
Security Response

Matthew Conover | 22 Jan 2007 | 0 comments

Continued from Part 1...

Exploiting double free vulnerabilities: Case 1

The first way that a double free vulnerability can be exploited is when the first free puts the chunk on the Lookaside (which the Windows heap implementation tries to use before the FreeList since it's more efficient). When a chunk is freed to the Lookaside, the chunk is still marked as busy (that is, Chunk.Flags & BUSY_FLAG is set) to prevent the chunk from being coalesced with the previous/next chunk. That's because entries on the Lookaside list are meant to be a fast allocate/deallocate (akin to "fast bins" in the GLIBC and related Unix heap implementations). By contrast, entries on the FreeList are frequently coalesced when a chunk is being freed and the chunk before/after it is also free (to make larger contiguous chunks of memory available...

Matthew Conover | 19 Jan 2007 | 0 comments

In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows on XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make it more difficult to exploit. So this blog entry will discuss the exploitability on XP SP2 and later heap implementations.

Note: If you're not familiar with Windows heap terminology, please review the slides from our CanSecWest 2004 heap presentation, archived here: http://www.cybertech.net/~sh0ksh0k/projects/winheap.

Oded Horovitz and I did not look into this topic much in our original presentation on Reliable Windows Heap Exploitation at CanSecWest 2004. Later that same year, I discussed how to defeat the safe unlinking check at SyScan 2004, but I did not consider its relevance to double free vulnerabilities. In other...