Diet LIBC Freelist Poisoning

In this paper, I introduce the reader to a heap metadata corruption against the latest version of diet libc. This allocator is used in embedded systems. In freelist poisoning, an attacker corrupts the chunk header of a free chunk. This chunk’s next pointer is modified to point to an arbitrary address. The allocator, in a subsequent malloc, will return this arbitrary pointer. In conjunction with program application logic, an arbitrary write may be achievable.

Diet LIBC Freelist Poisoning.PDF

Comments

Popular posts from this blog

Linux Heap TCache Poisoning

Linux Heap glibc 2.27 Double Free Exploitation