Heap Exploitation in Chrome's PartitionAlloc - part 1

Dr Silvio Cesare
@silviocesare


Summary

PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application-logic to develop an arbitrary write primitive.

Introduction

In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer.

I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to.

https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
https://blog.infosectcbr.com.au/2019/12/freelist-heap-exploitation-on-docker.html
https://blog.infosectcbr.com.au/2019/12/attacks-on-tcmalloc-heap-allocator.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/11/diet-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html 

ParitionAlloc Freelist Poisoning

PartitionAlloc, like many allocators, maintains freelists. It keeps the pointers used in these freelist in the payload area of a free chunk of memory. The main difference between this approach and the typical freelist implementation, is that PartitionAlloc stores the pointer in big endian format on x86 or other little endian architectures, and as a bitwise complement on big endian architectures. Here is the code:

ALWAYS_INLINE PartitionFreelistEntry* partitionFreelistMask(PartitionFreelistEntry* ptr)
{
    // We use bswap on little endian as a fast mask for two reasons:
    // 1) If an object is freed and its vtable used where the attacker doesn't
    // get the chance to run allocations between the free and use, the vtable
    // dereference is likely to fault.
    // 2) If the attacker has a linear buffer overflow and elects to try and
    // corrupt a freelist pointer, partial pointer overwrite attacks are
    // thwarted.
    // For big endian, similar guarantees are arrived at with a negation.
#if CPU(BIG_ENDIAN)
    uintptr_t masked = ~reinterpret_cast<uintptr_t>(ptr);
#else
    uintptr_t masked = bswapuintptrt(reinterpret_cast<uintptr_t>(ptr));
#endif
    return reinterpret_cast<PartitionFreelistEntry*>(masked);
}

The inline comment describes this "mitigation". It can prevent trivial off-by-1's and the like. However, if an attacker is able to overwrite the entire freelist pointer, then they can simply apply the correct transformation of the pointer.

I have moved ParitionAlloc out of Chrome and made it a standalone library for ease of testing. Here is an example of the freelist poisoning attack using this library.


And when we run that, we are able to gain an arbitrary write to foo and change it to 0x41414141424242. The attack works.

Conclusion

In this blog post, I demonstrated the classic freelist poisoning attack against PartitionAlloc. This allocator has a number of mitigations and hardening strategies. However, attacks still exist. In future blog posts I will talk about other attacks against this allocator.

Comments

  1. The Assignment House10 April 2020 at 00:04

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. Online Assignment Help24 April 2020 at 04:54

    This comment has been removed by a blog administrator.

    ReplyDelete
  3. Max Willor30 April 2020 at 00:18

    This comment has been removed by a blog administrator.

    ReplyDelete
  4. mariamith30 April 2020 at 00:28

    Anyone can attempt writing on your behalf, however, the question is would you pay someone to do it for you without checking their credibility? Our firm has established itself as the most trustworthy assignment help firm in Australia and globally. Join these thousands of students and achieve high distinction in each and every one of your college tasks. This is the main reason why most students search for online assignment help over the internet and choose only the most proficient and trusted academic writing experts. So, if you are searching for quality assignment help usa you can find it right here from the local experts.

    ReplyDelete
  5. meldaresearch18 May 2020 at 03:37

    The ultimate goal of e-commerce assignment writing services is to provide E-commerce Essay Writing Services and e-commerce research paper services since most business assignment writing service students lack time to complete their custom e-commerce homework writing services.

    ReplyDelete
  6. meldaresearch18 May 2020 at 03:56

    It is important for cultural studies coursework writing service students to seek Cultural Studies Writing Services from a reputable cultural studies assignment writing service provider for their cultural studies research paper services.

    ReplyDelete
  7. get assignment help online18 May 2020 at 04:17

    Worried about the assignment which should be submitted within the deadline ? Pondering employing somebody who can finish it? Get Assignment Help Online can assist you with your Assignment Help . getassignmenthelponline.com Assignment Help recognizable assignment help service providers in the industry who is known for helping quantities of understudies in their schoolwork and assignments.
    Programming Assignment Help
    programming language assignment help
    best programming assignment help website
    online programming assignment help

    ReplyDelete
  8. Term Paper Writing Services25 June 2020 at 21:17

    Professional History Research Paper Services is very popular for students in search for history essay writing help services and history assignment writing services.

    ReplyDelete
  9. Term Paper Writing Services25 June 2020 at 21:18

    There are many Online Coursework writing services and Help with Coursework Writing services to choose from for those stuck with their psychology coursework writing services and nursing coursework writing help services.

    ReplyDelete
  10. The Assignment House14 September 2020 at 01:54

    Excellent information on your Article, thank you for taking the time to share with us such a nice article. Amazing insight you have on this, it's nice to find a website that details so much information.
    assignment help 4 me online
    paper check
    order essay writing

    ReplyDelete
  11. Me Baqer15 September 2020 at 01:49

    These are some of the most top qualified academicians with most of them having a Ph.D. degree and remaining having a master’s and Ph.D. degree in their respective fields.
    cheap assignments online

    ReplyDelete
  12. Maria Wilson18 September 2020 at 02:36

    I suggest all members choose assignment help Australia for the best guideline in your academia. The perfect and expert assistant your requirement and learning assignment project by the university.
    business law case study writer online
    help for case  study assignment
    help with Matlab assignment

    ReplyDelete

Post a comment

Popular posts from this blog

Linux Kernel Stack Smashing

Dr Silvio Cesare @silviocesare   Summary In this blog post I’ll discuss how to exploit the Linux kernel via a stack smashing attack. I’ll be attacking the latest kernel version. I’ll also introduce a vulnerable device driver that I wrote so that I can focus on the exploitation development and not the vulnerability research.  A number of mitigations were introduced in recent years, such as Kernel Page Table Isolation and control register pinning, which makes some previous techniques obsolete. Techniques like ret2usr no longer work. But regardless, I am able to privesc and gain a rootshell. An overview of the attack The attack can be split up into a number of stages: ·         Defeat KASLR ·         Leak the stack canary ·         Stack smash and overwrite the canary and return address to trigger a ROP chain ·         ROP to change the current creds to UID 0 ·         ROP into the code that returns from a system call and continues execution i
Read more

Pointer Compression in V8

Image
Syed Faraz Abrar @farazsth98   Summary In this blog post, I will provide some details on how the Chromium developers implemented pointer compression in V8. I will also talk about what this means from an exploit development perspective. Introduction I’ve been an intern at InfoSect for the past couple of weeks now, and in this time, I’ve had to do a bunch of security related research into both V8 and Spidermonkey. One of the things that I spent a short amount of my time on was pointer compression in V8. I hadn’t heard of the term at all until Bruno Keith ( @bkth_ ) mentioned it on twitter some time in December last year. The V8 developers also made a blog post to celebrate V8 v8.0 where they mentioned that implementing pointer compression had allowed them to save up to 40% in usage of heap memory! That’s a big improvement, so let’s take a look at what pointer compression is and what it means from an exploit developer’s perspective. Disclaimer This is not intended to
Read more