Posts

Linux Heap glibc TCache Double Free Mitigation Bypass

In this paper, I introduce the reader to a heap metadata corruption against the latest Linux Heap Allocator, ptmalloc. This attack performs a double free in the presence of the tcache double free mitigation. It does this by corrupting the freed chunk before the second free is called. This allows a cycle to be created in the tcache and can give primitives such as making malloc return the same memory more than once, or making malloc return an arbitrary pointer.

Linux Heap glibc TCache Double Free Mitigation Bypass.PDF

Cryptopals Challenge 23: Clone an MT19937 RNG from its output

I've recently gotten the cryptography bug.

I would highly recommend working through the challenges at http://cryptopals.com. The challenges give insight and practice into real attacks on weak cryptosystems.

Personally, I'm on to set 4, but I skipped the Mersenne Twister (MT) RNG challenges to get there. Today I went back to those challenges, and in this blog post I present my solution to challenge 23.

The Mersenne Twister generates pseudo-random numbers. As an attacker, it would be nice to be able to predict future numbers by looking only at the earlier output of the MT random number generator.

Firstly, an earlier challenge is simply to get an MT RNG working. I stole the code from https://github.com/james727/MTP. Is it bad that I copied the code? No. You will see there is still much work to be done to break the MT RNG.

The key insight into the MT19937 RNG is that the complete internal state consists of 624 32-bit integers. If you can clone these integers, you can predict any future number …

Linux Heap House of Force Exploitation

In this paper, I introduce the reader to a heap metadata corruption against a recent version of the Linux Heap allocator in glibc 2.27. The House of Force attack is a known technique that requires a buffer overflow to overwrite the top chunk size. An attacker must then be able to malloc an arbitrary size of memory. The result is that it is possible to make a later malloc return an arbitrary pointer. With appropriate application logic, this attack can be used in exploitation. This attack has been mitigated in the latest glibc 2.29 but is still exploitable in glibc 2.27 as seen in Ubuntu 18.04 LTS.

Linux Heap House of Force Exploitation.PDF

Linux Heap Calloc Exploitation part 2

In this paper, I introduce the reader to a heap metadata corruption against the most current version of the Linux Heap allocator. Normally, calloc will allocate data and zero out the memory before returning a pointer to it. An attacker that can overflow from one chunk into a free chunk in a fast bin can force calloc to return uninitialised data. This information leak could be utilised to defeat ASLR or expose sensitive information.

Linux Heap Calloc Exploitation part 2.PDF

Linux Heap Calloc Exploitation

Linux Heap Overlapping Chunks Exploitation

In this paper, I introduce the reader to a heap metadata corruption against the current Linux Heap Allocator, ptmalloc. An attacker that can overflow from one chunk into the next allocated chunk can force ptmalloc to return overlapping allocations. Given the appropriate application logic, this can lead to exploitation.
This attack is known and is documented in various outlets.