Glibc Adventures: The Forgotten Chunks

28 Jan 2015

This white paper showcases the exploitation of heap overflows in Linux systems, often considered hard or impossible to exploit with current state-of-the-art mitigation technologies in place. 

Recent work from Google Project Zero demonstrates that corrupting heap structures with a single NUL byte can still lead to local arbitrary code execution on 32-bit binaries. This paper presents several techniques that can be used to exploit limited heap overflows in the general case, i.e. independently from the architecture and mitigation techniques in use, by forcing the allocator to produce overlapping chunks in applications where the user can predict and control the shape of heap areas. We apply this technique to a seemingly unexploitable heap overflow found in commercial software and demonstrate that for the right applications, exploits bypassing all modern mitigation techniques such as ASLR, PIR or full RELRO can be constructed. 

CHECK IT Health Check Service
CTAS - CESG Tailored Assurance Service
Cyber Essentials
CESG Certified Product
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326