Classic Unix Security Problems
void b (int a) { char line[50]; gets(line); ... }
gets reads a line from standard input into line
If the input line is more than 49 characters long, gets writes past the end of line
It may scribble junk onto the stack
The attacker can send this program a long line
The line contains a bunch of binary garbage that is interpreted as machine instructions
In particular, it is calculated to overwrite the return address on the stack
The overwritten return address tells b to return into the new instructions
The attacker has just taken control of this process
This strategy was used by the 1988 "Morris Worm"
Attacked fingerd, which used gets
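The bounded replacement for the gets(line) call above, as an added example that is not from the original slides: fgets never stores more than the buffer holds, and the helper reports an over-long line and discards its tail so the next read starts on a line boundary. The names read_line, LINE_SIZE, result and demo are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#define LINE_SIZE 50  /* same size as line[] on the slide */

/* Hypothetical helper (not from the talk): bounded replacement for gets().
 * Returns 0 = whole line read, 1 = line too long (kept the first size-1
 * characters, discarded the rest), -1 = EOF or error before any data. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';               /* strip the newline */
        return 0;
    }
    int c = getc(in);                      /* what follows the stored part? */
    if (c == EOF || c == '\n')
        return 0;                          /* line fit exactly */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                                  /* drop the excess, stay in sync */
    return 1;
}

struct result { int rc_long, rc_short; size_t kept; char next[LINE_SIZE]; };

/* Constructed input: a 200-character line, then the line "hello". */
struct result demo(void)
{
    struct result r = { -1, -1, 0, "" };
    char line[LINE_SIZE];
    FILE *in = tmpfile();
    if (in == NULL) return r;
    for (int i = 0; i < 200; i++) putc('A', in);
    fputs("\nhello\n", in);
    rewind(in);
    r.rc_long = read_line(in, line, sizeof line);  /* 1: flagged as too long */
    r.kept = strlen(line);                         /* 49: stays inside line[] */
    r.rc_short = read_line(in, r.next, sizeof r.next);
    fclose(in);
    return r;
}

int main(void)
{
    struct result r = demo();
    printf("long: rc=%d kept=%zu; next: rc=%d \"%s\"\n", r.rc_long, r.kept, r.rc_short, r.next);
    return 0;
}
```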
Copyright © 2005 M. J. Dominus