Full Disclosure mailing list archives

Re: new email; gw22067 () hotmail com | Double-free segfault bypass


From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 6 Apr 2018 18:18:13 -0700

[Redirecting back onto fulldisclosure]

It’s still not clear to me what vulnerability you’re describing. You do two mmaps and, when later double freeing 
memory, don’t get a segfault. But double freeing is already an (often exploitable) bug. If this is really a 
vulnerability, please describe a realistic exploit that your PoC is emulating and the impact (is this Linux only? What 
libc/kernel versions? Have you reported this to a maintainer or linux-kernel@vger?) of this issue.

On Apr 5, 2018, at 11:40, keliikoa kirland <keliikoakirland () gmail com> wrote:

Hey I'm back ;PpPpP
It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212

      /*
       * Check against rlimit here. If this check is done later after the test
       * of oldbrk with newbrk then it can escape the test and let the data
       * segment grow beyond its set limit the in case where the limit is
       * not page aligned -Ram Gupta
       */
      if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
                            mm->end_data, mm->start_data))
              goto out;

      newbrk = PAGE_ALIGN(brk);
      oldbrk = PAGE_ALIGN(mm->brk);
      if (oldbrk == newbrk)
              goto set_brk;


albeit.

On 27 March 2018 at 12:06, Matthew Fernandez <matthew.fernandez () gmail com> wrote:
Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating 
that a program can corrupt its own heap, which it can already do in numerous other ways.

On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland () gmail com> wrote:

Tested on: Ubuntu 14.04.5 LTS
Version: 4.04

On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland () gmail com> wrote:

Details from old email:
=========================================
"Double-Free bypass PoC is self-explanatory as well; 2 frees equate to a
double-free heap corruption segfault; using mmap() disables that segfault
and allows more than 1 free on any malloc'd/mmap'd variable. You can free
`x` 4+ times and it'll still exit cleanly. brk() has already been patched;
which is why I put // 1day next to it; same misalignment/technique to
mmap() which is still vuln/can be abused to write use-after-frees without
having the need to bypass heap corruption segfaults."  brk() was equal to
mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
now just mmap() --> free() --> free()

PoC:
=========================================
joe@ubuntu:~$ cat test1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

int main(void){
   /* one anonymous shared page; without MAP_FIXED, 0x1000 is only a hint */
   void *p = mmap((void *)0x1000, 4096, PROT_READ | PROT_WRITE,
                  MAP_SHARED | MAP_ANONYMOUS, 0, 0);

   /* the mapping's address is passed to malloc() as the request size */
   void *z = malloc((size_t)p);
   free(z);
   free(z);
   return 0;
}

joe@ubuntu:~$ ./test1
*** Error in `./test1': double free or corruption (top): 0x08332008 ***
Aborted (core dumped)

joe@ubuntu:~$ cat test1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

int main(void){
   /* two anonymous shared pages; the hint addresses are only hints */
   void *p = mmap((void *)0x1000, 4096, PROT_READ | PROT_WRITE,
                  MAP_SHARED | MAP_ANONYMOUS, 0, 0);
   p = mmap((void *)0x2000, 4096, PROT_READ | PROT_WRITE,
            MAP_SHARED | MAP_ANONYMOUS, 0, 0);

   /* the second mapping's address is passed to malloc() as the request size */
   void *z = malloc((size_t)p);
   free(z);
   free(z);
   return 0;
}

joe@ubuntu:~$ ./test1
joe@ubuntu:~$ bl1ng bl1ng n1gg4z ;PppPpP

References/Credits/Greetz:
=========================================
ac1db1tch3z koa
https://github.com/x0r1
http://steamcommunity.com/profiles/76561198333157214/



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

