Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies
From: trial@freemail.hu
Date: 04/25/02
- Previous message: Wichert Akkerman: "[SECURITY] [DSA-128-1] sudo buffer overflow"
- Maybe in reply to: Iván Arce: "CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies"
- Next in thread: Mariusz Woloszyn: "Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Apr 2002 22:47:47 -0000
From: <trial@freemail.hu>
To: bugtraq@securityfocus.com
In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>
The MS /GS switch has an equally fatal flaw in its stack
layout that makes it unnecessary to deal with the random
canary: the Structured Exception Handler frame (which has a
function pointer) comes after the canary (or cookie in MS
parlance). All it takes is to induce an exception by
overflowing some local variable (there are fair chances for
this since functions manipulating buffers normally have
pointer variables as well). Of course moving the canary
after the SEH frame would/will put things back where you
state they are now.