[25268] in bugtraq
Re: CORE-20020409: Multiple vulnerabilities in stack smashing
daemon@ATHENA.MIT.EDU (trial@freemail.hu)
Fri Apr 26 01:23:04 2002
Date: 24 Apr 2002 22:47:47 -0000
Message-ID: <20020424224747.4304.qmail@mail.securityfocus.com>
From: <trial@freemail.hu>
To: bugtraq@securityfocus.com
In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>
The MS /GS switch has an equally fatal flaw in its stack
layout that makes it unnecessary to deal with the random
canary: the Structured Exception Handler frame (which has a
function pointer) comes after the canary (or cookie in MS
parlance). All it takes is to induce an exception by
overflowing some local variable (there are fair chances for
this since functions manipulating buffers normally have
pointer variables as well). Of course moving the canary
after the SEH frame would/will put things back where you
state they are now.