Posts

Showing posts from March, 2020

InfoSect Coronavirus (COVID-19) Announcement

InfoSect prides itself on providing high-quality, in-person training with low student numbers per class and specialised instruction from our trainers. However, with the current Coronavirus pandemic sweeping the world, we understand this is not feasible for the near to medium term. During this time InfoSect is planning to run live, interactive online training courses.

What does this mean for students? Students will be provided a link the day before training starts to log into a virtual classroom. The virtual classroom will include a live stream of Silvio teaching the course. Students will be able to ask questions and engage live with Silvio during the course. Lab guides will be provided in soft copy instead of hard copy. Hands-on labs will be facilitated remotely, with the same hands-on, interactive challenges. InfoSect swag will be posted following the course.

Requirements to attend: A place to study. An Internet connection. A laptop with a browser and capable of SSH. A m

Heap Exploitation in Chrome's PartitionAlloc - part 1

Dr Silvio Cesare @silviocesare

Summary

PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application logic to develop an arbitrary write primitive.

Introduction

In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer. I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to.

https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
https://blog.infos
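The freelist poisoning described above, as an added example that is not part of the original post and is not PartitionAlloc's or Chrome's code: a deliberately tiny C allocator with an inline singly linked freelist. Freeing a chunk stores the "next free" link inside the chunk itself; overwriting that link (standing in for a use-after-free write or an overflow from a neighbouring chunk) makes the second allocation after the overwrite return an attacker-chosen pointer, which application logic then writes through. A checked variant that refuses freelist entries outside the pool is included as a generic mitigation for the toy, not as a description of what PartitionAlloc does. All names (toy_alloc, toy_free, toy_alloc_checked, poison_freelist, victim) are invented here.

```c
/* Added example: toy allocator with an inline singly linked freelist, used to
 * show freelist poisoning. Not PartitionAlloc's code; all names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE  32
#define POOL_CHUNKS 8

/* The first word of a free chunk holds the link to the next free chunk.
 * This inline link is exactly the word an attacker overwrites. */
struct free_chunk { struct free_chunk *next; };

static uint8_t toy_pool[CHUNK_SIZE * POOL_CHUNKS];
static size_t toy_next_fresh;                /* index of next never-used chunk */
static struct free_chunk *toy_freelist_head;

static void toy_reset(void) {
    memset(toy_pool, 0, sizeof toy_pool);
    toy_next_fresh = 0;
    toy_freelist_head = NULL;
}

/* Pop the freelist head if there is one, otherwise carve a fresh chunk.
 * The "next" link read from the freed chunk is trusted without validation. */
static void *toy_alloc(void) {
    if (toy_freelist_head != NULL) {
        struct free_chunk *c = toy_freelist_head;
        toy_freelist_head = c->next;
        return c;
    }
    if (toy_next_fresh >= POOL_CHUNKS) return NULL;
    return &toy_pool[CHUNK_SIZE * toy_next_fresh++];
}

/* Push the chunk on the freelist, storing the link inside the chunk. */
static void toy_free(void *p) {
    struct free_chunk *c = p;
    c->next = toy_freelist_head;
    toy_freelist_head = c;
}

/* Hardened variant for the toy: refuse a freelist entry that is not a
 * chunk-aligned address inside the pool. A generic sanity check, not
 * PartitionAlloc's mitigation. */
static void *toy_alloc_checked(void) {
    if (toy_freelist_head != NULL) {
        uint8_t *c = (uint8_t *)toy_freelist_head;
        int in_pool = c >= toy_pool && c < toy_pool + sizeof toy_pool;
        if (!in_pool || ((c - toy_pool) % CHUNK_SIZE) != 0)
            return NULL;                          /* poisoned entry rejected */
        toy_freelist_head = ((struct free_chunk *)c)->next;
        return c;
    }
    if (toy_next_fresh >= POOL_CHUNKS) return NULL;
    return &toy_pool[CHUNK_SIZE * toy_next_fresh++];
}

/* Allocate, free, then overwrite the freed chunk's inline link with
 * fake_chunk. In a real target the overwrite comes from a bug; here it is
 * done directly. Afterwards the freelist reads: a -> fake_chunk. */
static void poison_freelist(void *fake_chunk) {
    toy_reset();
    void *a = toy_alloc();
    toy_free(a);                                   /* freelist: a -> NULL */
    memcpy(a, &fake_chunk, sizeof fake_chunk);     /* freelist: a -> fake */
}

/* Unhardened allocator: the second allocation after poisoning is the
 * attacker-chosen pointer. */
void *poisoned_second_alloc(void *fake_chunk) {
    poison_freelist(fake_chunk);
    (void)toy_alloc();            /* returns a; head is now fake_chunk */
    return toy_alloc();           /* returns fake_chunk */
}

/* Same sequence against the checked allocator: the fake entry is rejected. */
void *checked_second_alloc(void *fake_chunk) {
    poison_freelist(fake_chunk);
    (void)toy_alloc_checked();    /* returns a (valid); head is now fake_chunk */
    return toy_alloc_checked();   /* NULL when fake_chunk lies outside the pool */
}

/* Application logic writing into what it believes is a fresh chunk turns the
 * poisoned pointer into an arbitrary write; the target here is a global. */
char victim[CHUNK_SIZE] = "untouched";

int demo_arbitrary_write(void) {
    char *p = poisoned_second_alloc(victim);
    if (p == NULL) return 0;
    memcpy(p, "owned", 6);
    return strcmp(victim, "owned") == 0;
}

int main(void) {
    printf("poisoned freelist: %s\n",
           demo_arbitrary_write() ? "victim overwritten" : "no write");
    printf("checked allocator returns %p for the poisoned entry\n",
           checked_second_alloc(victim));
    return 0;
}
```

The toy makes the mechanics visible: the allocator never questions the link it pops, so whatever the corrupted word says becomes the next allocation. The bounds-and-alignment check in toy_alloc_checked is the simplest form of freelist sanity checking; real allocators differ in how, and whether, they validate this link, which is the property the post goes on to examine for PartitionAlloc.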