Is /GS violation really exploitable?

Jul 10, 2009 at 9:39 PM
I fuzzed a network application, and !exploitable gave me this analysis of the crash dump:
Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.
My question is: If this was detected by the /GS stack protection, then is it really exploitable? Isn't GS doing its job, and preventing this from being exploitable?

Jul 14, 2009 at 12:31 AM

Hi Jim,

The /GS stack protection is considered defense in depth. It is bad practice to depend on defense in depth mechanisms, because that removes the "in depth". Compile them in, turn them on, but don't allow their existence to be used as a rationale for leaving vulnerable code in place.

To use an analogy, the fact that I have airbags in my car does not mean I shouldn't worry about the fact that my brakes don't work.

In the case of a /GS violation, we know that there is an unconstrained (or improperly constrained) copy onto the stack. If the state of the art is such that an attacker is able to evade the version of /GS that the application was compiled against, then the attacker has the ability to get remote execution of code.
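As an added illustration of the reply above (example code written for this page, not taken from the thread, the fuzzed application, or the !exploitable project), here is the shape of code that produces a /GS exception next to the form that actually fixes it. The record format, the buffer size NAME_MAX and every function name are assumptions made for the example. The point is the one the reply makes: the fix is to constrain the copy against both the bytes received and the destination buffer, not to rely on the cookie check catching the overrun after the fact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format used only for this example:
 *   byte 0     : declared payload length N (untrusted, from the network)
 *   bytes 1..N : payload                                                   */
#define NAME_MAX 16

/* The shape of code behind a /GS exception: N is taken from the packet and
 * copied onto the stack without being checked against 'name'. A record with
 * N > NAME_MAX overruns the buffer and the cookie check on return fires.
 * Shown for contrast only; nothing below calls it.                        */
int handle_record_unchecked(const uint8_t *pkt)
{
    char name[NAME_MAX];
    size_t n = pkt[0];
    memcpy(name, pkt + 1, n);          /* unconstrained copy onto the stack */
    return (int)n;
}

/* Hardened form: the declared length is checked against the bytes actually
 * received and against the destination before any copy happens.
 * Returns the payload length copied, or -1 for a malformed record.        */
int handle_record_checked(const uint8_t *pkt, size_t pktlen,
                          char *out, size_t outsize)
{
    if (pkt == NULL || pktlen < 1)
        return -1;                     /* no length byte at all */
    size_t n = pkt[0];
    if (n > pktlen - 1)
        return -1;                     /* claims more bytes than were received */
    if (n >= outsize)
        return -1;                     /* would not fit with a terminator */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Same fixed stack buffer as the unchecked version, now behind the check. */
int process_name_record(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_MAX];
    int n = handle_record_checked(pkt, pktlen, name, sizeof name);
    if (n < 0)
        return -1;
    printf("name: %s\n", name);
    return n;
}

/* Constructed sample records exercising the three cases a parser must handle. */
int demo_good(void)                    /* well-formed: expect 5 */
{
    static const uint8_t pkt[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    return process_name_record(pkt, sizeof pkt);
}

int demo_truncated(void)               /* claims 9 bytes, carries 2: expect -1 */
{
    static const uint8_t pkt[] = { 9, 'a', 'b' };
    return process_name_record(pkt, sizeof pkt);
}

int demo_oversized(void)               /* 40 bytes into a 16-byte buffer: expect -1 */
{
    uint8_t pkt[1 + 40];
    pkt[0] = 40;
    memset(pkt + 1, 'A', 40);
    return process_name_record(pkt, sizeof pkt);
}

int demo_max_fit(void)                 /* largest payload that still fits: expect 15 */
{
    uint8_t pkt[1 + (NAME_MAX - 1)];
    pkt[0] = NAME_MAX - 1;
    memset(pkt + 1, 'B', NAME_MAX - 1);
    return process_name_record(pkt, sizeof pkt);
}

int main(void)
{
    printf("good=%d truncated=%d oversized=%d max_fit=%d\n",
           demo_good(), demo_truncated(), demo_oversized(), demo_max_fit());
    return 0;
}
```

Note that the oversized record is rejected before memcpy runs, so the cookie never gets a chance to be clobbered; with the unchecked version the same record would be accepted, overrun the frame, and surface only as the /GS exception !exploitable reported. The truncated case matters too: a length field larger than the data received is an over-read rather than an overrun, and /GS says nothing about it.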