Attacks on the TCMalloc Heap Allocator

Introduction

TCMalloc is a well known heap allocator. It is written by Google. A number of attacks against tcmalloc are possible. A good presentation on tcmalloc was given in 2011, https://downloads.immunityinc.com/infiltrate-archives/webkit_heap.pdf

In this blog post, I'll give examples of 3 attacks, some of which are not well known.

Freelist Poisoning

In the following code, we make tc_malloc return an arbitrary pointer. This is another variant of freelist poisoning, which I have talked about at great length. For freelist poisoning details on other allocators, see:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html 


Double Free

In the following attack that exploits a double free in tcmalloc, we convert the double free into freelist poisoning and thus are able to obtain an arbitrary write primitive. I've talked about this attack before on other allocators. For example:

https://blog.infosectcbr.com.au/2019/07/linux-heap-glibc-227-double-free.html 
https://blog.infosectcbr.com.au/2019/08/linux-heap-fast-bin-double-free.html 
https://blog.infosectcbr.com.au/2019/09/linux-heap-glibc-tcache-double-free.html 


The code above takes advantage that a cycle has formed in the freelist. Thus, a malloc returns a buffer, but that buffer is start of the freelist. Thus, freelist poisoning can happen on the allocated buffer.

Overlapping Chunks

The final attack we'll look at in tcmalloc is creating overlapping chunks via a free of an arbitrary pointer. This attack is different to the house of spirit. Since tcmalloc is a bucket-style allocator, when a pointer is freed, it has to belong to a bucket. TCMalloc doesn't check for pointer alignment to that bucket's object before putting the pointer on the freelist. Thus, a non-aligned object pointer is in the freelist and is returned for that bucket of the appropriate object size. The pointer is unaligned but still services the object size, and thus overlaps the adjacent chunk.




Conclusion

In this blog post, I gave examples of 3 attacks against tcmalloc. These attacks can lead to a variety of exploitation primitives such as arbitrary writes to memory and overlapping chunks. They serve as useful tools in the exploit developers toolkit.

If you are interested in exploitation, consider InfoSect's 2, 3, and 5-day training on Heap Exploitation https://www.eventbrite.com.au/e/linux-heap-exploitation-tickets-48997946176

 

 

Popular posts from this blog

Empowering Women in Cybersecurity: InfoSect's 2024 Training Initiative

 InfoSect has always been committed to fostering diversity and inclusion within the cybersecurity industry, with a special focus on encouraging those who identify as women to excel in the technical streams. We're excited to announce that in 2024, we're taking our commitment to the next level. Following the resounding success of our 2022 initiative, we are proud to double our efforts and expand our training opportunities for women in cybersecurity. HackerChix: Uniting Women in Cybersecurity In 2017, InfoSect introduced HackerChix, a vibrant community that provides a platform for women to connect, support, and inspire one another in the world of cybersecurity. This initiative has been a constant presence at BSides Canberra every year.   Doubling Down on Education To empower more women with the knowledge and skills needed to excel in cybersecurity, InfoSect is thrilled to announce a significant expansion of its training offerings in 2024. Thanks to the generous sponsorshi
Read more

C++ Memory Corruption (std::string) - part 4

  Summary This is the next part of the C++ memory corruption series*. In this post, we'll look at corrupting the std:string object in Linux and see what exploitation primitives we can gain. * https://blog.infosectcbr.com.au/2020/08/c-memory-corruption-part-1.html * https://blog.infosectcbr.com.au/2022/01/c-memory-corruption-stdvector-part-2.html  *  https://blog.infosectcbr.com.au/2022/03/c-memory-corruption-stdlist-part-3.html Author: Dr Silvio Cesare Introduction C++ is a common language for memory corruption. However, there is much more literature on exploiting C programs and little on C++ programs. C++ presents new classes, objects, and data structures which can all be effectively used for building exploitation primitives. In this post, we'll look at corrupting the std::string class and see what specific primitives we can obtain. std::string We note that the object stored in memory for a basic string consists firstly of the backing pointer to the string contents. Se
Read more

C++ Memory Corruption (std::vector) - part 2

Summary This is the 2nd part of the C++ memory corruption series*. In this post, we'll look at corrupting the std::vector class in Linux and see what exploitation primitives we can gain. We'll see that we can build arbitrary read/write primitives. * https://blog.infosectcbr.com.au/2020/08/c-memory-corruption-part-1.html   Author: Dr Silvio Cesare Introduction C++ is a common language for memory corruption. However, there is much more literature on exploiting C and not C++ programs. C++ presents new classes, objects, and data structures which can all be effectively used for building exploitation primitives.  In this post, we'll look at the std::vector class and see what specific primitives we can obtain.  Let's start by looking at /usr/include/c++/bits/stl_vector.h namespace std _GLIBCXX_VISIBILITY ( default ) { _GLIBCXX_BEGIN_NAMESPACE_VERSION _GLIBCXX_BEGIN_NAMESPACE_CONTAINER /// See bits/stl_deque.h's _Deque_base for an explanation. template < typename
Read more