Channel: BOT24
Paper: Glibc Adventures: The Forgotten Chunks- exploitation of heap overflows in Linux

This technical whitepaper showcases the exploitation of heap overflows on Linux
systems, which are often considered hard or impossible to exploit with current state-of-the-art
mitigation technologies in place. Recent work from Google Project Zero [1]
demonstrates that corrupting heap structures with a single NUL byte can still lead to
local arbitrary code execution on 32-bit binaries. This paper presents several
techniques that can be used to exploit limited heap overflows in the general case, i.e.
independently of the architecture and mitigation techniques in use, by forcing the
allocator to produce overlapping chunks in applications where the user can predict and
control the shape of heap areas. We apply this technique to a seemingly unexploitable
heap overflow found in commercial software and demonstrate that, for the right
applications, exploits bypassing all modern mitigation techniques such as ASLR, PIE or
full RELRO can be constructed.

More here: http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf
