Use After Free

More of a catch-all than a strategy

You might notice that "Use After Free" has tons of hits in the CVE database and yet isn't listed in the how2heap exploit set. What gives?

Well, it doesn't quite fit our model of how exploits work: it's not a Write-What-Where and it's not a leak. It's a slip-up that can sometimes create one or the other, and which one depends on the program. Use after free and double free are the two most common loosely defined heap vulnerabilities, and they are usually introduced by the developer rather than by the allocator.

Note that these bugs are sometimes introduced synthetically (as in a demo or a CTF challenge), and they then become the building blocks of the named exploit techniques that are built on top of them.

It's like selling a book at a garage sale (freeing it) and then someone else finding your secret notes on pieces of paper inside the book.

Or maybe more like selling a computer that you still use as a server for hosting your website...

What is it?

Well, it's when you can still access a chunk after it has been freed, and in particular when you can control the contents of a freed chunk.

Use after free means you can be assigned an old chunk whose pointer still has meaning in a different context.

That is, your chunk is used in two places for two different purposes. Typically, you can edit the data inside a chunk that is being interpreted as something security-sensitive in a different context.

What does that gain us? Well, it depends. Often we gain the ability to mess with malloc/free and trick it into giving us an arbitrary targeted pointer.

But it can just as easily be the ability to mess with some userdata struct or function pointer or something a little off the wall and custom.

How do you spot it?

Use after free typically happens when an old pointer is not discarded (set to NULL or otherwise invalidated) after the chunk it points to is freed.

In a CTF style problem you might have an array of pointers that you can re-access even after freeing.

How do you use it?

If you can re-malloc that same chunk of data, you can control all of the values in it. Now go back to the context where the old pointer is reused.

If the roles are reversed and you can edit the values in a free chunk (often via a double free), then you can mess with the chunk metadata of the freed chunk, allowing all sorts of nonsense.
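To make the "old pointer not discarded" pattern from the spotting and using sections concrete, here is an added example that is not part of the original page or any challenge binary. It models the CTF-style array of pointers described above with a constructed note table: a buggy delete that frees the chunk but leaves the pointer in the table, beside a hardened delete that clears the slot so the stale pointer can never be reached again. The names `note_t`, `create_note`, `delete_note_buggy`, `delete_note_safe`, `read_note` and `slot_is_live` are all assumptions for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 4
#define NOTE_SIZE 32

/* Constructed example: a CTF-style table of heap pointers. Each slot owns
 * one NOTE_SIZE-byte chunk; the "use" path reads through the stored pointer. */
typedef struct {
    char *data;   /* heap chunk, or NULL when the slot is empty */
} note_t;

static note_t notes[NSLOTS];

static int slot_ok(int idx) {
    return idx >= 0 && idx < NSLOTS;
}

/* Allocate a chunk for an empty slot and copy text into it. */
int create_note(int idx, const char *text) {
    if (!slot_ok(idx) || notes[idx].data != NULL)
        return -1;
    notes[idx].data = malloc(NOTE_SIZE);
    if (notes[idx].data == NULL)
        return -1;
    snprintf(notes[idx].data, NOTE_SIZE, "%s", text);
    return 0;
}

/* Buggy delete: frees the chunk but leaves the old pointer in the table.
 * Every later read_note()/create_note() decision on this slot is now based
 * on a dangling pointer: the "old pointer not discarded" pattern. */
int delete_note_buggy(int idx) {
    if (!slot_ok(idx) || notes[idx].data == NULL)
        return -1;
    free(notes[idx].data);
    return 0;
}

/* Hardened delete: free, then clear the slot so the stale pointer cannot be
 * reached again. A second delete or a read on this slot is rejected. */
int delete_note_safe(int idx) {
    if (!slot_ok(idx) || notes[idx].data == NULL)
        return -1;
    free(notes[idx].data);
    notes[idx].data = NULL;
    return 0;
}

/* Read path: copies the note out only if the slot still holds a pointer.
 * With the buggy delete this check passes and the freed chunk is read. */
int read_note(int idx, char *out, size_t outsz) {
    if (!slot_ok(idx) || notes[idx].data == NULL)
        return -1;
    snprintf(out, outsz, "%s", notes[idx].data);
    return 0;
}

/* Reports whether the table still believes the slot is live. */
int slot_is_live(int idx) {
    return slot_ok(idx) && notes[idx].data != NULL;
}

int main(void) {
    char buf[NOTE_SIZE];

    create_note(0, "hardened slot");
    delete_note_safe(0);
    printf("safe delete: read_note -> %d, second delete -> %d\n",
           read_note(0, buf, sizeof buf), delete_note_safe(0));  /* -1, -1 */

    create_note(1, "buggy slot");
    char *stale = notes[1].data;
    delete_note_buggy(1);
    printf("buggy delete: slot still looks live = %d\n", slot_is_live(1)); /* 1 */

    /* malloc may hand the same chunk straight back; the stale pointer in the
     * table then aliases whatever the new owner stores there. */
    char *fresh = malloc(NOTE_SIZE);
    printf("fresh allocation reuses freed chunk: %s\n",
           fresh == stale ? "yes" : "no");
    free(fresh);
    notes[1].data = NULL;  /* clean up the demo table; not part of the bug */
    return 0;
}
```

The only difference between the two delete routines is the `notes[idx].data = NULL` line, which is what turns a silent dangling read into a rejected request. Building the file with `-fsanitize=address` (gcc or clang) makes the dangling read through the buggy slot fail loudly at the `read_note` call, which is a cheap way to catch this class of bug in tests before it reaches a CTF board or a CVE entry.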

The Daily PWN: ctf_sim

Been a while since we've had a daily pwn, here's a UAF from the weekend:

From TAMU CTF: the ctf_sim binary uses glibc 2.28 (the infrastructure might be up for another day or two) if you use the exploit starter. There is also source code below.

This exploit starter will only apply for a few more hours:

OK let's solve it!