Full Report
Intro

Hello there! In this part we are focusing on abusing chunk creation and heap massaging in the hope of overwriting the __malloc_hook weak pointer. Before getting into all the juicy stuff, let's remember some key things from the last post:

1. The value returned by png_get_uint_32 is of type unsigned integer.
2. For a 32 bit integer, the following happens: 0xffffffff + 1 = 0
3. fread will read values into the destination unless it can't read from source memory (spoiler: it can)
4. fread will return the number of elements read from the source

Points 1 and 2 were made clear but 3 and 4 were left unanswered.
Analysis Summary
# Research: Linux Heap Exploitation Intro Series: Set you free() – part 2
## Metadata
- Authors: Javier Jimenez
- Institution: SensePost
- Publication: SensePost Blog
- Date: September 06, 2018
## Abstract
This technical analysis, the second part in a series on Linux heap exploitation, details techniques for exploiting a custom vulnerability, likely within a PNG processing utility (`apngopt`), by abusing chunk creation and heap massaging. The ultimate goal demonstrated is to control the execution flow by overwriting the `__malloc_hook` weak pointer in glibc's allocator (ptmalloc2). The research leverages a specific buffer overflow caused by an insecure use of `fread` following the processing of PNG chunks, allowing an attacker to corrupt heap metadata.
## Research Objective
The primary objective is to demonstrate a practical heap exploitation technique chaining vulnerabilities derived from PNG chunk parsing to achieve heap corruption. Specifically, the research focuses on:
1. Understanding and exploiting the consequences of an insecure `fread` call that reads an arbitrary number of bytes into a destination buffer.
2. Applying "heap massaging" techniques (controlling chunk creation and freeing) to position a buffer overflow to target critical allocator pointers, specifically aiming to overwrite `__malloc_hook`.
3. Recapping foundational heap concepts relevant to the process, such as 32-bit integer wrapping and the behavior of `fread`.
## Methodology
### Approach
The research follows a practical, step-by-step exploitation methodology:
1. **Vulnerability Identification:** Leveraging a known buffer overflow vulnerability in the application's PNG chunk handling, specifically where `fread` inputs are improperly validated, leading to reading more bytes than intended into a heap chunk.
2. **Heap Corruption Measurement:** Using debugging tools (`gdb`, `villoc`) to observe the memory corruption resulting from the overflow.
3. **Heap Spraying/Massaging:** Allocating and freeing specific sizes of memory chunks ("heap massaging") to control the layout of the heap structure, particularly the placement of fastbins and unsorted bins.
4. **Pointer Overwriting:** Showing how the controlled overflow overwrites heap metadata (specifically the Forward Pointer, `FD`, in a freed chunk) to gain control over allocator structures.
5. **Goal Attainment (Theoretical):** Demonstrating the theoretical path to overwriting `__malloc_hook` to achieve code execution control.
### Dataset/Environment
- **Target Application:** An application (`apngopt` variant) processing Animated PNG (`apng`) files.
- **Exploitation Environment:** Linux environment.
- **Test Case:** A specially crafted PNG file (`images/6frames-AnimatedPNG-blogpost.png`) containing specific chunk arrangements to facilitate the required memory layout.
### Tools & Technologies
- **Debugger:** `gdb` (with `pwndbg` extension).
- **Heap Visualization Tool:** `villoc` to trace memory allocation/deallocation behavior.
- **Environment Control:** `LD_PRELOAD` for hooking libc functions, and `setarch` to attempt consistency when running with `villoc` under ASLR.
- **Compiler Flags:** `-ggdb` used to ensure debugging symbols are present in the target binary.
## Key Findings
### Primary Results
1. **Insecure `fread` Behavior:** The overflow stems from the check `fread(pChunk->p + 4, pChunk->size - 4, 1, f) == 1`, which does not account for the fact that `fread` writes as many bytes as it can obtain from the source before reporting the element count, so the number of bytes written into the chunk is dictated by the file contents rather than by the intended chunk size calculation.
2. **Heap Metadata Overwriting:** The overflow allows the modification of heap chunk metadata, specifically demonstrated by overwriting the `FD` (Forward Pointer) field of a nearby freed chunk in the unsorted/fastbin region with attacker-controlled data (e.g., "AAAA...").
3. **Allocator Checks:** The initial attempt to overwrite the `FD` pointer is met with resistance from modern allocator security checks within `malloc.c`, which validate the size of the free chunk and the validity of the pointer being inserted into the bin structure.
4. **Prerequisite for Heap Massaging:** Successfully landing a controllable fastchunk requires careful heap spraying—specifically allocating four consecutive fastchunks of size `0x70`—to ensure the attacker's target chunk lands strategically relative to the required variables during subsequent allocations.
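The two ingredients behind finding 1 and the intro's recap (32-bit wrap of the chunk size, and `fread` writing before it reports a short count) can be shown in isolation. This is an added example, not code from the post or from `apngopt`; `get_uint_32`, `chunk_size_unchecked`, `chunk_size_checked` and `fread_short_source` are names chosen here, and the 10-byte source is constructed. The checked variant is the bounds check a defender would want in front of the allocation.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 32-bit read, the same arithmetic as libpng's png_get_uint_32(). */
uint32_t get_uint_32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked chunk size: declared length + 12 (length, type and CRC fields).
   In 32-bit arithmetic a declared length of 0xfffffff4 yields 0, so the
   buffer is tiny while the later read length (size - 4) wraps to 0xfffffffc. */
uint32_t chunk_size_unchecked(uint32_t declared_len) {
    return declared_len + 12u;
}

/* Hardened variant: the PNG spec caps a chunk length at 2^31-1 (which also
   rules out the wrap), and body + type + CRC must fit in the bytes left in
   the file; `remaining` is what is left after the 4-byte length field. */
bool chunk_size_checked(uint32_t declared_len, size_t remaining, uint32_t *out) {
    if (declared_len > 0x7fffffffu) return false;
    uint64_t size = (uint64_t)declared_len + 12u;
    if (size - 4u > remaining) return false;
    *out = (uint32_t)size;
    return true;
}

/* Models fread(p + 4, size - 4, 1, f) == 1 against a source shorter than the
   request: libc copies every byte it can obtain first and only then returns
   0 elements, so the == 1 check runs after dst has already been written.
   The 10-byte source is constructed here; `copied` counts non-zero bytes. */
size_t fread_short_source(unsigned char *dst, size_t want, size_t *copied) {
    static const unsigned char src[] = "0123456789";     /* 10 data bytes */
    FILE *f = fmemopen((void *)src, sizeof src - 1, "r");
    memset(dst, 0, want);
    size_t elems = fread(dst, want, 1, f);   /* want > 10: partial element */
    fclose(f);
    *copied = 0;
    for (size_t i = 0; i < want; i++) if (dst[i]) (*copied)++;
    return elems;
}
```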
### Supporting Evidence
- Memory inspection screenshots and GDB trace analysis showing the hex representation of the corrupted pointer address (`0x826042ae444e`) and its little-endian interpretation suggesting control over heap structures.
- Visualization using `villoc` identifying the memory corruption location relative to adjacent chunks (e.g., the `fastchunk` at `0x1ffe470`).
### Novel Contributions
- Practical demonstration of linking file format parsing vulnerabilities (PNG chunks) directly to advanced heap corruption techniques aimed at `__malloc_hook`.
- Illustrates the necessity of complex heap massaging (creating specific sequences of allocated chunk sizes) to bypass modern heap security checks before achieving the corruption of the target pointer (`__malloc_hook`).
- Provides practical debugging advice for correlating memory addresses between dynamic tooling (`villoc`) and static debug environments (`gdb`) under ASLR using `setarch`.
## Technical Details
The core technical vector involves an overflow that writes past the allocated destination buffer into adjacent heap structures. By controlling the structure of the heap via prior allocations/deallocations, the attacker positions a free chunk directly adjacent to their overflow source. The overflow overwrites the `FD` pointer of this freed chunk. While the initial overwrite of the `FD` pointer is successful, default allocator checks prevent an immediate allocation using this corrupted pointer unless further size validations can also be manipulated or bypassed, often requiring control over the size metadata adjacent to the `FD` pointer. The analysis emphasizes that achieving control over the instruction pointer (`__malloc_hook` overwrite) requires significant, specific "heap spraying."
## Practical Implications
### For Security Practitioners
This research reinforces that vulnerabilities in file parsing libraries, even if they look like simple buffer overflows, can lead to complex heap exploitation in modern systems if the vulnerability allows writing into the heap metadata regions. Exploit development requires deep knowledge of the specific libc allocator version being used (ptmalloc2).
### For Defenders
Defenders must focus on strong bounds checking for *all* data read from external sources (like file headers/chunks) before placing it into heap buffers managed by `malloc`. Furthermore, building binaries so that Address Space Layout Randomization (ASLR) fully applies remains crucial, although this research shows its impact can sometimes be mitigated by predictable layout structures or pre-existing environmental conditions.
### For Researchers
The work highlights the ongoing challenge of heap exploitation development without specialized scripting or fuzzing environments, indicating that manual or semi-automated heap spray construction can be exceedingly difficult due to the dynamic nature of heap layout. This points to the need for better tools that integrate symbolic execution with customized heap state management for exploit prototyping.
## Limitations
The analysis explicitly notes limitations:
1. **Bypassing Size Checks:** The author failed to overcome a specific condition related to the size check validation implemented in `malloc.c` after successfully overwriting the `FD` pointer.
2. **File Constraint:** Achieving the necessary heap layout requires the input PNG file to contain more than four frames *after* a certain optimization step, constraining the practical exploit vector to specific input files.
3. **ASLR Context:** The demonstration of controlling the instruction pointer is acknowledged as a theoretical possibility achievable only after significant manual configuration (e.g., disabling ASLR or brute-forcing predictable addresses).
## Comparison to Prior Work
The research builds upon foundational heap exploitation knowledge (like those documented by researchers studying Doug Lea’s or Wolfram Gloger’s ptmalloc2 implementations) by applying these concepts to a real-world scenario involving file parsing logic errors. It differs from simpler stack or GOT overwrites by requiring extensive "heap massaging," demonstrating the complexity leap required for mastering heap-based vulnerability exploitation in userland programs.
## Real-world Applications
- Developing proof-of-concept exploits against software that parses complex file formats (e.g., image libraries, media codecs).
- Benchmarking the effectiveness of modern heap mitigations against targeted, manually constructed heap manipulation attacks.
### Implementation Considerations
Successful payload delivery necessitates precisely crafting the input file structure to meet the requirements for heap spraying (controlling chunk counts and sizes) before triggering the initial overflow.
## Future Work
- Developing a systematic method to bypass the size checks observed in the allocator's free chunk validation logic to successfully hijack the allocation path via `__malloc_hook`.
- Investigating if similar heap corruption patterns exist in other common image processing libraries when processing proprietary or complex image chunk types.
## References
- Related concepts leveraged from prior work on heap exploitation targeting `ptmalloc2`.
- Implicit reference to prior work detailed in "Part 1" of this series regarding `png_get_uint_32` and `fread` behavior.
- Links to external resources for the `villoc` tool and demonstration code structure.