instructions can be placed on the stack and executed.
> This makes it a lot easier to exploit than in the stack was rw-
>
> The source objects src/env/video/remap_asm.o and
> src/env/video/vesabios_pm.o cause this.
There were actually a few other files too, namely the 16bit bios.o and
vesabios.o files; those were not found by the tool you referred too.
Not surprisingly because they were linked in a strange way.
It's been corrected in SVN changes 1622 and 1623.
Thanks,
Bart
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Possible exploit potential in dosemu.
2006-10-23 12:31 ` Bart Oldeman
@ 2006-10-23 15:52 ` James Courtier-Dutton
0 siblings, 0 replies; 3+ messages in thread
From: James Courtier-Dutton @ 2006-10-23 15:52 UTC (permalink / raw)
To: Bart Oldeman; +Cc: linux-msdos
Bart Oldeman wrote:
> On 10/19/06, James Courtier-Dutton <James@superbug.co.uk> wrote:
>> The dosemu binary has a rwx stack segment, so this means that
>> instructions can be placed on the stack and executed.
>> This makes it a lot easier to exploit than in the stack was rw-
>>
>> The source objects src/env/video/remap_asm.o and
>> src/env/video/vesabios_pm.o cause this.
>
> There were actually a few other files too, namely the 16bit bios.o and
> vesabios.o files; those were not found by the tool you referred too.
> Not surprisingly because they were linked in a strange way.
>
> It's been corrected in SVN changes 1622 and 1623.
>
> Thanks,
> Bart
Thank you. It is an easy thing to fix, and makes it considerably more
difficult for a cracker to develop and exploit.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-10-23 15:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-19 11:27 Possible exploit potential in dosemu James Courtier-Dutton
2006-10-23 12:31 ` Bart Oldeman
2006-10-23 15:52 ` James Courtier-Dutton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox