In this paper, I introduce the reader to a heap metadata corruption attack
against the latest version of uClibc. This allocator is used in embedded
systems. The unlink attack on heaps was first introduced by Solar Designer in
the year 2000 and was the first generic heap exploitation technique made
public. In the unlink technique, an attacker corrupts the prev and next
pointers of a free chunk. In a subsequent malloc that recycles this chunk, the
chunk is unlinked from its freelist via pointer manipulations. This
inadvertently allows an attacker to craft a write-what-where primitive and
write what they want where they want in memory. This attack is historical, but
also exists today in uClibc.
uClibc Unlink Heap Exploitation.PDF
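The unlink step described in the abstract above, as an added example (not code from the paper or from uClibc): a generic doubly linked free list in C with a hypothetical `struct chunk` layout, showing the classic unlink beside a hardened version that verifies the neighbours point back before writing. The corruption is simulated on constructed stack objects, and all names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical free-chunk header for a doubly linked free list
 * (illustrative layout, not uClibc's). */
struct chunk {
    size_t size;
    struct chunk *next;
    struct chunk *prev;
};

/* Classic unlink: trusts both pointers stored in the chunk header. */
void unlink_unchecked(struct chunk *c) {
    c->prev->next = c->next;
    c->next->prev = c->prev;
}

/* Hardened unlink: 0 on success, -1 if the neighbours do not point back. */
int unlink_checked(struct chunk *c) {
    if (c->next == NULL || c->prev == NULL)
        return -1;
    if (c->next->prev != c || c->prev->next != c)
        return -1;              /* header was tampered with: refuse to write */
    unlink_unchecked(c);
    return 0;
}

/* Constructed scenario: list a <-> b <-> c, plus an unrelated object standing
 * in for memory outside the free list. If corrupt is nonzero, b.next is
 * overwritten the way an overflow into b's header would do it.
 * Returns 1 if the unlink modified the unrelated object. */
int unrelated_modified(int corrupt, int use_check, int *status) {
    struct chunk a = {16, NULL, NULL}, b = {16, NULL, NULL}, c = {16, NULL, NULL};
    struct chunk unrelated = {0, NULL, NULL};
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;
    if (corrupt)
        b.next = &unrelated;    /* simulated header corruption */
    *status = 0;
    if (use_check)
        *status = unlink_checked(&b);
    else
        unlink_unchecked(&b);
    return unrelated.prev != NULL;
}

int main(void) {
    int s;
    printf("corrupt, unchecked: stray write=%d\n", unrelated_modified(1, 0, &s));
    printf("corrupt, checked:   stray write=%d status=%d\n", unrelated_modified(1, 1, &s), s);
    return 0;
}
```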
Tuesday, 26 November 2019
Monday, 18 November 2019
AVR LIBC Freelist Poisoning
In this paper, I introduce the reader to a heap metadata corruption attack
against the latest version of avr-libc. This allocator is used in embedded
systems, Arduino, and the Internet of Things. In freelist poisoning, an
attacker corrupts the chunk header of a free chunk. This chunk’s next pointer
is modified to point to an arbitrary address. The data before this address is
under the control of the attacker and represents the poisoned chunk size. The
allocator, in a subsequent malloc, will return the poisoned chunk. In
conjunction with program application logic, an arbitrary write may be
achievable.
AVR LIBC Freelist Poisoning.PDF
Sunday, 17 November 2019
Diet LIBC Freelist Poisoning
In this paper, I introduce the reader to a heap metadata corruption attack
against the latest version of diet libc. This allocator is used in embedded
systems. In freelist poisoning, an attacker corrupts the chunk header of a
free chunk. This chunk’s next pointer is modified to point to an arbitrary
address. The allocator, in a subsequent malloc, will return this arbitrary
pointer. In conjunction with program application logic, an arbitrary write may
be achievable.
Diet LIBC Freelist Poisoning.PDF