In this
paper, I introduce the reader to a heap metadata corruption against the latest
version of newlib. This allocator is used in embedded systems. The unlink
attack on heaps was first introduced by Solar Designer in the year 2000 and was
the first generic heap exploitation technique made public. The same attack is possible
in modern day uClibc and the attack in newlib is almost identical. In the unlink
technique, an attacker corrupts the bk and fd pointers of a free chunk. In a
subsequent malloc that recycles this chunk, the chunk is unlinked from its
freelist via pointer manipulations. This inadvertently allows an attacker to
craft a write-what-where primitive and write what they want where they want in
memory. The unlink attack name stemmed from the fact that the unlink macro is
the code that performs the pointer manipulation to unlink the free chunk. This
macro is unchanged in newlib and is also called unlink.
Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland
Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...
-
InfoSect has always been committed to fostering diversity and inclusion within the cybersecurity industry, with a special focus on encourag...
-
Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor... -
Syed Faraz Abrar @farazsth98 Summary In this blog post, I will provide some details on how the Chromium developers implemente...
