Sunday, 8 December 2019

Freelist Heap Exploitation on Docker Alpine Linux Images

Introduction

In this blog post, I'll look at 2 attacks on Alpine Linux distributions, which is common with Docker images. Both attacks will use freelist poisoning against the heap allocator. The difference is that the first attack will look at uClibc's heap allocator which is present in earlier releases of Alpine, and the second attack will look at the current version of Alpine, which uses musl libc.

I have written at great length about freelist poisoning, as seen in:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/12/attacks-on-tcmalloc-heap-allocator.html

The main feature of freelist poisoning is that an attacker is able to make malloc return an arbitrary pointer. Combine with appropriate application logic, this can enable an arbitrary write to memory.

uClibc Freelist Poisoning

Here is freelist poisoning on uClibc.








Musl Freelist Poisoning

Here is freelist poisoning on the latest Alpine distribution, which uses musl libc. It is almost identical to the earlier freelist poisoning, with minor variations.


Conclusion

In this blog post I demonstrated 2 attacks on the heap allocators used in the Alpine Linux distribution. Other attacks are possible and will be examined in future posts.

If you are interested in exploitation, consider InfoSect's 2, 3, and 5-day training on Heap Exploitation https://www.eventbrite.com.au/e/linux-heap-exploitation-tickets-48997946176


Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland

Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...