heap-overflows.md (2904B)
1 +++ 2 title = 'Heap overflows' 3 +++ 4 # Heap overflows 5 Stack-based buffer overflow relatively easy to exploit, because return address. 6 Integer overflow can bypass length checks. 7 Heap buffer overflows and format strings can provide arbitrary write. 8 9 Use-after-free and type confusion allow corrupting specific data. 10 11 Buffer overflows: 12 - most common, can exploit locally and remotely, modify both data and control flow 13 - typical signs: fixed-length buffers, passing pointer to buffer without size, array access without size check, pointer arithmetic without size/end pointer 14 - vulnerable functions: 15 - gets() -- replace with fgets() 16 - strcpy(),strcat() -- replace with strncpy() or strncat() 17 - sprintf() etc. -- replace with snprintf() etc. 18 - scanf() etc. -- put bound on %s formats 19 20 Off-by-one: 21 - wrong comparison operator, forget about string terminator 22 - can only overwrite one element above array capacity 23 24 Pointer storage: 25 - pointer is integer storing a memory address 26 - in x86_64, only 48 least significant bits of 64-bit integer are used (so every pointer contains two null bytes) 27 - x86_64 is little endian, so least significant byte is stored first (lowest address) 28 29 Buffer overread: 30 - reading out-of-bounds can be just as harmful, and can also leak pointers (compromising ASLR) 31 32 Data/BSS overflows 33 - data has initialized global data, BSS uninitialized 34 - alternative ways of hijacking control: 35 - overwrite function pointer 36 - overwrite saved frame pointer (fake stack, then return from it) 37 - overwrite C++ object pointer (e.g. hijack virtual functions) 38 - data-only alternatives: 39 - changing strings to e.g. bypass authorization 40 - changing integers, e.g. index and size variables to allow further overflows. 41 - changing pointers 42 43 Heap overflows: 44 - malloc(), new, etc. return memory on heap 45 - harder to exploit, can't reach return addresses 46 - so, target metadata and/or heap massaging 47 - heap organisation: 48 - grows towards higher memory addresses 49 - memory management through in-band control structures (metadata between buffers), which can be manipulated through heap overflows to execute arbitrary code 50 - attacks depend on implementation of malloc 51 - heap divided in chunks 52 - used chunk contains metadata and buffer returned by malloc 53 - free chunk not currently used, but can be reused later 54 - adjacent free blocks are merged to avoid fragmentation 55 - exploiting dlmalloc: 56 - assume we find heap buffer overflow 57 - overwrite fd and bk (requires free block) 58 - make program call unlink, e.g. to merge block when previous block is freed 59 - unlink writes chosen data at chosen location 60 61 exploiting arbitrary write: 62 - heap overflow/format string write to absolute address 63 - alternative: global offset table (GOT) 64 - used to lazily load lib functions 65 - address looked up and stored on first call 66 - fixed location