Subject: Re: CVS commit: src/usr.sbin/rtsold
To: None <bad@bsd.de>
From: M. Warner Losh <imp@bsdimp.com>
List: source-changes
Date: 01/03/2004 17:08:06
In message: <20040103224856.H329@cargo-cult.k.bsd.de>
            Christoph Badura <bad@bsd.de> writes:
: On Sat, Jan 03, 2004 at 12:39:17PM -0500, Nathan J. Williams wrote:
: > I think that the judgement that atexit is "very dangerous" is
: > overblown, having looked at the description of the problem. It's
: > essentially complaining that there's a function pointer in libc that's
: > used by all programs, so a vulnerability is introduced once an
: > attacker has gained the ability to overwrite arbitrary locations in
: > memory.
: 
: Especially when there are more function pointers used by libc.
: E.g. the ones in struct FILE, easily locatable via std{in,out,err}.
: Or the ones used by the DB library (used, e.g., by the getpw* family
: of functions).  And that is only the tip of the iceberg, I'm sure.

Not to mention virtual function table pointers in C++ (note, the vtbl
can be in read-only memory, but you can adjust the vtbl ptr).  This is
also vulnerable because the vtbl ptr tends to be at the end of the
base class' storage, which makes a relatively easy target too.

Warner