AVR LIBC Overlapping Chunks
In this paper, I introduce the reader to a heap metadata corruption against the
latest version of avr-libc. This allocator is used in embedded systems, Arduino,
and the Internet of Things (IoT). In the overlapping chunks technique, an attacker
corrupts the size of an allocated chunk to make it larger, so that it overlaps
into the next chunk. This modified chunk is then freed and placed into the
freelist. The allocator will subsequently return this chunk for the size that it
has been modified to. Thus, the chunk overlaps the next chunk.
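A defensive view of the same condition, as an added example that is not code from the paper or from avr-libc: a consistency check that flags a chunk whose size header claims bytes belonging to the next chunk. It assumes a 2-byte little-endian size header that counts payload bytes only, and a hypothetical shadow list of chunk start offsets kept outside the heap; the heap contents are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR 2u /* assumed: 2-byte size header in front of each payload */

/* Read the little-endian size header of the chunk whose header is at off. */
static uint16_t chunk_size(const uint8_t *heap, size_t off) {
    return (uint16_t)(heap[off] | (heap[off + 1] << 8));
}

static void set_chunk_size(uint8_t *heap, size_t off, uint16_t sz) {
    heap[off] = (uint8_t)(sz & 0xff);
    heap[off + 1] = (uint8_t)(sz >> 8);
}

/* starts[] holds header offsets of live chunks in ascending order
 * (hypothetical shadow record stored outside the heap).
 * Returns the index of the first chunk whose header reaches past the next
 * chunk's header or the heap end, or -1 if every header is consistent. */
int find_overlap(const uint8_t *heap, size_t heap_len,
                 const size_t *starts, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (starts[i] + HDR > heap_len) return (int)i; /* header out of bounds */
        size_t limit = (i + 1 < n) ? starts[i + 1] : heap_len;
        size_t end = starts[i] + HDR + chunk_size(heap, starts[i]);
        if (end > limit) return (int)i;
    }
    return -1;
}

/* Constructed sample: two adjacent 16-byte chunks in a 64-byte heap.
 * first_size is the value found in the first chunk's header at check time. */
int demo(uint16_t first_size) {
    uint8_t heap[64];
    size_t starts[2] = {0, 18};
    memset(heap, 0, sizeof heap);
    set_chunk_size(heap, 0, first_size);
    set_chunk_size(heap, 18, 16);
    return find_overlap(heap, sizeof heap, starts, 2);
}

int main(void) {
    printf("intact header:    %d\n", demo(16));
    printf("corrupted header: %d\n", demo(40));
    return 0;
}
```

Running such a check before a chunk is handed to `free` catches the enlarged size before it reaches the freelist.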
AVR LIBC Overlapping Chunks.PDF