Diet LIBC House of Spirit

In this paper, I introduce the reader to a heap metadata corruption against the latest version of diet libc. This allocator is used in embedded systems. In the House of Spirit, an attacker passes a pointer to a fake chunk header to the free API. This chunk can be of almost arbitrary size. The allocator will subsequently insert this fake chunk into the global freelist. The next malloc of the appropriate size will return the fake chunk which may overlap data that may be of benefit to the attacker.

Diet LIBC House of Spirit.PDF

Comments

Post a Comment

Popular posts from this blog

Linux Heap TCache Poisoning

Linux Heap TCache Poisoning In this paper, I introduce the reader to a heap metadata corruption against the current Linux Heap Allocator, ptmalloc. The attack is performed via corrupting, or poisoning the tcache such that malloc returns an arbitrary pointer. This may allow for control flow hijacking if malloc returns a pointer to a function pointer and an attacker is able to write to that malloc returned buffer. TCache poisoning is possible from heap corruption including buffer overflows and Use-After-Frees.

Linux Heap TCache Poisoning.PDF
Read more

Linux Heap glibc 2.27 Double Free Exploitation

In this paper, I introduce the reader to a heap metadata corruption against the glibc 2.27 Linux Heap Allocator, ptmalloc. This attack is mitigated in the most recent 2.29 glibc. An attacker that forces the application to perform a double free can manipulate it to make malloc return an arbitrary pointer. This is achieved, by having malloc return a chunk of memory whilst still remaining in the tcache freelist. The attacker is then able to manipulate this memory to perform tcache poisoning and force malloc to return an arbitrary pointer. This is a powerful primitive, and with appropriate application logic is equivalent of a write-what-where.

Linux Heap glibc 2.27 Double Free Exploitation.PDF

Read more