lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <BCF8DE29-3744-4306-A28F-21D48761D61F@gmail.com>
Date: Fri, 6 Apr 2018 18:18:13 -0700
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: keliikoa kirland <keliikoakirland@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] new email;
	gw22067@...mail.com | Double-free segfault bypass

[Redirecting back onto fulldisclosure]

It’s still not clear to me what vulnerability you’re describing. You do two mmaps and, when later double freeing memory, don’t get a segfault. But double freeing is already a (often exploitable) bug. If this is really a vulnerability, please describe a realistic exploit that your PoC is emulating and the impact (is this Linux only? What libc/kernel versions? Have you reported this to a maintainer or linux-kernel@...r?) of this issue.

> On Apr 5, 2018, at 11:40, keliikoa kirland <keliikoakirland@...il.com> wrote:
> 
> Hey I'm back ;PpPpP
> It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212
> 
> 	/*
> 	 * Check against rlimit here. If this check is done later after the test
> 	 * of oldbrk with newbrk then it can escape the test and let the data
> 	 * segment grow beyond its set limit the in case where the limit is
> 	 * not page aligned -Ram Gupta
> 	 */
> 	if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
> 			      mm->end_data, mm->start_data))
> 		goto out;
> 
> 	newbrk = PAGE_ALIGN(brk);
> 	oldbrk = PAGE_ALIGN(mm->brk);
> 	if (oldbrk == newbrk)
> 		goto set_brk;
> 
> 
> albeit.
> 
> On 27 March 2018 at 12:06, Matthew Fernandez <matthew.fernandez@...il.com> wrote:
> Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
> 
> > On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland@...il.com> wrote:
> >
> > Tested on: Ubuntu 14.04.5 LTS
> > Version: 4.04
> >
> > On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland@...il.com>
> > wrote:
> >
> >> Details from old email:
> >> =========================================
> >> "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
> >> double-free heap corruption segfault; using mmap() disables that segfault
> >> and allows more than 1 free on any malloc'd/mmap'd variable. You can free
> >> `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
> >> which is why i put // 1day next to it; same misalignment/technique to
> >> mmap() which is still vuln/can be abused to write use-after-free's without
> >> having the need to bypass heap corruption segfaults."  brk() was equal to
> >> mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
> >> now just mmap() --> free() --> free()
> >>
> >> PoC:
> >> =========================================
> >> joe@...ntu:~$ cat test1.c
> >> #include <stdio.h>
> >> #include <stdlib.h>
> >> #include <string.h>
> >> #include <sys/mman.h>
> >>
> >> int main(void){
> >>    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> >> MAP_ANONYMOUS, 0, 0);
> >>
> >>    void *z = malloc(p);
> >>    free(z);
> >>    free(z);
> >> }
> >>
> >> joe@...ntu:~$ ./test1
> >> *** Error in `./test1': double free or corruption (top): 0x08332008 ***
> >> Aborted (core dumped)
> >>
> >> joe@...ntu:~$ cat test1.c
> >> #include <stdio.h>
> >> #include <stdlib.h>
> >> #include <string.h>
> >> #include <sys/mman.h>
> >>
> >> int main(void){
> >>    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> >> MAP_ANONYMOUS, 0, 0);
> >>    p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> >> MAP_ANONYMOUS, 0, 0);
> >>
> >>    void *z = malloc(p);
> >>    free(z);
> >>    free(z);
> >> }
> >>
> >> joe@...ntu:~$ ./test1
> >> joe@...ntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
> >>
> >> References/Credits/Greetz:
> >> =========================================
> >> ac1db1tch3z koa
> >> https://github.com/x0r1
> >> http://steamcommunity.com/profiles/76561198333157214/
> >>
> >>
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists