@st4g3r CODE BLUE 2016.10.20

$whoami @st4g3r  Newbie 

Cyber Defense Institute, Inc.

 CTF 



Player

TokyoWesterns

 My 

Pentester

interests include

Exploitation Glibc malloc (currently)

tl;dr  Heap

Exploitation(x64 Linux/Glibc malloc)  What's "House of Einherjar" ? 

This is a new heap exploitation technique that forces glibc malloc() to return a nearly-arbitrary address. 



User is ordinarily able to read/write to the address returned by malloc().

The concept is abusing consolidating chunks to prevent from the fragmentation. 

Off-by-one Overflow on well-sized chunk leads both control of prev_size and PREV_INUSE bit of the next chunk.

 Proof 

of Concept

http://ux.nu/6Rv6h

Overview  Glibc   

malloc

Chunk Bin Consolidating Chunks

 House    

of Einherjar

Flaw / Flow Demo Evaluation Countermeasures

Glibc malloc  "struct  

Chunk

malloc_chunk"

A memory block joins free list after being free()'ed. free()'ed block is treated as "struct malloc_chunk". 

The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size

Shared with previous chunk

(prev_size) size fd

User's space

bk

data + pads

(not used)

(a) in-used

(b) free

Fig. 1 struct malloc_chunk

SIZE_SZ =8byte

Glibc malloc

Chunk

Table 1: struct malloc_chunk TYPE

NAME

DESCRIPTION

INTERNAL_SIZE_T

prev_size

Size of previously contigous chunk (shared)

INTERNAL_SIZE_T

size

Size of itself and its current status

struct malloc_chunk

*fd

Pointer to forwardly linked chunk (free list).

struct malloc_chunk

*bk

Pointer to backwardly linked chunk (free list).

Glibc malloc  "struct  

Chunk

malloc_chunk"

A memory block joins free list after being free()'ed. It is ordinarily treated as "struct malloc_chunk". 

The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size

Shared with previous chunk

(prev_size) size

AM P

fd User's space

data + pads

Low 3 bits mean chunk status

(a) in-used

bk (not used) (b) free

Fig. 1 struct malloc_chunk

SIZE_SZ =8byte

Glibc malloc  "struct  

Chunk

malloc_chunk"

A memory block joins free list after being free()'ed. It is ordinarily treated as "struct malloc_chunk". 

The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size

Shared with previous chunk

(prev_size) size

AM P

SIZE_SZ =8byte

fd User's space



data + pads

Low 3 bits mean chunk status

(a) in-used

[P]REV_INUSE bk



IS_[M]MAPPED



NON_MAIN_[A]RENA

(not used) (b) free

Fig. 1 struct malloc_chunk

Glibc malloc A 

free chunk belongs to free list(bin).

Small bin 



Bin

MAX_FAST_SIZE < size < MIN_LARGE_SIZE  MAX_FAST_SIZE: 0xa0  MIN_LARGE_SIZE: 0x400

Unsorted bin The chunk which has just free()'ed temporarily belongs to this list.  There is no size restriction. 

Glibc malloc

Bin

bins

BK c (prev_size)

size bins[n-1]

fd

bins[n]

bk

AM P

bins[n+1] (not used) FD struct malloc_chunk Fig 2. Small bin free list

Glibc malloc

Consolidating Chunks

 It

can easily cause fragmentation owing to frequent allocations and vice versa. 

Let's consider consolidating the chunk being free()'ed and already free()'ed contiguous chunk.  

Previous contiguous. Next contiguous.

 PREV_INUSE  

bit

The flag for distinguishing whether the previous contiguous chunk is in used or not. This is the sole criterion for the consolidating.

Glibc malloc  Where  

Consolidating Chunks

is the flow of chunk consolidating?

Let's read glibc! free(p) 

__libc_free(p)  _int_free(av, p, have_lock) <- THIS!

(a) Entry point Fig. 3 _int_free()

(b) Consolidating point Fig. 3 _int_free()

(c) End point Fig. 3 _int_free()

Glibc malloc

Consolidating Chunks

(prev_size) size fd prev

bk (not used) p

(prev_size) size data + pads

0

p

size = p->size If not prev_inuse(p): prevsize = p->prev_size size += prevsize p += -(long)(prevsize)

(a) Test prev_inuse Fig. 4 Consolidating

Glibc malloc p

Consolidating Chunks

(prev_size) size fd prev

bk (not used) p

(prev_size) size data + pads

0

p

size = p->size If not prev_inuse(p): prevsize = p->prev_size size += prevsize p += -(long)(prevsize)

(b) Relocation Fig. 4 Consolidating

Glibc malloc

Consolidating Chunks

(prev_size)

(prev_size)

size

size

fd

fd prev

bk (not used) p

bk p

(prev_size) size data + pads

(not used)

0

p

(c) New chunk Fig. 4 Consolidating

p 1

House of Einherjar  Our   

Flaw / Flow

current knowledge

"p->prev_size" can be shared with previous contiguous chunk. PREV_INUSE bit of "p->size" decides whether the two contiguous chunks will be consolidated or not. New location of p depends on "p->prev_size". 

"p = chunk_at_offset(p, -((long)prevsize))"

House of Einherjar  Our   

current knowledge

"p->prev_size" can be shared with previous contiguous chunk. PREV_INUSE bit of "p->size" decides whether the two contiguous chunks will be consolidated or not. New location of p depends on "p->prev_size". 

"p = chunk_at_offset(p, -((long)prevsize))"

 Assumptions 

Flaw / Flow

for House of Einherjar

Three chunks. p0: the well-sized chunk(includes p1->prev_size).  p1: the small bin sized chunk.  (p2: the chunk to prevent from calling malloc_consolidate()). 



p0 will be Off-by-one(OBO) poisoned by NUL byte('¥0').

House of Einherjar

Flaw / Flow (prev_size) size p0 (used)

well-sized data (prev_size) size

data + pads

shared 1

p1 (used)

(a) Before overflowing Fig. 5 The House of Einherjar

House of Einherjar

Flaw / Flow (prev_size) size

data (prev_size) 1 size Overflown

data + pads

(b) Overflowing Fig. 5 The House of Einherjar

House of Einherjar

Flaw / Flow (prev_size) size p0 (free)

well-sized data 0xdeadbeef

size

data + pads

shared

'¥0'

p1 (used)

(c) After overflowing Fig. 5 The House of Einherjar

House of Einherjar

Flaw / Flow (prev_size) size p0 (free)

well-sized data

0xdeadbeef shared size = p1->size size '¥0' If not prev_inuse(p1): prevsize =data p1->prev_size p1 (used) + size += prevsize pads p1 += -(long)(prevsize)

(c) After overflowing Fig. 5 The House of Einherjar

House of Einherjar

Flaw / Flow (prev_size) size p0 (free)

well-sized data

0xdeadbeef shared size = p1->size size '¥0' If not prev_inuse(p1): prevsize =data 0xdeadbeef p1 (used) + size += prevsize pads p1 += -(long)(prevsize)

(c) After overflowing Fig. 5 The House of Einherjar

House of Einherjar  How  

For easy, we should make fd and bk members of fake chunk to point to the fake chunk's self.

We have to be able to calculate the diff between the target area and "p1". 



to enter into House of Einherjar

The well-sized chunk will occur OBO Overflow into the next chunk. We can put a fake chunk near the target area. 



Flaw / Flow

Leaking the two addresses is required.

We have to be able to fix "p1->size" broken by free()'ing. 

On the assumption that we can write to the fake chunk anytime.

Demo

http://ux.nu/6Rv6h

House of Einherjar

Evaluation

 Merit 

It depends on application's memory layout but only OBO Overflow is required



Huge malloc() like "House of Force" is not required.

 Demerit 



The target area will be limited on the location of the fake chunk. The leaking the two addresses is necessary.

 Evaluation:

"Not so bad"

House of Einherjar  "struct  

Countermeasures

malloc_chunk" is NOT good

"chunk->prev_size" SHOULD NOT be overwritable by normal writes to a chunk. It uses Boundary Tag Algorithm. (It is what it is!)

 Countermeasures? 

Address checking Is the consolidated chunk address valid?  Stack and heap address spaces are completely different.  It is possible to save a return address.  But that cannot be the solution for House of Einherjar to heap address space. 

Thank You For Your Attention! Any Questions?

House of Einherjar - GitHub

▫"struct malloc_chunk". ▫ A memory block joins free list after being free()'ed. ▫ free()'ed block is treated as "struct malloc_chunk". ▫ The size of a chunk is ...

1MB Sizes 10 Downloads 253 Views

Recommend Documents

Medieval House - GitHub
Page 1. Medieval House. Page 2. 1. 1x. 1x. 1x. 2x. 2x. 2x. 1x. 2x. 2x. 4x. 3x. 8x. 2x. 8x. 2x. 4x. 2x. 2x. 2x. 8x. 6x. 2x. 2x. 4x. 2x. 4x. 4x. 2x. 2x. 6x. 2x. 2x. 6x. 4x. 3x.

What makes a house valuable? - GitHub
A reproducible analysis for the Boston housing data. Outstanding student 1, Awesome student 2 and Great student 3. 31/11/16. This short report shows a simple ...

EAR Open House ES581.4 CAN-USB Device - GitHub
Properties – Signals association, range settings, units, value type etc. can be set. ▫ Edit and alignment options available. ❖ File Options. ▫ Create new instrument.

House of Representatives.pdf
Sign in. Loading… Whoops! There was a problem loading more pages. Retrying... Whoops! There was a problem previewing this document. Retrying.

Table of Contents - GitHub
random to receive a new welfare program called PROGRESA. The program gave money to poor families if their children went to school regularly and the family used preventive health care. More money was given if the children were in secondary school than

Script of Scripts - GitHub
Apr 7, 2016 - CWL, Galaxy etc: too bulky for our purposes .... Step 3. Execution of simple workflows. • Workflow steps are executed sequen*ally. • Steps are ...

Statement of Accomplishment - GitHub
You have successfully completed the online Machine Learn- ... not confer a Stanford grade; it does not confer Stanford credit; it does not confer a Stanford ...

MIRANDA HOUSE UNIVERSITY OF DELHI
Miranda House, College for Women, invites applications from talented and ... In Department of Computer Science, one post is reserved for PwD in VH Category. ... UGC/CSIR or a similar test accredited by the UGC (state level eligibility test ...

house of works.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. house of works.

house of terror.pdf
Page 2 of 3. Hungary 39 s torturous past inside the house of terror world. The. house of terror, budapest, hungary. Silence of statues inside memento. park and ...

House of Stairs.pdf
Page 4 of 15. HOUSE OF STAIRS (1700 headwords). 4. But she can't remember exactly. She promises to call back. ♢. When I got home from Thornham after the ...

Record of Achievement - GitHub
SAP HANA Technology. SAP HANA Performance Benchmarks. SAP HANA Roadmap and Re-thinking Software Development. SAP HANA in Practice. Michaela ...

Table of contents - GitHub
promotion about guide login_id login ID login_password login password email_generate_key generated key for certificating email email_certified_at timestamp ...

university of stellenbosch - GitHub
the degrei. BACHELOR OF SCIENCE WITH HONOURS. (BScHons). (Computer Science) with all the rishts and privilepes pertaininp thereto was conferred on.

Contents of - GitHub
Endpoints. /. The application root. /contact. Contact manager. Methods. POST. Creates a new ... Not an actual endpoint, but the HTTP method to use. NAME/?.

The Fall of the House of Usher
For complete copyright information please see the online version of this text at ... In 1826, Poe began attending the University of Virginia, but was expelled later that .... character of the premises with the accredited character of the people, and 

(House Atreides, House Harkonnen, House Corrino) By ...
You could also make or wait in your laptop or computer system that alleviates you to review ... Thanks for visiting the best web site that provide hundreds type of book collections. Below, we ... Sales Rank: #148671 in Books q. Published on: ...