Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploiting an Envoy Heap Vulnerability

by Harvey Tuch
  • Envoy is an open-source edge and service proxy (originally built at Lyft, now a CNCF project) that is widely used in service meshes. It is written in C++, so memory-safety bugs are possible, but the project leans hard on defences against them: continuous fuzzing, roughly 97% test coverage, and test runs under AddressSanitizer (ASan).
  • This vulnerability was first found by the project's fuzzers running under ClusterFuzz. It is a fairly straightforward heap buffer overflow, and the bug itself lives in the code path that proxies an HTTP/2 request to an HTTP/1.1 backend.
  • Envoy uses tcmalloc as its heap allocator. While grooming the heap, the author found a layout in which the overflow reaches an object holding a vtable pointer (perfect!). However, the overflowing bytes come from an HTTP/2 request, and only printable ASCII survives that layer, which rules out writing an arbitrary pointer value.
  • Because of that constraint, the plan changed from hijacking control flow to tampering with the proxy's own state: use the overflow to change where the request ends after the request has already been validated. With the right heap grooming, that turns the bug into a proxy bypass rather than just a crash.
  • At the end of the article, the author lists mitigations for this class of bug in general:
    • Using Scudo as the heap allocator, since it is a hardened allocator with additional protections against heap overflows
    • Removing all uses of raw memcpy from the code base in favour of bounds-checked copies
  • Overall, it was a wonderful article that helped me move away from the five-option C programs of pwn challenges.
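An added example of the bug shape and its mitigation (my own illustration, not Envoy's code and not Harvey Tuch's proof of concept): a constructed "heap" of adjacent fixed-size chunks, an unchecked request-line builder that spills a long :path into the neighbouring chunk using printable bytes only, and the bounded builder that refuses the request instead. The chunk size, the `/public/index.html` routed value, the `/admin/secret` path and all function names are made up for the demo; tcmalloc's real layout and Envoy's real data structures are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for two adjacent heap chunks, as a groomed tcmalloc size
 * class might place them: chunk 0 is where the HTTP/1.1 request line is built,
 * chunk 1 holds a value the router already validated. The allocator itself is
 * not modelled; one array keeps the spill inside a single C object so the demo
 * is well-defined, whereas on a real heap it is plain memory corruption. */
#define CHUNK 32
#define ARENA (3 * CHUNK)   /* spare chunk so the demo never runs off the array */

/* Mirrors the constraint in the notes: only printable ASCII reaches the copy,
 * so an attacker can spill text into the neighbour but not raw pointer bytes. */
static int path_is_printable_ascii(const char *path) {
    for (; *path; path++) {
        unsigned char c = (unsigned char)*path;
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* Vulnerable shape (hypothetical, not Envoy's code): the caller assumes the
 * request line fits in CHUNK bytes and copies without checking, so a long :path
 * runs straight into chunk 1. Returns the number of bytes written. */
static size_t build_request_line_unchecked(char *chunk0, const char *method, const char *path) {
    size_t off = 0, n;
    n = strlen(method); memcpy(chunk0 + off, method, n); off += n;
    chunk0[off++] = ' ';
    n = strlen(path);   memcpy(chunk0 + off, path, n);   off += n;   /* no bound check */
    memcpy(chunk0 + off, " HTTP/1.1\r\n", 11);           off += 11;
    return off;
}

/* Hardened shape: every write is bounded by the destination's capacity, and a
 * request that does not fit is rejected instead of truncated or spilled. */
static int build_request_line_checked(char *dst, size_t cap, const char *method,
                                      const char *path, size_t *out_len) {
    int n = snprintf(dst, cap, "%s %s HTTP/1.1\r\n", method, path);
    if (n < 0 || (size_t)n >= cap) return -1;
    *out_len = (size_t)n;
    return 0;
}

/* Runs the vulnerable builder against the constructed arena. Returns 1 if the
 * validated value in chunk 1 was altered (the post-validation tamper the notes
 * describe), 0 if it survived, -1 if the input is outside what the demo models.
 * The final contents of chunk 1 are copied to route_out for inspection. */
static int neighbor_tampered_unchecked(const char *path, char *route_out, size_t route_cap) {
    char arena[ARENA];
    char *chunk0 = arena, *chunk1 = arena + CHUNK;
    const char *validated = "/public/index.html";   /* made-up routed target */

    memset(arena, 0, sizeof arena);
    strcpy(chunk1, validated);
    if (!path_is_printable_ascii(path) || strlen(path) + 16 > ARENA) return -1;
    build_request_line_unchecked(chunk0, "GET", path);
    snprintf(route_out, route_cap, "%s", chunk1);
    return strcmp(chunk1, validated) != 0;
}

int main(void) {
    /* Attacker-chosen :path (constructed): 28 filler bytes reach the end of
     * chunk 0, so "/admin/secret" lands exactly at the start of chunk 1. */
    const char *evil = "/public/aaaaaaaaaaaaaaaaaaaa/admin/secret";
    char route[CHUNK], line[CHUNK];
    size_t len;

    printf("benign path tampered neighbour: %d\n",
           neighbor_tampered_unchecked("/index.html", route, sizeof route));
    printf("evil path tampered neighbour:   %d (chunk 1 now starts %.13s)\n",
           neighbor_tampered_unchecked(evil, route, sizeof route), route);
    printf("checked builder, benign: %d\n",
           build_request_line_checked(line, sizeof line, "GET", "/index.html", &len));
    printf("checked builder, evil:   %d\n",
           build_request_line_checked(line, sizeof line, "GET", evil, &len));
    return 0;
}
```

The point of the two builders is the second mitigation from the article: the unchecked version is the memcpy pattern the author wants gone, and the checked version is what a bounds-aware replacement looks like. Note that the spilled bytes in the demo are all printable, so they can rewrite a routed string the proxy already trusted, but they could never have formed a valid pointer.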