In this
paper, I introduce the reader to a heap metadata corruption against the latest
version of avr-libc. This allocator is used in embedded systems, Arduino, and
the Internet of Things. In freelist poisoning, an attacker corrupts the chunk
header of a free chunk. This chunk’s next pointer is modified to point to an
arbitrary address. The data before this address is under the control of the
attacker and represents the poisoned chunk size. The allocator, in a subsequent
malloc, will return the poisoned chunk. In conjunction with program application
logic, an arbitrary write may be achievable.
AVR LIBC Freelist Poisoning.PDF
Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland
Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...
-
InfoSect has always been committed to fostering diversity and inclusion within the cybersecurity industry, with a special focus on encourag...
-
Summary This is the next part of the C++ memory corruption series*. In this post, we'll look at corrupting the std:string object in L...
-
Syed Faraz Abrar @farazsth98 Summary In this blog post, I will provide some details on how the Chromium developers implemente...
