
Freelist Heap Exploitation on Docker Alpine Linux Images

Introduction
In this blog post, I'll look at two attacks on Alpine Linux, a distribution commonly used as the base of Docker images. Both attacks use freelist poisoning against the heap allocator. The difference is that the first attack targets uClibc's heap allocator, which is present in earlier releases of Alpine, and the second targets the current version of Alpine, which uses musl libc.

I have written at great length about freelist poisoning, as seen in:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/12/attacks-on-tcmalloc-heap-allocator.html

The main feature of freelist poisoning is that an attacker is able to make malloc return an arbitrary pointer. Combine with appropr…

Attacks on the TCMalloc Heap Allocator

Introduction
TCMalloc is a well-known heap allocator written by Google. A number of attacks against tcmalloc are possible. A good presentation on tcmalloc was given in 2011: https://downloads.immunityinc.com/infiltrate-archives/webkit_heap.pdf

In this blog post, I'll give examples of three attacks, some of which are not well known.

Freelist Poisoning
In the following code, we make tc_malloc return an arbitrary pointer. This is another variant of freelist poisoning, which I have written about at great length. For freelist poisoning details on other allocators, see:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html
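The mechanism behind both the Alpine (uClibc/musl) attack above and the tcmalloc variant here is the same: a singly linked freelist keeps its next pointer inside the freed chunk, and an unchecked unlink trusts whatever is there. The C program below is an added illustration, not code from this post or from any real allocator: it models that pattern with a toy single-size-class allocator (the arena, chunk size and the g_target victim are constructed for the demo), overflows a live chunk into the adjacent freed one to overwrite its next pointer, and shows the second allocation returning the attacker's address. A hardened unlink that refuses a next pointer outside the arena is shown alongside so the check a defender would add is concrete.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy single-size-class allocator, constructed for this example only.
 * The freelist's "next" pointer lives in the first word of each free
 * chunk, the in-band layout that freelist poisoning relies on. */
#define CHUNK_SIZE 32
#define NCHUNKS    4

static unsigned char g_arena[NCHUNKS * CHUNK_SIZE];
static void *g_freelist;

static void toy_init(void)
{
    g_freelist = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {   /* thread chunks in address order */
        void *c = g_arena + i * CHUNK_SIZE;
        *(void **)c = g_freelist;
        g_freelist = c;
    }
}

static void toy_free(void *c)
{
    *(void **)c = g_freelist;                  /* LIFO push, no sanity checks */
    g_freelist = c;
}

/* Vulnerable unlink: trusts whatever the freed chunk says its next is. */
static void *toy_malloc(void)
{
    void *c = g_freelist;
    if (c != NULL)
        g_freelist = *(void **)c;
    return c;
}

/* Hardened unlink: refuse a next pointer that is not a chunk in the arena. */
static int in_arena(const void *p)
{
    uintptr_t a = (uintptr_t)g_arena, q = (uintptr_t)p;
    return q >= a && q < a + sizeof g_arena && (q - a) % CHUNK_SIZE == 0;
}

static void *toy_malloc_checked(void)
{
    void *c = g_freelist;
    if (c == NULL)
        return NULL;
    void *next = *(void **)c;
    if (next != NULL && !in_arena(next))
        return NULL;                           /* poisoned list: refuse the allocation */
    g_freelist = next;
    return c;
}

/* The arbitrary address the attacker wants malloc to return (constructed). */
static uint64_t g_target;

/* Runs the attack against the given malloc. Returns 1 if the second
 * allocation after the overflow is &g_target and a write through it
 * lands on g_target, 0 otherwise. */
static int run_poisoning(void *(*alloc)(void))
{
    toy_init();
    g_target = 0;
    unsigned char *a = alloc();                /* chunk 0 */
    unsigned char *b = alloc();                /* chunk 1, directly after a */
    toy_free(b);                               /* b->next = chunk 2, head = b */

    /* Attacker-controlled overflow of CHUNK_SIZE + 8 bytes from a: the
     * trailing word lands exactly on b's next pointer (constructed payload). */
    unsigned char payload[CHUNK_SIZE + sizeof(void *)];
    memset(payload, 'A', CHUNK_SIZE);
    void *fake = &g_target;
    memcpy(payload + CHUNK_SIZE, &fake, sizeof fake);
    for (size_t i = 0; i < sizeof payload; i++)
        a[i] = payload[i];

    void *first  = alloc();                    /* b again; head is now &g_target */
    void *second = alloc();                    /* the poisoned pointer, or NULL if checked */
    if (first != b || second != (void *)&g_target)
        return 0;
    *(uint64_t *)second = 0xdeadbeef;          /* arbitrary write through malloc's result */
    return g_target == 0xdeadbeef;
}

int poison_unchecked(void) { return run_poisoning(toy_malloc); }
int poison_checked(void)   { return run_poisoning(toy_malloc_checked); }

int main(void)
{
    printf("unchecked malloc returned &g_target: %d\n", poison_unchecked());
    printf("checked malloc returned &g_target:   %d\n", poison_checked());
    return 0;
}
```

Real allocators differ in layout and in the checks they add, so this shows the shape of the attack rather than a working exploit against any of them: glibc 2.32 and later mangle tcache and fastbin next pointers (safe-linking), so a raw overwrite first needs a heap address leak, and musl 1.2.1 and later ship a redesigned allocator (mallocng) that keeps its free-chunk bookkeeping out of band.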


Double Free
In the following attack that exploits a double free in tcmalloc, we convert the double free into freelist…

Newlib Unlink Heap Exploitation

uClibc Unlink Heap Exploitation