Jump to content

uClibc Unlink Heap Exploitation

Recommended Posts

In this paper, I introduce the reader to a heap metadata corruption against the latest version of uClibc. This allocator is used in embedded systems. The unlink attack on heaps was first introduced by Solar Designer in the year 2000 and was the first generic heap exploitation technique made public. In the unlink technique, an attacker corrupts the prev and next pointers of a free chunk. In a subsequent malloc that recycles this chunk, the chunk is unlinked from its freelist via pointer manipulations. This inadvertently allows an attack to craft a write-what-where primitive and write what they want where they want in memory. This attack is historical, but also exists today in uClibc.

uClibc Unlink Heap Exploitation.PDF
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...