Diet LIBC House of Spirit

In this paper, I introduce the reader to a heap metadata corruption against the latest version of diet libc. This allocator is used in embedded systems. In the House of Spirit, an attacker passes a pointer to a fake chunk header to the free API. This chunk can be of almost arbitrary size. The allocator will subsequently insert this fake chunk into the global freelist. The next malloc of the appropriate size will return the fake chunk which may overlap data that may be of benefit to the attacker.

Diet LIBC House of Spirit.PDF

Comments

Post a comment

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Image
Dr Silvio Cesare @silviocesare Summary PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application-logic to develop an arbitrary write primitive. Introduction In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer. I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to. https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html https://blog.infos
Read more

Linux Kernel Stack Smashing

Dr Silvio Cesare @silviocesare   Summary In this blog post I’ll discuss how to exploit the Linux kernel via a stack smashing attack. I’ll be attacking the latest kernel version. I’ll also introduce a vulnerable device driver that I wrote so that I can focus on the exploitation development and not the vulnerability research.  A number of mitigations were introduced in recent years, such as Kernel Page Table Isolation and control register pinning, which makes some previous techniques obsolete. Techniques like ret2usr no longer work. But regardless, I am able to privesc and gain a rootshell. An overview of the attack The attack can be split up into a number of stages: ·         Defeat KASLR ·         Leak the stack canary ·         Stack smash and overwrite the canary and return address to trigger a ROP chain ·         ROP to change the current creds to UID 0 ·         ROP into the code that returns from a system call and continues execution i
Read more

Pointer Compression in V8

Image
Syed Faraz Abrar @farazsth98   Summary In this blog post, I will provide some details on how the Chromium developers implemented pointer compression in V8. I will also talk about what this means from an exploit development perspective. Introduction I’ve been an intern at InfoSect for the past couple of weeks now, and in this time, I’ve had to do a bunch of security related research into both V8 and Spidermonkey. One of the things that I spent a short amount of my time on was pointer compression in V8. I hadn’t heard of the term at all until Bruno Keith ( @bkth_ ) mentioned it on twitter some time in December last year. The V8 developers also made a blog post to celebrate V8 v8.0 where they mentioned that implementing pointer compression had allowed them to save up to 40% in usage of heap memory! That’s a big improvement, so let’s take a look at what pointer compression is and what it means from an exploit developer’s perspective. Disclaimer This is not intended to
Read more