About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

House of IO - Bypass for GLibC 2.32 Mitigations- 224

awaraucomPosted 5 Years Ago
  • The mitigations being added to GLibC for single linked lists (tcache and fastbin) was quite substantial! It added pointer mangling to make overwriting the fd pointers much more difficult. In most cases, a heap memory leak or a terrible brute force must be done to bypass the protections.
  • TCache is the main focus of this bypass. To understand the bypass, the TCache must be understood. TCache has four fields:
    1. prev_size: Size of the previous chunk, if the previous chunk is not in use.
    2. size: Size of the current chunk, with the last 3 bits being used for metadata.
    3. fd: Ptr to the next chunk in the linked list.
    4. key: Double free protection. The value is set to the beginning of the TCache.
  • Finally, the TCache is actually stored on the heap. With the above knowledge, the exploits should make sense. There are two main arrays used for storage: count and pointers. The count array holds a list of the amount of items in each linked list. The pointers array is an index of head pointers to linked lists.
  • The article above explains a way to bypass the pointer mangling altogether though. The bin (head of the linked list) is not mangled. So, if we could alter the bin, it would be possible to bypass the pointer mangling.
  • First (the most obvious) way is to have a negative indexing bug that allows for the ability to write backwards in memory. By editing the two important fields (count and linked list head) it is possible to write the entry for the head of a tcache bin.
  • The second and third bypasses are all about abusing the key field of the TCache, which is a pointer to the beginning of the TCache. The requirement is that there is a use-after-free (UAF) on the chunk. Then, the second index (8 byte offset on 64-bit) stores a pointer.
  • If the second index is then dereferenced, it will be pointing to the TCache! With an offset to this pointer, we can write to the count array and the pointer array.
  • The third one is very similar. Instead of using the pointer to access the TCache, we could also free the pointer. Now, the very beginning of the TCache has been added as a valid chunk to a bin. When another chunk is allocated, then it will point to the beginning of the TCache, allowing for edits. This is similar to a House of Spirit attack.
  • This was an interesting bypass for the added mitigations! It requires a very specific set of criteria but may be useful :)

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed