Diet LIBC Freelist Poisoning

In this paper, I introduce the reader to a heap metadata corruption against the latest version of diet libc. This allocator is used in embedded systems. In freelist poisoning, an attacker corrupts the chunk header of a free chunk. This chunk’s next pointer is modified to point to an arbitrary address. The allocator, in a subsequent malloc, will return this arbitrary pointer. In conjunction with program application logic, an arbitrary write may be achievable.

Diet LIBC Freelist Poisoning.PDF


Popular posts from this blog

Linux Kernel Stack Smashing

Sudoedit heap overflow

Pointer Compression in V8