Attacks on the TCMalloc Heap Allocator

Introduction

TCMalloc is a well-known heap allocator written by Google. A number of attacks against tcmalloc are possible. A good presentation on tcmalloc was given in 2011: https://downloads.immunityinc.com/infiltrate-archives/webkit_heap.pdf

In this blog post, I'll give examples of 3 attacks, some of which are not well known.

Freelist Poisoning

In the following code, we make tc_malloc return an arbitrary pointer. This is another variant of freelist poisoning, which I have talked about at great length. For freelist poisoning details on other allocators, see:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html 


Double Free

In the following attack that exploits a double free in tcmalloc, we convert the double free into freelist poisoning and thus are able to obtain an arbitrary write primitive. I've talked about this attack before on other allocators. For example:

https://blog.infosectcbr.com.au/2019/07/linux-heap-glibc-227-double-free.html 
https://blog.infosectcbr.com.au/2019/08/linux-heap-fast-bin-double-free.html 
https://blog.infosectcbr.com.au/2019/09/linux-heap-glibc-tcache-double-free.html 


The code above takes advantage of the fact that a cycle has formed in the freelist. Thus, a malloc returns a buffer, but that buffer is also the start of the freelist. Freelist poisoning can therefore be performed through the allocated buffer.

Overlapping Chunks

The final attack we'll look at in tcmalloc is creating overlapping chunks via a free of an arbitrary pointer. This attack is different from the House of Spirit. Since tcmalloc is a bucket-style allocator, a pointer that is freed has to belong to a bucket. TCMalloc doesn't check that the pointer is aligned to an object boundary in that bucket before putting it on the freelist. Thus, a non-aligned pointer ends up on the freelist and is later returned for that bucket's object size. The returned pointer is unaligned but still services the full object size, and thus overlaps the adjacent chunk.
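The missing alignment check described above, as an added example that is not code from the original post or from tcmalloc: a toy fixed-size bucket whose hardened free rejects pointers that are outside the span or not on an object boundary. All names (`bucket_t`, `bucket_free_checked`, `overlap_bytes`) and the 32-byte object size are assumptions made for illustration.

```c
/* Toy fixed-size bucket (hypothetical names; not tcmalloc's code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE  32u   /* assumed object size of this bucket */
#define OBJ_COUNT 8u

typedef struct {
    void *freelist;                            /* head of singly linked freelist */
    unsigned char span[OBJ_SIZE * OBJ_COUNT];  /* memory backing the bucket */
} bucket_t;

/* Push p with no validation: the behaviour the text describes. */
static void bucket_free_unchecked(bucket_t *b, void *p) {
    memcpy(p, &b->freelist, sizeof(void *));   /* next pointer lives in the freed object */
    b->freelist = p;
}

/* Hardened free: accept only pointers on an object boundary inside the span. */
static int bucket_free_checked(bucket_t *b, void *p) {
    uintptr_t base = (uintptr_t)b->span, addr = (uintptr_t)p;
    if (addr < base || addr >= base + sizeof b->span) return -1;  /* foreign pointer */
    if ((addr - base) % OBJ_SIZE != 0) return -1;                 /* mid-object pointer */
    bucket_free_unchecked(b, p);
    return 0;
}

static void *bucket_alloc(bucket_t *b) {
    void *p = b->freelist;
    if (p) memcpy(&b->freelist, p, sizeof(void *));  /* pop: head = head->next */
    return p;
}

/* Bytes of the chunk at p that fall into the next object slot (0 if aligned). */
static unsigned overlap_bytes(const bucket_t *b, const void *p) {
    return (unsigned)(((uintptr_t)p - (uintptr_t)b->span) % OBJ_SIZE);
}

int main(void) {
    bucket_t b = {0};
    void *mid = b.span + OBJ_SIZE + 16;          /* constructed: 16 bytes into slot 1 */
    printf("checked free of mid-object pointer: %d\n", bucket_free_checked(&b, mid));
    bucket_free_unchecked(&b, mid);
    void *q = bucket_alloc(&b);
    printf("unchecked free: alloc returns chunk overlapping next slot by %u bytes\n",
           overlap_bytes(&b, q));
    return 0;
}
```

The modulo test is the whole mitigation: an allocator that knows the span base and object size for a pointer can reject a mid-object free before it reaches the freelist.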




Conclusion

In this blog post, I gave examples of 3 attacks against tcmalloc. These attacks can lead to a variety of exploitation primitives such as arbitrary writes to memory and overlapping chunks. They serve as useful tools in the exploit developer's toolkit.

If you are interested in exploitation, consider InfoSect's 2, 3, and 5-day training on Heap Exploitation https://www.eventbrite.com.au/e/linux-heap-exploitation-tickets-48997946176

 

 
