Category:Heap

From SecurityForest



Description: The present paper focuses on Linux/Intel systems, details the Sudo bug, and explains why a precise knowledge of how malloc works internally is needed in order to exploit it. It also describes the functioning of the memory allocator used by the GNU C Library (Doug Lea's Malloc), from the attacker's point of view. It then applies this information to the Sudo bug, and presents a working exploit for Red Hat Linux/Intel 6.2 (Zoot) sudo-1.6.1-1.
Author: Michel "MaXX" Kaempf
Download: p57-0x08.txt (http://www.securityforest.com/downloads/educationtree/p57-0x08.txt)

Description: This document explains the internals of Poul-Henning Kamp's malloc() implementation (further called "phk malloc") from a security researcher's point of view.
Author: Poul-Henning Kamp
Download: BSD-heap-smashing.txt (http://www.securityforest.com/downloads/educationtree/BSD-heap-smashing.txt)

Description: The scope of this short paper is to describe how vulnerabilities consisting of a null byte written past the end of dynamically allocated buffers could be exploited. The name 'off by one' is borrowed from the well-known category of vulnerabilities affecting buffers allocated onto the stack: in that case exploitation is performed through the frame pointer overwrite. See references at the end for details [1][2]. Exploitation of this kind of vulnerability for buffers allocated onto the heap meets a completely different context. In this paper I will refer to Linux x86, but a lot of the things described here are applicable to other systems as well.
Author: qitest1
Download: heap_off_by_one.txt (http://www.securityforest.com/downloads/educationtree/heap_off_by_one.txt)

Description: As more system vendors add non-executable stack patches, or individuals apply their own patches (e.g., Solar Designer's non-executable stack patch), a different method of penetration is needed by security consultants (or else, we won't have jobs!).
Author: Matt Conover & w00w00 Security Development
Download: heaptut.txt (http://www.securityforest.com/downloads/educationtree/heaptut.txt)

Articles in category "Heap"

There are 0 articles in this category.