Bugtraq mailing list archives

Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies


From: <trial () freemail hu>
Date: 24 Apr 2002 22:47:47 -0000

In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>

The MS /GS switch has an equally fatal flaw in its stack 
layout that makes it unnecessary to deal with the random 
canary: the Structured Exception Handler frame (which has a 
function pointer) comes after the canary (or cookie in MS 
parlance). All it takes is to induce an exception by 
overflowing some local variable (there are fair chances for 
this since functions manipulating buffers normally have 
pointer variables as well). Of course moving the canary 
after the SEH frame would/will put things back where you 
state they are now.
