Tuesday, 30 July 2019

Linux Heap glibc 2.27 Double Free Exploitation

In this paper, I introduce the reader to a heap metadata corruption attack against ptmalloc, the glibc 2.27 Linux heap allocator. This attack is mitigated in the most recent glibc, 2.29. An attacker who forces the application to perform a double free can manipulate it so that malloc returns an arbitrary pointer. This is achieved by having malloc return a chunk of memory that still remains in the tcache freelist. The attacker is then able to manipulate this memory to perform tcache poisoning and force malloc to return an arbitrary pointer. This is a powerful primitive, and with appropriate application logic it is equivalent to a write-what-where.

Linux Heap glibc 2.27 Double Free Exploitation.PDF
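As an added illustration (constructed here, not code from the paper or from glibc), the following toy model of a single tcache bin shows why the double free described above works on the 2.27 freelist and how the `key` field that 2.29 adds to each freed chunk lets free() detect it. The `TCACHE_KEY` marker value and the function names are assumptions of the model; real glibc stores the address of the tcache structure in that field.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of one tcache bin; it is NOT glibc source. */
#define TCACHE_MAX 7

typedef struct tcache_entry {
    struct tcache_entry *next; /* singly linked freelist, LIFO */
    uintptr_t key;             /* field added in glibc 2.29: "I am in tcache" marker */
} tcache_entry;

typedef struct { tcache_entry *head; int count; } tcache_bin;

/* Assumed marker value; glibc 2.29 writes the tcache struct address here. */
static const uintptr_t TCACHE_KEY = 0x7c4c4e;

/* free() into the bin. check_key == 0 models 2.27 (no check at all);
 * check_key != 0 models 2.29, which refuses a chunk whose key says it is
 * already in the bin. Returns 0 on success, -1 on detected double free,
 * 1 when the bin is full (chunk would go elsewhere; out of scope here). */
static int model_free(tcache_bin *bin, tcache_entry *e, int check_key) {
    if (check_key && e->key == TCACHE_KEY) {
        /* 2.29 walks the bin to confirm before aborting with
         * "free(): double free detected in tcache 2". */
        for (tcache_entry *p = bin->head; p; p = p->next)
            if (p == e) return -1;
    }
    if (bin->count >= TCACHE_MAX) return 1;
    e->next = bin->head;   /* on a double free this makes e->next == e */
    e->key = TCACHE_KEY;
    bin->head = e;
    bin->count++;
    return 0;
}

/* malloc() from the bin: both versions simply pop the head. */
static tcache_entry *model_malloc(tcache_bin *bin) {
    tcache_entry *e = bin->head;
    if (!e) return NULL;
    bin->head = e->next;   /* after a double free, head stays == e */
    bin->count--;
    e->key = 0;
    return e;
}

/* free(a); free(a); malloc() on a fresh bin. Returns -1 if the second
 * free was detected (2.29), 1 if malloc handed back a while a is still
 * the head of the freelist (2.27, the state the text describes), else 0. */
static int double_free_scenario(int check_key) {
    tcache_bin bin = {0};
    tcache_entry a = {0};
    if (model_free(&bin, &a, check_key) != 0) return 0;
    if (model_free(&bin, &a, check_key) == -1) return -1;
    tcache_entry *got = model_malloc(&bin);
    return (got == &a && bin.head == &a) ? 1 : 0;
}
```

With the 2.29 check the second free is rejected before the list is corrupted; without it, the chunk is both in use and still reachable from the freelist, which is the precondition for the tcache poisoning the paper builds on.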
