Glibc Adventures: The Forgotten Chunks

This white paper showcases the exploitation of heap overflows on Linux systems, which is often considered hard or impossible with current state-of-the-art mitigation technologies in place.

Recent work from Google Project Zero demonstrates that corrupting heap structures with a single NUL byte can still lead to local arbitrary code execution on 32-bit binaries. This paper presents several techniques that can be used to exploit limited heap overflows in the general case, i.e. independently of the architecture and mitigation techniques in use, by forcing the allocator to produce overlapping chunks in applications where the user can predict and control the shape of heap areas. We apply this technique to a seemingly unexploitable heap overflow found in commercial software and demonstrate that, for the right applications, exploits bypassing all modern mitigation techniques such as ASLR, PIE or full RELRO can be constructed.
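To make the single-NUL-byte corruption mentioned above concrete, the following added example (not code from the paper or from glibc) models a 32-bit, little-endian glibc-style chunk layout in a constructed toy heap: it shows how a string terminator written one byte past an allocation lands on the low byte of the next chunk's size field, shrinking that chunk and clearing its PREV_INUSE flag, and it shows the consistency check a heap implementation can run to detect that header before the corrupted size is ever used. The chunk offsets, sizes and helper names are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of a 32-bit glibc chunk header: [prev_size][size | flags][user data].
 * Bit 0 of size is PREV_INUSE; prev_size is only valid when the previous chunk is free.
 * Little-endian byte order is assumed, as on x86. */
#define PREV_INUSE 0x1u
#define SIZE_MASK  (~0x7u)
#define HEAP_LEN   0x800u

static uint8_t heap[HEAP_LEN];   /* constructed toy heap, zero-filled like fresh arena memory */

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, heap + off, 4); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(heap + off, &v, 4); }

/* Size of the chunk whose header starts at heap offset off, with flag bits stripped. */
static uint32_t chunksize(uint32_t off) { return rd32(off + 4) & SIZE_MASK; }

/* Lay out three in-use chunks A, B, C, then free B: freeing records B's size in
 * C's prev_size and clears C's PREV_INUSE flag, as the allocator would. */
static void build_heap(void)
{
    memset(heap, 0, sizeof heap);
    wr32(0x000 + 4, 0x108u | PREV_INUSE);   /* A: 0x108 bytes, in use */
    wr32(0x108 + 4, 0x208u | PREV_INUSE);   /* B: 0x208 bytes, in use */
    wr32(0x310 + 4, 0x100u | PREV_INUSE);   /* C: 0x100 bytes, in use */
    wr32(0x310, 0x208u);                    /* free(B): C.prev_size = size of B */
    wr32(0x310 + 4, 0x100u);                /* free(B): C.PREV_INUSE cleared   */
}

/* The off-by-one: A's user data ends at offset 0x108, so a copy that writes its
 * NUL terminator one byte too far overwrites the least significant byte of B's
 * size field. 0x209 becomes 0x200: B now looks 8 bytes shorter and its
 * PREV_INUSE bit is gone. */
static void overflow_nul_byte(void) { heap[0x108 + 4] = 0; }

/* Detection rule for a free chunk: the prev_size stored at the chunk that, according
 * to the size field, physically follows it must equal that size. A shrunk size
 * field points at a different location, whose prev_size does not match. */
static int free_chunk_consistent(uint32_t off)
{
    uint32_t sz = chunksize(off);
    if (sz < 8 || off + sz + 8 > HEAP_LEN) return 0;   /* size out of range */
    return rd32(off + sz) == sz;
}
```

Before the overflow the check passes for B; after the single NUL byte it fails, which is the point at which a hardened allocator should abort rather than trust the header.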