Re: new email; gw22067 () hotmail com | Double-free segfault bypass

[Justin Ferguson <justin () asac co>]

Well, your PoC is sorta nonsense, you're calling malloc() with a
pointer parameter that /might/ be at 0x1000/0x2000.

It probably makes sense to ask yourself how traditional double free's
were exploited-- it depended upon the management of the linked lists
which will be absent in mmap backed memory.

I'd have to look at the munmap code again, but its likely that no
double free even occurs.



On Fri, Apr 6, 2018 at 9:18 PM, Matthew Fernandez
<matthew.fernandez () gmail com> wrote:
> [Redirecting back onto fulldisclosure]
>
> It’s still not clear to me what vulnerability you’re describing. You do two mmaps and, when later double freeing 
> memory, don’t get a segfault. But double freeing is already a (often exploitable) bug. If this is really a 
> vulnerability, please describe a realistic exploit that your PoC is emulating and the impact (is this Linux only? 
> What libc/kernel versions? Have you reported this to a maintainer or linux-kernel@vger?) of this issue.
>
> > On Apr 5, 2018, at 11:40, keliikoa kirland <keliikoakirland () gmail com> wrote:
> >
> > Hey I'm back ;PpPpP
> > It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212
> >
> >       /*
> >        * Check against rlimit here. If this check is done later after the test
> >        * of oldbrk with newbrk then it can escape the test and let the data
> >        * segment grow beyond its set limit the in case where the limit is
> >        * not page aligned -Ram Gupta
> >        */
> >       if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
> >                             mm->end_data, mm->start_data))
> >               goto out;
> >
> >       newbrk = PAGE_ALIGN(brk);
> >       oldbrk = PAGE_ALIGN(mm->brk);
> >       if (oldbrk == newbrk)
> >               goto set_brk;
> >
> >
> > albeit.
> >
> > On 27 March 2018 at 12:06, Matthew Fernandez <matthew.fernandez () gmail com> wrote:
> > Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating 
> > that a program can corrupt its own heap, which it can already do in numerous other ways.
> >
> > > On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland () gmail com> wrote:
> > >
> > > Tested on: Ubuntu 14.04.5 LTS
> > > Version: 4.04
> > >
> > > On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland () gmail com>
> > > wrote:
> > >
> > > > Details from old email:
> > > > =========================================
> > > > "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
> > > > double-free heap corruption segfault; using mmap() disables that segfault
> > > > and allows more than 1 free on any malloc'd/mmap'd variable. You can free
> > > > `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
> > > > which is why i put // 1day next to it; same misalignment/technique to
> > > > mmap() which is still vuln/can be abused to write use-after-free's without
> > > > having the need to bypass heap corruption segfaults."  brk() was equal to
> > > > mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
> > > > now just mmap() --> free() --> free()
> > > >
> > > > PoC:
> > > > =========================================
> > > > joe@ubuntu:~$ cat test1.c
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <string.h>
> > > > #include <sys/mman.h>
> > > >
> > > > int main(void){
> > > >    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> > > > MAP_ANONYMOUS, 0, 0);
> > > >
> > > >    void *z = malloc(p);
> > > >    free(z);
> > > >    free(z);
> > > > }
> > > >
> > > > joe@ubuntu:~$ ./test1
> > > > *** Error in `./test1': double free or corruption (top): 0x08332008 ***
> > > > Aborted (core dumped)
> > > >
> > > > joe@ubuntu:~$ cat test1.c
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <string.h>
> > > > #include <sys/mman.h>
> > > >
> > > > int main(void){
> > > >    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> > > > MAP_ANONYMOUS, 0, 0);
> > > >    p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> > > > MAP_ANONYMOUS, 0, 0);
> > > >
> > > >    void *z = malloc(p);
> > > >    free(z);
> > > >    free(z);
> > > > }
> > > >
> > > > joe@ubuntu:~$ ./test1
> > > > joe@ubuntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
> > > >
> > > > References/Credits/Greetz:
> > > > =========================================
> > > > ac1db1tch3z koa
> > > > https://github.com/x0r1
> > > > http://steamcommunity.com/profiles/76561198333157214/
> > >
> > > _______________________________________________
> > > Sent through the Full Disclosure mailing list
> > > https://nmap.org/mailman/listinfo/fulldisclosure
> > > Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/