Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2020-8625: A Fifteen-Year-Old RCE Bug Returns in ISC BIND Server- 407

Lucas Leong - ZDI, posted 5 years ago
  • All the way back in 2006, a vulnerability was found in the Apache module mod_auth_kerb. The ISC BIND server (the most popular DNS server on the internet) shared the vulnerable code in its SPNEGO component, but the patch was never ported to BIND.
  • At the beginning of the function, a heap buffer is allocated with one slot per input byte. The first input byte is then split into two components (indices 0 and 1), but the length variable (really a count of bytes remaining) is decremented only once. Because of this off-by-one, an input whose every later byte encodes a single component stores one element too many, a 4-byte heap buffer overflow just past the end of the allocation.
  • The article describes how this could be exploited against glibc 2.27. Heap grooming is quite easy, because we control the number of iterations of the decoding loop and can free chunks at will.
  • To get an arbitrary write, the following is done:
    • Use the buffer overflow to overwrite the chunk size of the next chunk.
    • Allocate and free the corrupted chunk on the next request. Its forged size lands it in a different tcache bin, so we now have a live chunk overlapping a free tcache chunk.
    • Overwrite the 'fd' pointer of the free tcache chunk with an arbitrary address. Once that chunk is handed out by malloc, the next write lands at any location we want.
  • Because BIND is built with the standard Linux mitigations enabled, they have to be defeated first. The author describes a potential way to get an address leak via a tcache dup technique, but it was unsuccessful: malloc would eventually abort, crashing the process, and the restarted process comes back with a freshly randomised layout.
  • This article rediscovers a 14-year-old bug in a popular piece of software. This makes me wonder if there are other dependency issues in popular open source software that were never patched; the answer is probably yes!
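
As an added example (not code from the ZDI post, BIND or mod_auth_kerb), the following C program reconstructs the control flow of der_get_oid(), the DER object-identifier decoder the two projects shared, so the off-by-one from the notes above can be counted rather than triggered: every store goes through a small bounds-recording helper instead of raw heap memory. The input bytes are constructed here (the SPNEGO OID 1.3.6.1.5.5.2 and the rsadsi arc 1.2.840.113549), and the `len + 1` allocation is the one-slot-larger array that corrects the bug.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not code from the ZDI write-up or from BIND: a reconstruction
 * of the der_get_oid() control flow.  Stores go through put(), which records
 * out-of-bounds writes instead of corrupting the heap.
 */
struct oid_buf {
    unsigned *components;
    size_t    cap;       /* elements actually allocated */
    size_t    past_end;  /* stores the real code would have made out of bounds */
};

static void put(struct oid_buf *b, size_t idx, unsigned v)
{
    if (idx < b->cap)
        b->components[idx] = v;
    else
        b->past_end++;   /* in the real code: a 4-byte heap overflow */
}

/* Allocation policies: the buggy one and the corrected one. */
static size_t vulnerable_alloc(size_t len) { return len; }      /* one slot per byte */
static size_t fixed_alloc(size_t len)      { return len + 1; }  /* first byte yields two */

/*
 * Decode the `len` content bytes of a DER OBJECT IDENTIFIER at `p`, sizing the
 * component array with `alloc`.  Returns the number of components produced and,
 * if `past_end` is non-NULL, how many of them fell outside the allocation.
 */
static size_t der_get_oid_sim(const unsigned char *p, size_t len,
                              size_t (*alloc)(size_t), size_t *past_end)
{
    struct oid_buf b = { NULL, 0, 0 };
    size_t n;

    if (past_end) *past_end = 0;
    if (len == 0) return 0;

    b.cap = alloc(len);
    b.components = calloc(b.cap, sizeof *b.components);
    if (!b.components) return 0;

    /* The first byte packs two components ... */
    put(&b, 0, p[0] / 40);
    put(&b, 1, p[0] % 40);
    /* ... but the remaining-length counter is decremented only once. */
    --len;
    ++p;

    /* Each base-128 group (continuation bit 0x80) yields one more component. */
    for (n = 2; len > 0; ++n) {
        unsigned u = 0;
        do {
            --len;
            u = u * 128 + (*p++ % 128);
        } while (len > 0 && (p[-1] & 0x80));
        put(&b, n, u);
    }

    if (past_end) *past_end = b.past_end;
    free(b.components);
    return n;
}

/* Convenience wrapper: number of out-of-bounds stores for a given input/policy. */
static size_t past_end_writes(const unsigned char *p, size_t len,
                              size_t (*alloc)(size_t))
{
    size_t past;
    der_get_oid_sim(p, len, alloc, &past);
    return past;
}

/* Constructed inputs: SPNEGO 1.3.6.1.5.5.2 (every byte a one-byte component,
 * the worst case) and rsadsi 1.2.840.113549 (multi-byte components, harmless). */
static const unsigned char SPNEGO_OID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const unsigned char RSADSI_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d };

int main(void)
{
    size_t past, n;

    n = der_get_oid_sim(SPNEGO_OID, sizeof SPNEGO_OID, vulnerable_alloc, &past);
    printf("vulnerable, SPNEGO: %zu components into %zu slots, %zu past end\n",
           n, vulnerable_alloc(sizeof SPNEGO_OID), past);
    n = der_get_oid_sim(SPNEGO_OID, sizeof SPNEGO_OID, fixed_alloc, &past);
    printf("fixed,      SPNEGO: %zu components into %zu slots, %zu past end\n",
           n, fixed_alloc(sizeof SPNEGO_OID), past);
    n = der_get_oid_sim(RSADSI_OID, sizeof RSADSI_OID, vulnerable_alloc, &past);
    printf("vulnerable, rsadsi: %zu components into %zu slots, %zu past end\n",
           n, vulnerable_alloc(sizeof RSADSI_OID), past);
    return 0;
}
```

The worst case is an input in which every byte after the first encodes a complete component: `len` bytes then produce `len + 1` components, and the final store lands one `unsigned` (4 bytes) past the allocation, which is the write the exploitation steps above use to corrupt the next chunk's size field. An OID with multi-byte components (the rsadsi arc) never fills the array, which is why the bug survived so long in ordinary traffic.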