Heap Exploitation in 2020

  1. Introduction

  2. ptmalloc2 Heap Overview

  3. The Classical Era

    • The Original Poison Null Byte
    • 'Vudo Malloc Tricks' and 'Once Upon A Free'
      • Unlink and Frontlink Techniques
      • Phrack 57, August 2001
      • Fixed in late 2004
        • People mostly believed that the patch killed the technique.
        • After a few years, people started exploiting a variant of the technique.
        • A modified version of the Unlink technique would still be viable.
      • Trend of removing a technique with a patch, only for a variant of it to still be exploitable
    • Advanced Doug Lea's Malloc Exploits
      • Phrack 61, August 2003
    • Exploiting the Wilderness
      • Bugtraq Mailing List, February 2004
    • The Malloc Maleficarum
      • Bugtraq Mailing list, October 2005
      • Revised version of House of Lore killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
      • House of Spirit still exploitable.
      • House of Force finally killed in glibc 2.29 in August 2018
    • The use of 'set_head' to Defeat The Wilderness
      • Phrack 64, May 2007
    • Yet Another free() Exploitation Technique
      • Phrack 66, November 2009
    • The Malloc Des-Maleficarum
      • Phrack 66, November 2009
    • The House of Lore: Reloaded
      • Phrack 67, November 2010
  4. The Renaissance: CTFs cause Heap Exploitation to go 'Sicko Mode'

    • Unsafe Unlink, 2014 Edition
      • HITCON CTF, August 2014
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
    • Poison NULL byte, 2014 Edition
      • Google Project Zero, August 2014
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
    • Overlapping Chunks
    • House of Orange
      • HITCON CTF, October 2016
      • "The attack vector of this technique was removed by changing the behavior of malloc_printerr in glibc 2.26"
    • House of Einherjar
      • Code Blue Conference, November 2016
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
    • Unsorted Bin Free Chunk Arbitrary Pointer Leak
      • 0CTF, November 2016
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
    • Unsorted Bin Free Chunk Arbitrary Write
      • Couldn't Find Origin
      • tcache introduces additional constraints
    • House of Rabbit
      • Hatena Blog, September 2017
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
    • Large Bin Attack
      • 0CTF, November 2018
      • Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
  5. The Dark Age: The Introduction of tcache

    • Introduced in glibc 2.26
      • Killed a lot of techniques, introduced some new avenues for attack.
    • Internals
    • tcache dup
      • Killed in glibc version 2.28

  6. Modern Techniques

  7. Archeap Fuzzer

  8. Conclusions

  9. Works Cited