Slashdot Mirror


User: pg110404

pg110404's activity in the archive.


Comments · 248

  1. Re:Washington State charges MS Windows on Washington State Outlaws Spyware · · Score: 1

    Didn't the FBI just claim IE was a security threat, specifically a spyware threat, and ban it from all their computers?

    With this bill, microsoft should be fined.

  2. That's just a bandaid on the problem. on Washington State Outlaws Spyware · · Score: 4, Insightful

    Some of the better places to go to get spyware are places in russia or developing countries, etc.

    The advantage and disadvantage of the internet is that you can go access web sites from anywhere.

    Making it tough for any group/organization to spread their malware from washington state means they'll go elsewhere to host their stuff.

    Suppose all the spyware people jump ship and go elsewhere, somebody WILL find a site that has it and will get the spyware.

    It's like passing a law that makes it illegal to skid out of control and hit a particular tree in the hopes of eliminating accidents.

  3. Why is it so difficult to stop spam? on Selling Your Attention to Spammers · · Score: 1

    Suppose smtp was modified by version + 1 to include the following in the negotiation process:

    USER user
    PASSWORD password
    AUTHENTICATE user@emaildomain.com

    Before the SMTP server responds to the authenticate, it contacts emaildomain.com (as part of version + 1 protocol) and inquires about the sender user. From there, several interesting things can happen. The server at emaildomain.com can do an email name query cache to determine if a user is being used abnormally. Hundreds, thousands of hits per second, etc. The server at emaildomain.com can report several types of errors (too many queries, not a valid user, suspected spammer, etc). If an authoritative ISP list existed where every ISP that hosts email must register in that international ISP database, any legit SMTP server could cross reference the sender's ISP domain or address, thus not any joe monkey can set up a fly-by-night SMTP server that would accept or authenticate delivery. Each ISP can also have an email address database of black lists, white lists, etc virtualized for each address. Before proceeding with the AUTHENTICATE request, the sender email address is compared against that list, and the sender credentials and the sender's ISP credentials are all verified. If the SMTP server doesn't like any of those tests, it can reject the connection outright, based on preferences the owner of that email address dictates.

  4. Separate MP3 players are here to stay. on Bill Gates: Cellphone will Beat iPod · · Score: 1

    Despite any pipe dream from the likes of bill gates, there is a reason why cellphones are primarily cellphones and why mp3 players are primarily mp3 players and why PDAs are primarily PDAs.

    The current technology to store even 256 meg of mp3s or similarly compressed audio would either displace other vital cellphone components or would make the phone that much bulkier. If I want to go jogging or hiking, the last thing I want is a large phone bulging from my pocket or strapped to my waist. I want something as small and as light as possible that can be worn around an armband that won't interfere with my activity. If I'm out hiking all weekend, I want a whole lot more than 2 or 3 hours of music, I'll want an entire weekend's worth, which means a minimum of 1 gig. Unless there's been a revolution in flash memory technology lately, a 2 gig or 4 gig flash drive or even adding a mini harddrive to a cellphone would make it so bulky it would seem like the first cellphones of the 80s.

    To bulk up a phone just for that is both impractical and cumbersome. Besides, not everyone wants (I for one don't want) a cellphone that can play mp3s, play tv, surf the web, etc. I'd want the device to do one thing and to do it well. If I want to listen to music, I'll take along an mp3 player or a radio or whatever. While a swiss army knife on the surface might appear to be practical, who would actually prefer it over a small toolbox of dedicated tools for day to day activities? It might be useful for camping or hiking when bulk is bad, but if you had a toolbox of screwdrivers and knives, would you not rather reach for the separate screwdriver?

    To me there will always be one right tool for the job. Keep the phone as a bloody phone and the mp3 player as a separate mp3 player damn it.

  5. Re:Malware on Microsoft Under Attack - Part 2 · · Score: 1

    "You've got Malware! Click here for details..."

    No, you're confusing that with AOL. It's more like paper clippy to the rescue:

    Malware has been detected on your computer. What would you like to do about it?
    * Learn more about the threat
    * Learn more about getting rid of the threat
    * Run an antivirus utility now
    * Send a report to microsoft

  6. Re:It's not GPL'ed either! on OpenOffice 2.0 Criticized on Use of Java · · Score: 1

    Am I the only one that cringes anytime I see access and database in the same sentence?

    What is more deserving of your cringing? The two words 'access' and 'database' in the same sentence or actually using access (snicker)database(snicker)?

    I was fortunate enough to write a program (front end) to a real database (ok perhaps more real than access) MySQL. If I want to cough a furball, I'll go back to the old access records. It's disgusting just thinking about access.

    Great, now I want to take a shower.

  7. Re:It's not GPL'ed either! on OpenOffice 2.0 Criticized on Use of Java · · Score: 2, Funny

    Also, who is Linus Trolvalds?

    He's an imposter! A bad one at that. This has got to be microsoft FUD designed to scare people away from free solutions and back to their lovely products......(Microsoft Access-like database management program?)

    Don't believe any of it. MS fud machine must have been freshly greased just for this one.

    AGHHHHHHHH! WHERE'S MY TINFOIL HAT?????

  8. In other news on 2 Firefox Security Flaws Lead to Exploit Potential · · Score: 2, Insightful

    A serious exploit flaw has been found. So severe is the flaw that it spans all hardware and all software. It matters not if your computer is patched or unpatched. This exploit flaw is so serious that any computer that emits power from its power supply is vulnerable. The only security fix to this devastating exploit flaw involves pulling the power plug from the computer.

    ......Seriously though, there has always been a direct correlation between usability and security. Any time features are added to a piece of software to make it more usable, it becomes more vulnerable and open to flaws that can be exploited. Firefox may have started out as a stripped down, no nonsense browser, but with its popularity rising, feature creep sets in and inherent flaws will be discovered and exploited.

    The only way to make it 100% secure is to make sure nothing can be done to the system, and that's powered off with no automated way of powering on (i.e. it's unplugged). Once we accept that it MUST be plugged in to be usable, we need to accept the possibility of exploits. Given that, however, we can't accept defeatism, and must strive to fix it.

    The typical rhetoric of "There see? product y is just as insecure as product x", and "Well at least the exploit count is 2, not 50!", only serves to distract us from the real goal of getting better and MORE secure software. Like the saying goes, "SHIT HAPPENS". Let's just learn from it and move on.

    Security through obscurity is theoretically plausible, but not very practical. What may be firefox's saving grace is that it's open source and is not held as proprietary IP, controlled by a corporation out for profit, thus the evolution of the product is driven by its need to simply be better.

    Perhaps microsoft will see these flaws as proof that open source doesn't work and will lower their own standards, making IE7 less secure or shipping earlier with less stability, or maybe they will take this opportunity to make IE7 that much better in the hopes of regaining popularity and claiming vindication. As long as firefox advances and closes those holes, we still have one extra viable choice. This would only result in a fundamentally more secure web surfing experience.

  9. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 1

    Did it occur to you that the sequence JMP ESP could be there by pure accident?

    Finally. Thank you for that lucid statement. I understand your point. Just so you know, it did not occur to me that that instruction might have accidentally found its way into memory, thus I didn't see how it could realistically happen.

    Next time, you might have tried something like this from the beginning instead of assuming my IQ was so low I couldn't outwit a boiled cabbage:
    1 - JMP ESP is a currently valid CPU instruction that should never have been added to the CPU's instruction set
    2 - The 2 byte opcode for the JMP ESP instruction can occur by accident (part of an initialized data segment block or span two valid instructions)
    3 - Find the offset of that invalid instruction and overflow the stack so the address of that instruction aligns with the return instruction of the current function
    4 - Immediately following that return address as part of your overflow buffer data, place your exploit code.
    5 - celebrate your successful buffer overflow.

    Instead, you focused on the fact that I couldn't understand the mechanics behind it. I did understand the mechanics behind it. The universe has chosen NOT to reveal the specifics as to how that technically invalid command might have gotten there in the first place.

    Once again, thank you for the epiphany.

  10. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 1

    Just because people are doing it, does that make it right? Does that mean it's right for me to go around killing people if jeffery dahmer or ted bundy killed all them people?

    JMP ESP is an instruction that resumes execution on the stack. The stack is NOT SUPPOSED to contain valid code. PERIOD. Even if it is a valid CPU instruction, it's an instruction that should never be used. The only thing that could ever have come out of this was buffer overflows. I'm not arguing the fact that it's not an existing instruction, I'm arguing the fact that if it was a valid instruction, only idiots would use it. Every PUSH instruction, every POP instruction, every CALL instruction, every RET instruction that is performed alters the stack frame and changes its dynamic including the current location of the ESP pointer. To JMP ESP is to jump to a location that does not contain and should not contain valid code as that location contains temporary information - that's why it's called a stack. You push stuff temporarily onto the stack which you will later take off the stack. A stack has always been and will always be used as a lifo. That is its purpose. That's why there's a separate area called 'code'. On linux, the code segment is in the 0x080483bd range and the stack is in the 0xbffff818 range. The two are far from each other.

    For example the program:

    void func(void) { }  int main(void) { func(); }

    Produces:

    .globl func
    .type func, @function
    func:
    pushl %ebp
    movl %esp, %ebp
    popl %ebp
    ret
    .size func, .-func
    .globl main
    .type main, @function
    main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    andl $-16, %esp
    movl $0, %eax
    subl %eax, %esp
    call func
    leave
    ret

    Notice the clever use of CALL and RET? That is how things are supposed to be done. The fact that microsoft has used such an instruction is a clear demonstration of their lack of assembly language knowledge.

    Answer me this. Have you written any assembly language code? I have. I've written more than just the typical classroom exercise. I've written a lot more than that, and in assembly language programming, JMP ESP is a very dangerous and technically illegal instruction.

    To allow you to JMP ESP implies that your code is on the stack and any PUSH or POP operation will obliterate your code, causing it to seg fault or, on firmware without a proper OS to protect you, hang.

    Perhaps the universe has revealed to you and not to me why a JMP ESP is commonplace, so please share your revelation with me. I want to know.

  11. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 1

    Try searching for a JMP ESP in the kernel, last time I tried I couldn't find one

    Ow, you got me there.... perfect example of why I hate to comment unnecessarily. I wrote that up in 1 minute and spent another 30 seconds on comments. I figured my short term memory was good enough without double checking.

    Further, is zeroing a global array necessary? I thought global variables are implicitly zeroed.

    It depends on the compiler and on the language. Some compilers will pad out the size of the EXE to include a data segment and thus will have it explicitly set. Other compilers will only explicitly allocate and set variables that are explicitly set like float PI=3.1415926; and the rest will be left over from what was in memory before. The compiler in the latter case on some platforms in particular will provide a small data segment of actual initialized memory, and instruct the OS the data segment needs to be that much plus a whole bunch more. It helps reduce the size of the EXE. When I learned C on BSD unix, we were taught early on that variables were always undefined.

    Assuming global variables, specifically in C, are always implicitly set is a very dangerous game to play.

  12. My personal empirical data..... on Red Hat/Apache Slower Than Windows Server 2003? · · Score: 2, Interesting

    I've been around on the net for a while now and if there is one thing I can say that is universal it's that servers that implement ASP are generally more flaky than other types of servers.

    I use tvlistings2.zap2it.com which has ASP, and while I think they've gotten far better in the recent past, even 4 or 5 months ago, it would routinely lose my channel line up and if I'd try to log in to reset the cookie it would claim my login account doesn't exist. I'd follow their suggestion and try recreating the account and it said it was already in use. But I can't log in because it doesn't exist, but I can't recreate it because it already exists, but I can't log in because it doesn't exist.......

    Anyway, I notice time and time again how sites that churn out ASP pages have typically slower response times compared to ones that have PHP or straight static HTML. For anyone who wonders how I determine that, I go to load a web page, and I wait for it to load. If it starts taking a while and I mean a really long while, I look at the URL and more often than not, I'll see it has a reference to an ASP. Maybe the "oh it's another one of those stupid IIS servers" makes it stick out in my mind more than "wait, this one is slow. I don't really know what's running it but it's crap", but if I had to put money on it, I'd say the IIS servers are generally slower.

    I don't run a web server, I could, but I don't. Managing web servers would not be a job I'd want to do. Almost all of my web server experience is on the visitor side and without any kind of overtly blatant bias from any sources (like the kind of "windows crashes therefore windows is evil and anything dealing with windows is also evil") to affect my opinion, I'd have to say that I personally experience a more significant lack of performance and reliability visiting web sites that run IIS than other sites that don't appear to run it. So to me, a report like this is microsoft's ever so polite way of trying to stick an uncomfortably large tube up my ass and then proceeding to blow smoke through the opening.

  13. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 1

    Actually you don't get it

    You're the one who didn't get it. JMP ESP if it actually exists is technically an invalid instruction that should NEVER be used.

    What that does is to run code specifically found on the stack, and if we step into the way-back machine, in the 8088 days, you had 4 segment registers DS (data segment), ES (extra segment), SS (stack segment), and CS (code segment). The compiler segregated the program into 3 and sometimes 4 separate segments and went out of its way to make sure it didn't execute code on the stack. The data segment, the code segment and the stack segment are separate areas in memory for a reason. The stack is specifically designed to be transient, growing and shrinking as the program runs. The code segment is determined by the compiler and remains static forever. The data segment like the stack segment is designed to have the data change as the program runs, but unlike the stack, is allocated specifically by the compiler and any given address of the data segment will always refer to one specific thing. The stacks are never allowed to mix or shift if the compiler can help it or you get nasty crashing.

    Therefore, the stack pointer is never SUPPOSED to point to valid code, ever which makes JMP ESP an invalid instruction. Anyone who uses it deserves buffer overflows and thus, in an otherwise sane world, your JMP ESP example is false.

    which explains why........

    Try searching for a JMP ESP in the kernel, last time I tried I couldn't find on[e]

  14. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 1

    If that's the case, why did you type such an elaborate version of something that can be done so much more briefly?

    Why don't you write one then? My program demonstrates a function being called and overwriting a stack buffer. Upon return from that function, the stack being corrupted jumps to an arbitrary location. Specifically an address that was part of the data that overflowed the buffer. To get the address right, it would be more complex than what I provided.

  15. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 2, Interesting

    In any case, you've missed the point.

    Actually I didn't miss the point. I could have made a far more elaborate program that actually did demonstrate that very fact, but I didn't want to spend 20 hours writing the damn thing then post 20 hours later when everybody else moved on.

    If you look at the memset before the function call, I set the entire 8k buffer to zeros, and then when I call overflowMe(), I copy 8k - 256 bytes beyond the 256 byte local buffer, extending well past the return address, a fact that I even commented at the start of the function: that the return address is reset to 0x00000000.

    The purpose was not to actually give a working example of a successful exploit but to give an example of how it could be done.

    I know full well that what I need to do is to put the machine code for the 'malicious' code in the actual buffer and to keep overflowing with nop instructions for the proper number of bytes so the final 4 bytes I copy into that overflowed buffer on any intel 32bit processor will align with the return address from that function and, if it is set correctly by taking into account the proper stack trace, can be known beforehand and thus when the function returns, it resumes execution of code at the start of the buffer that you overflowed.

    That point was not lost on me.

  16. Re:Not too hard on How To Conduct Your Very Own Buffer Overflow · · Score: 2, Interesting

    This is a buffer overflow, but not all overflows will trample on the stack causing unexpected code execution.

    The main problem with buffer overflows wrt security vulnerabilities is that an overflow has the potential to "return" to a block of code that was not where it was called from

    e.g.

    overflowBuffer = {binary code that executes a new program + padding bytes}{return ip address that points back to the address of stack buffer that is about to be overflowed}

    memcpy(buffer to overflow, overflowBuffer, bytes needed);

    In this example, a deliberate byte pattern is copied to the buffer to be overflowed that causes the computer to jump back to that spot when the function returns and that allows dynamic code execution through that vulnerability.

    While your overflow demonstrates the capability of a language to overflow a specific buffer, not all overflows are unwelcome.

    for example, I'll often define a struct as follows:

    struct data {
        int setting;
        int sequenceCount;
        int otherVariables;
        int bytes;        /* number of bytes actually stored in buffer */
        char buffer[1];   /* placeholder: the real buffer extends past the end of the struct */
    };

    I'll then do this

    struct data *ptr = (struct data *)malloc(sizeof(struct data) + bufferBytes);
    memcpy(ptr->buffer, source, bufferBytes);
    ptr->bytes = bufferBytes;

    I've implemented this trick for my own PVR recording program I wrote that reads from the video capture card and stuffs it in a fifo.

    In this case, buffer overflow is desired as it allows me to allocate an arbitrary number of bytes that follows a specific structure.

  17. Re:Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 5, Funny

    There's a security bug in your code.

    Yeah, I know. Here's the patch

    #include <stdio.h>
    int main(void)
    {
        return 0;
    }

  18. Here's a sample... on How To Conduct Your Very Own Buffer Overflow · · Score: 5, Informative

    #include <stdio.h>
    #include <string.h>

    char bigBuffer[4096];

    void overflowMe(void);

    int main(void)
    {
        memset(bigBuffer, 0, sizeof(bigBuffer));
        overflowMe();
        return 0;
    }

    /* this function should never return, in fact it
       should/might SIGSEGV as the return address will be essentially reset to IP=0x00000000 */
    void overflowMe(void)
    {
        char localBuffer[256];

        /* deliberately copy from a larger buffer to a stack segment buffer more than it can hold */
        memcpy(localBuffer, bigBuffer, sizeof(bigBuffer));
    }
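    An added example (mine, not code from the thread) that pairs the trailing-buffer struct trick from comment 16 with a bounded counterpart to the memcpy in the overflowMe() sample above. The names data_new, copy_bounded and maxBytes are my own; the struct fields and the 4096 -> 256 copy sizes are taken from the posts.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the posted struct, but with a C99 flexible array member
   instead of the char buffer[1] placeholder, so sizeof(struct data) no longer
   counts a byte that the allocation had to over-provision anyway. */
struct data {
    int setting;
    int sequenceCount;
    int otherVariables;
    size_t bytes;      /* number of valid bytes in buffer[] */
    char buffer[];     /* storage allocated past the end of the struct */
};

/* Allocate a struct data and copy bufferBytes bytes of source into its
   trailing buffer.  Returns NULL instead of allocating when:
     - bufferBytes exceeds the caller's policy limit maxBytes, or
     - sizeof(struct data) + bufferBytes would wrap around size_t, which
       would otherwise yield a tiny allocation followed by a large heap
       overflow in the memcpy. */
struct data *data_new(const void *source, size_t bufferBytes, size_t maxBytes)
{
    if (bufferBytes > maxBytes)
        return NULL;
    if (bufferBytes > SIZE_MAX - sizeof(struct data))
        return NULL;                        /* size arithmetic would overflow */
    if (source == NULL && bufferBytes != 0)
        return NULL;

    struct data *ptr = malloc(sizeof(struct data) + bufferBytes);
    if (ptr == NULL)
        return NULL;
    ptr->setting = 0;
    ptr->sequenceCount = 0;
    ptr->otherVariables = 0;
    ptr->bytes = bufferBytes;
    if (bufferBytes != 0)
        memcpy(ptr->buffer, source, bufferBytes);
    return ptr;
}

/* Bounded replacement for the unconditional memcpy in overflowMe(): the copy
   is refused (return -1) when srcLen exceeds the destination's real size, so
   nothing above localBuffer, the saved return address included, is touched. */
int copy_bounded(char *dst, size_t dstSize, const char *src, size_t srcLen)
{
    if (dst == NULL || src == NULL || srcLen > dstSize)
        return -1;
    memcpy(dst, src, srcLen);
    return 0;
}

/* Stand-alone demonstration mirroring the thread's 4096 -> 256 copy. */
int main(void)
{
    static char bigBuffer[4096];
    char localBuffer[256];
    memset(bigBuffer, 'A', sizeof(bigBuffer));

    int refused = copy_bounded(localBuffer, sizeof(localBuffer),
                               bigBuffer, sizeof(bigBuffer));   /* -1 */
    struct data *d = data_new(bigBuffer, 100, 4096);
    int ok = (d != NULL && d->bytes == 100);
    free(d);
    return (refused == -1 && ok) ? 0 : 1;
}
```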

  19. Re:24% per computer? on Ditching Microsoft Could Save Education Millions · · Score: 1

    Unless they have something like 1000 computers or a similarly ridiculously large number of 'seats' it might be cheaper to buy individual licenses per machine which still makes it 'per computer'.

    They could instead pay a hefty license for the 'corporate' version of windows which no longer makes it 'per computer', but more 'per seat' and the more computers they purchase, the per seat cost drops.

    To me, 24% per computer and 24% per seat are two different things and adding that qualifier is a reasonable statement.

  20. Re:not really clear on Ditching Microsoft Could Save Education Millions · · Score: 1

    My estimate would be more in the 10% range.

    (all prices estimated in canadian $)
    Let's add things up. XP Home, regular retail $150
    MS office about $300

    BASIC OS + BASIC OFFICE SUITE $450
    I'm sure schools would purchase more than those two pieces of software alone, which pushes the software cost even higher.

    Suppose schools get 50% discount, that's still $225.

    If that is 10%, that's a computer worth $2,000 which would make some game loving script kiddie have wet dreams every night for months.

    I'd estimate the 25% mark range is reasonably accurate considering schools will skip on certain high end components and go for something basic like built in audio/video/lan with a modest harddrive and CD reader. A system like that isn't worth a whole lot these days, only about $800-$900 which puts the $225 school cost in at around the 20-25% range.

  21. Re:My first glance at the title of TFA... on Initial ROTS Reviews Hit the Internet · · Score: 1

    I meant it rots as in several days dead and decaying. One need not take a pulse to ascertain that it is truly dead.

  22. My first glance at the title of TFA... on Initial ROTS Reviews Hit the Internet · · Score: 3, Funny

    Initial ROTS review.... Rots...... rots..... return of the king?....no, that's ROTK.... Rots.... WTF?..... Oh that's right revenge of the sith. I wonder if the movie will live up to the hidden meaning in its abbreviation?

  23. Re:soooner on Microsoft to Share 'Spare' Tech with Startups · · Score: 1

    I swear, it's like there is a program which randomly inserts spelling errors into the stories

    Aithur that oar the peeple hear kant sppel wirth a dam. Their kneeds too bee moor atension speant prouphing you're poaste beefour submiteing.

  24. Re:WTF? on IBM Gives SCO the Works · · Score: 1

    Yes, but making SCO go through 100's of CD's is entertaining.

    There's a thought.

    How many of us would pay even $1.00 to have IBM pad the stack of CDs out with files generated by /dev/random, just to make SCO's life that much more difficult?

  25. Re:WTF? on IBM Gives SCO the Works · · Score: 1

    $20.00?

    Well, you know, it's the principle of the thing. The canadian counterpart to the IRS is perfectly willing to spend thousands of dollars trying to get the original $2.00 you owed them.
    Where do you draw the line? Today, it's $2.00, tomorrow it's $2.50, eventually, they should stop collecting altogether. So if IBM wants to reclaim lost money in resources to provide the evidence, every last penny should count. After all, it's the principle of the thing.