Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies

From: trialat_private
Date: Wed Apr 24 2002 - 15:47:47 PDT

In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>

The MS /GS switch has an equally fatal flaw in its stack
layout that makes it unnecessary to deal with the random
canary: the Structured Exception Handler frame (which has a
function pointer) comes after the canary (or cookie in MS
parlance). All it takes is to induce an exception by
overflowing some local variable (there are fair chances for
this since functions manipulating buffers normally have
pointer variables as well). Of course moving the canary
after the SEH frame would/will put things back where you
state they are now.

This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 22:22:48 PDT