AVR LIBC Freelist Poisoning

In this paper, I introduce the reader to a heap metadata corruption against the latest version of avr-libc. This allocator is used in embedded systems, Arduino, and the Internet of Things. In freelist poisoning, an attacker corrupts the chunk header of a free chunk. This chunk’s next pointer is modified to point to an arbitrary address. The data before this address is under the control of the attacker and represents the poisoned chunk size. The allocator, in a subsequent malloc, will return the poisoned chunk. In conjunction with program application logic, an arbitrary write may be achievable.

AVR LIBC Freelist Poisoning.PDF

Popular posts from this blog

Pointer Compression in V8

C++ Memory Corruption (std::string) - part 4

C++ Memory Corruption (std::vector) - part 2