| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Mar 2018 12:06:59 -0700
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: keliikoa kirland <keliikoakirland@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] new email;
gw22067@...mail.com | Double-free segfault bypass
Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
> On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland@...il.com> wrote:
>
> Tested on: Ubuntu 14.04.5 LTS
> Version: 4.04
>
> On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland@...il.com>
> wrote:
>
>> Details from old email:
>> =========================================
>> "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
>> double-free heap corruption segfault; using mmap() disables that segfault
>> and allows more than 1 free on any malloc'd/mmap'd variable. You can free
>> `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
>> which is why i put // 1day next to it; same misalignment/technique to
>> mmap() which is still vuln/can be abused to write use-after-free's without
>> having the need to bypass heap corruption segfaults." brk() was equal to
>> mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
>> now just mmap() --> free() --> free()
>>
>> PoC:
>> =========================================
>> joe@...ntu:~$ cat test1.c
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <sys/mman.h>
>>
>> int main(void){
>> void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> MAP_ANONYMOUS, 0, 0);
>>
>> void *z = malloc(p);
>> free(z);
>> free(z);
>> }
>>
>> joe@...ntu:~$ ./test1
>> *** Error in `./test1': double free or corruption (top): 0x08332008 ***
>> Aborted (core dumped)
>>
>> joe@...ntu:~$ cat test1.c
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <sys/mman.h>
>>
>> int main(void){
>> void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> MAP_ANONYMOUS, 0, 0);
>> p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> MAP_ANONYMOUS, 0, 0);
>>
>> void *z = malloc(p);
>> free(z);
>> free(z);
>> }
>>
>> joe@...ntu:~$ ./test1
>> joe@...ntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
>>
>> References/Credits/Greetz:
>> =========================================
>> ac1db1tch3z koa
>> https://github.com/x0r1
>> http://steamcommunity.com/profiles/76561198333157214/
>>
>>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists