Date: Wed, 11 Apr 2018 11:04:49 -0400
From: Justin Ferguson <justin@...c.co>
To: Matthew Fernandez <matthew.fernandez@...il.com>
Cc: keliikoa kirland <keliikoakirland@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] new email; gw22067@...mail.com | Double-free segfault bypass

Well, your PoC is sorta nonsense; you're calling malloc() with a
pointer parameter that /might/ be at 0x1000/0x2000.

It probably makes sense to ask yourself how traditional double frees
were exploited-- it depended upon the management of the linked lists,
which will be absent in mmap backed memory.

I'd have to look at the munmap code again, but it's likely that no
double free even occurs.



On Fri, Apr 6, 2018 at 9:18 PM, Matthew Fernandez
<matthew.fernandez@...il.com> wrote:
> [Redirecting back onto fulldisclosure]
>
> It’s still not clear to me what vulnerability you’re describing. You do two mmaps and, when later double freeing memory, don’t get a segfault. But double freeing is already a (often exploitable) bug. If this is really a vulnerability, please describe a realistic exploit that your PoC is emulating and the impact (is this Linux only? What libc/kernel versions? Have you reported this to a maintainer or linux-kernel@...r?) of this issue.
>
>> On Apr 5, 2018, at 11:40, keliikoa kirland <keliikoakirland@...il.com> wrote:
>>
>> Hey I'm back ;PpPpP
>> It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212
>>
>>       /*
>>        * Check against rlimit here. If this check is done later after the test
>>        * of oldbrk with newbrk then it can escape the test and let the data
>>        * segment grow beyond its set limit the in case where the limit is
>>        * not page aligned -Ram Gupta
>>        */
>>       if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
>>                             mm->end_data, mm->start_data))
>>               goto out;
>>
>>       newbrk = PAGE_ALIGN(brk);
>>       oldbrk = PAGE_ALIGN(mm->brk);
>>       if (oldbrk == newbrk)
>>               goto set_brk;
>>
>>
>> albeit.
>>
>> On 27 March 2018 at 12:06, Matthew Fernandez <matthew.fernandez@...il.com> wrote:
>> Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
>>
>> > On 26 Mar 2018, at 00:26, keliikoa kirland <keliikoakirland@...il.com> wrote:
>> >
>> > Tested on: Ubuntu 14.04.5 LTS
>> > Version: 4.04
>> >
>> > On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland@...il.com>
>> > wrote:
>> >
>> >> Details from old email:
>> >> =========================================
>> >> "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
>> >> double-free heap corruption segfault; using mmap() disables that segfault
>> >> and allows more than 1 free on any malloc'd/mmap'd variable. You can free
>> >> `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
>> >> which is why i put // 1day next to it; same misalignment/technique to
>> >> mmap() which is still vuln/can be abused to write use-after-free's without
>> >> having the need to bypass heap corruption segfaults."  brk() was equal to
>> >> mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
>> >> now just mmap() --> free() --> free()
>> >>
>> >> PoC:
>> >> =========================================
>> >> joe@...ntu:~$ cat test1.c
>> >> #include <stdio.h>
>> >> #include <stdlib.h>
>> >> #include <string.h>
>> >> #include <sys/mman.h>
>> >>
>> >> int main(void){
>> >>    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> >> MAP_ANONYMOUS, 0, 0);
>> >>
>> >>    void *z = malloc(p);
>> >>    free(z);
>> >>    free(z);
>> >> }
>> >>
>> >> joe@...ntu:~$ ./test1
>> >> *** Error in `./test1': double free or corruption (top): 0x08332008 ***
>> >> Aborted (core dumped)
>> >>
>> >> joe@...ntu:~$ cat test1.c
>> >> #include <stdio.h>
>> >> #include <stdlib.h>
>> >> #include <string.h>
>> >> #include <sys/mman.h>
>> >>
>> >> int main(void){
>> >>    void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> >> MAP_ANONYMOUS, 0, 0);
>> >>    p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
>> >> MAP_ANONYMOUS, 0, 0);
>> >>
>> >>    void *z = malloc(p);
>> >>    free(z);
>> >>    free(z);
>> >> }
>> >>
>> >> joe@...ntu:~$ ./test1
>> >> joe@...ntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
>> >>
>> >> References/Credits/Greetz:
>> >> =========================================
>> >> ac1db1tch3z koa
>> >> https://github.com/x0r1
>> >> http://steamcommunity.com/profiles/76561198333157214/
>> >>
>> >>
>> >
>> > _______________________________________________
>> > Sent through the Full Disclosure mailing list
>> > https://nmap.org/mailman/listinfo/fulldisclosure
>> > Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>


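An added example (not code from the thread or from any of its authors) that replays the PoC's mmap -> malloc(p) -> free -> free sequence with every return value checked, which is the first thing a reviewer does before accepting a "clean exit" as evidence of a bypass. It assumes Linux/glibc semantics: MAP_ANONYMOUS ignores the file descriptor, and a malloc() request far larger than the address space returns NULL with ENOMEM. The names trace_poc, request_from_pointer, release and release_twice_is_safe are this example's own. The second half shows the ordinary defensive pattern of nulling a pointer on release, so that a repeated release collapses into free(NULL) instead of a double free.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

/* The PoC passes the mmap() result to malloc(), so the "size" it asks for is
 * the pointer value reinterpreted as a byte count. Make that explicit. */
size_t request_from_pointer(const void *p)
{
    return (size_t)(uintptr_t)p;
}

/* Outcomes of replaying the PoC's mmap -> malloc(p) -> free -> free sequence. */
enum poc_outcome {
    POC_MMAP_FAILED = 1, /* mmap() failed; the PoC would then hand (size_t)-1 to malloc() */
    POC_MALLOC_NULL = 2, /* malloc() refused the absurd size; both free() calls are free(NULL) */
    POC_MALLOC_OK   = 3  /* malloc() returned a real chunk; a second free() would be a real double free */
};

/* Replay the PoC with every return value checked. A live chunk is freed at
 * most once here, so this function never performs a double free itself.
 * "hint" is the address hint the PoC passes as mmap()'s first argument
 * (0x1000 / 0x2000); without MAP_FIXED the kernel is free to ignore it. */
enum poc_outcome trace_poc(void *hint)
{
    /* Assumption: Linux, where MAP_ANONYMOUS ignores the fd (-1 is the portable choice). */
    void *p = mmap(hint, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return POC_MMAP_FAILED;

    size_t req = request_from_pointer(p);
    errno = 0;
    void *z = malloc(req);
    if (z == NULL) {
        /* The most plausible reading of the PoC's "clean exit": free(NULL)
         * is defined to do nothing (C11 7.22.3.3), so the allocator's
         * double-free checks are never reached. */
        free(z);
        free(z);
        munmap(p, 4096);
        return POC_MALLOC_NULL;
    }
    free(z);          /* freed exactly once */
    munmap(p, 4096);
    return POC_MALLOC_OK;
}

/* Defensive counterpart: release through a pointer-to-pointer and null it,
 * so a repeated release is free(NULL) rather than a double free. */
void release(void **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Returns 1 when two releases of the same variable leave it NULL and crash-free. */
int release_twice_is_safe(void)
{
    void *buf = malloc(64);
    if (buf == NULL)
        return 0;
    release(&buf);
    release(&buf);   /* second call is free(NULL): harmless */
    return buf == NULL;
}

int main(void)
{
    void *hint = (void *)0x2000;  /* the PoC's second hint */
    enum poc_outcome r = trace_poc(hint);
    printf("mmap hint %p: outcome %d (1=mmap failed, 2=malloc NULL, 3=malloc ok)\n", hint, (int)r);
    printf("two releases of one buffer safe: %s\n", release_twice_is_safe() ? "yes" : "no");
    return 0;
}
```

Outcome 2 means malloc() refused the pointer-sized request, so each free() in the PoC was free(NULL) and the freelist checks that catch classic double frees were never exercised; that is consistent with the point in the reply above that no double free need occur at all. Outcome 3 would only arise if the kernel honoured a tiny address hint, which the mmap_min_addr sysctl normally prevents.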