Newlib Unlink Heap Exploitation


In this paper, I introduce the reader to a heap metadata corruption against the latest version of newlib. This allocator is used in embedded systems. The unlink attack on heaps was first introduced by Solar Designer in the year 2000 and was the first generic heap exploitation technique made public. The same attack is possible in modern day uClibc and the attack in newlib is almost identical. In the unlink technique, an attacker corrupts the bk and fd pointers of a free chunk. In a subsequent malloc that recycles this chunk, the chunk is unlinked from its freelist via pointer manipulations. This inadvertently allows an attacker to craft a write-what-where primitive and write what they want where they want in memory. The unlink attack name stemmed from the fact that the unlink macro is the code that performs the pointer manipulation to unlink the free chunk. This macro is unchanged in newlib and is also called unlink.

Comments

  1. I've read the book and really enjoyed Google it.

    ReplyDelete
  2. Excellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well. I wanted to thank you for this websites! Thanks for sharing. Goassignmenthelp is the world's leading provider of assignment help. We have an exclusive services for assignment help Australia for students. Goassignmenthelp began its online assignment help online academic services college essay writing service with the desire to serve students struggling in almost any subject with the support assignment help in sydney of our professional assignment experts. Each of these academic writers possesses online apa referencing extensive knowledge and expertise.

    ReplyDelete

Post a Comment

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Linux Kernel Stack Smashing

Sudoedit heap overflow