


The "<unknown>" (a static string added by -fstack-protector) that you see in the message was previously argv[0]. In fact, this is a fairly recent mitigation mechanism introduced to avoid leaking information about the stack of the crashed application. Some attackers started to exploit the fact that you could overflow the stack, reach argv[0] and overwrite it with an address of your choosing. Indeed, if you can control the address stored in argv[0] and crash the application, you can leak the whole stack outside of the application. If a secret key or some confidential data were stored on the stack, an attacker could access it through this feature.

This technique was mainly used against servers where fork() was used to respawn an instance. As fork() clones the memory of the initial process, ASLR was useless: the same starting memory image was reused and, therefore, the same memory mapping was used again and again. That is why, sometime last year, some developers decided to stop using argv[0] when displaying information about the stack smashing and replaced it with "<unknown>".
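The fork() point above, as an added example that is not from the original post: a forked worker is a byte-for-byte copy of its parent, so every child sees the same stack addresses, the same code addresses and the same stack-protector canary, which is why repeated crashes of forked workers are not protected by ASLR. It assumes a POSIX system with fork() and pipe(); re-executing each worker (or not forking at all) is the layout-randomising alternative.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Layout fingerprint a child reports back to its parent. */
struct layout {
    uintptr_t stack;  /* address of a local variable */
    uintptr_t code;   /* address of this function (PIE text base) */
};

static void sample_layout(struct layout *out) {
    volatile int local = 0;
    out->stack = (uintptr_t)&local;
    out->code = (uintptr_t)&sample_layout;
}

/* Returns 1 if a forked child sees exactly the parent's layout, 0 if it
 * differs, -1 on error. Under fork() the answer is always 1: the child is a
 * clone of the parent, canary included, so ASLR does not help against
 * repeated crashes of forked workers. Only a fresh execve() randomises again. */
int fork_preserves_layout(void) {
    struct layout parent, child;
    int fd[2];
    sample_layout(&parent);
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                /* child: measure from the same frame depth */
        struct layout mine;
        sample_layout(&mine);
        if (write(fd[1], &mine, sizeof mine) < 0) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child) return -1;
    return parent.stack == child.stack && parent.code == child.code;
}

int main(void) {
    printf("forked child has the same layout as its parent: %d\n",
           fork_preserves_layout());
    return 0;
}
```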
