Re: CORE-20020409: Multiple vulnerabilities in sta: msg#00371 security.bugtraq

In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>

The MS /GS switch has an equally fatal flaw in its stack
layout that makes it unnecessary to deal with the random
canary: the Structured Exception Handler frame (which has a
function pointer) comes after the canary (or cookie in MS
parlance). All it takes is to induce an exception by
overflowing some local variable (there are fair chances for
this since functions manipulating buffers normally have
pointer variables as well). Of course moving the canary
after the SEH frame would/will put things back where you
state they are now.

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	[SECURITY] [DSA-128-1] sudo buffer overflow: 00371, Wichert Akkerman
Next by Date:	Re: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list): 00371, 3APA3A
Previous by Thread:	[SECURITY] [DSA-128-1] sudo buffer overflowi: 00371, Wichert Akkerman
Next by Thread:	[RHSA-2002:072-07] Updated sudo packages are available: 00371, bugzilla
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

[SECURITY] [DSA-128-1] sudo buffer overflow: 00371, Wichert Akkerman

Next by Date:

Re: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list): 00371, 3APA3A

Previous by Thread:

[SECURITY] [DSA-128-1] sudo buffer overflowi: 00371, Wichert Akkerman

Next by Thread:

[RHSA-2002:072-07] Updated sudo packages are available: 00371, bugzilla

Indexes:

[Date] [Thread] [Top] [All Lists]

Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection: msg#00371

security.bugtraq