Message-Id: <BCF8DE29-3744-4306-A28F-21D48761D61F@gmail.com>
Date: Fri, 6 Apr 2018 18:18:13 -0700
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: keliikoa kirland <keliikoakirland@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] new email; gw22067@...mail.com | Double-free segfault bypass

[Redirecting back onto fulldisclosure]

It’s still not clear to me what vulnerability you’re describing. You do two mmaps and, when later double freeing memory, don’t get a segfault. But double freeing is already an (often exploitable) bug. If this is really a vulnerability, please describe a realistic exploit that your PoC is emulating and the impact (is this Linux only? What libc/kernel versions? Have you reported this to a maintainer or linux-kernel@...r?) of this issue.

> On Apr 5, 2018, at 11:40, keliikoa kirland <keliikoakirland@...il.com> wrote:
>
> Hey I'm back ;PpPpP
> It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212
>
>     /*
>      * Check against rlimit here. If this check is done later after the test
>      * of oldbrk with newbrk then it can escape the test and let the data
>      * segment grow beyond its set limit the in case where the limit is
>      * not page aligned -Ram Gupta
>      */
>     if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
>                           mm->end_data, mm->start_data))
>         goto out;
>
>     newbrk = PAGE_ALIGN(brk);
>     oldbrk = PAGE_ALIGN(mm->brk);
>     if (oldbrk == newbrk)
>         goto set_brk;
>
> albeit.
>
> On 27 March 2018 at 12:06, Matthew Fernandez <matthew.fernandez@...il.com> wrote:
> > Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
> >
> > > On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland@...il.com> wrote:
> > >
> > > Tested on: Ubuntu 14.04.5 LTS
> > > Version: 4.04
> > >
> > > On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland@...il.com> wrote:
> > >
> > > > Details from old email:
> > > > =========================================
> > > > "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
> > > > double-free heap corruption segfault; using mmap() disables that segfault
> > > > and allows more than 1 free on any malloc'd/mmap'd variable. You can free
> > > > `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
> > > > which is why I put // 1day next to it; same misalignment/technique to
> > > > mmap() which is still vuln/can be abused to write use-after-free's without
> > > > having the need to bypass heap corruption segfaults." brk() was equal to
> > > > mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
> > > > now just mmap() --> free() --> free()
> > > >
> > > > PoC:
> > > > =========================================
> > > > joe@...ntu:~$ cat test1.c
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <string.h>
> > > > #include <sys/mman.h>
> > > >
> > > > int main(void){
> > > >     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
> > > >
> > > >     void *z = malloc(p);
> > > >     free(z);
> > > >     free(z);
> > > > }
> > > >
> > > > joe@...ntu:~$ ./test1
> > > > *** Error in `./test1': double free or corruption (top): 0x08332008 ***
> > > > Aborted (core dumped)
> > > >
> > > > joe@...ntu:~$ cat test1.c
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <string.h>
> > > > #include <sys/mman.h>
> > > >
> > > > int main(void){
> > > >     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
> > > >     p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
> > > >
> > > >     void *z = malloc(p);
> > > >     free(z);
> > > >     free(z);
> > > > }
> > > >
> > > > joe@...ntu:~$ ./test1
> > > > joe@...ntu:~$
> > > >
> > > > References/Credits/Greetz:
> > > > =========================================
> > > > ac1db1tch3z koa
> > > > https://github.com/x0r1
> > > > http://steamcommunity.com/profiles/76561198333157214/
> > > >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/