Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way
# Research: An Overview of Publicly Found GLIBC Heap Exploitation Techniques
## Metadata
- Authors: [Not explicitly stated in the provided text, implied author is the blogger/researcher]
- Institution: [Not explicitly stated]
- Publication: [Blog Post/Technical Writeup]
- Date: [Not explicitly stated]
## Abstract
This technical analysis gives a general overview of publicly known exploitation techniques against the GNU C Library (GLIBC) memory allocator (`malloc`/`free`), separating those that work only against unpatched versions from those that remain usable against patched ones. The post details the internal structures of the GLIBC heap, in particular the free-list structures known as "bins" (Tcache, Fastbin, Smallbin, Unsortedbin, Largebin), and then describes specific exploitation primitives that leverage memory-safety bugs to corrupt those structures.
## Research Objective
The primary objective is to document and explain known heap exploitation techniques targeting GLIBC, distinguishing between those that are mitigated by recent patches and those that remain relevant via new attack vectors, thereby serving as an educational resource on GLIBC heap internals and vulnerabilities.
## Methodology
### Approach
Descriptive and analytical. The post systematically breaks down the memory management structures (bins) used by GLIBC and then uses this structural knowledge to explain specific exploitation scenarios ("idea," "gist") based on observed CVEs or public vulnerability classes.
### Dataset/Environment
The analysis is a source-level walk through the GLIBC heap data structures, referencing specific versions where behaviour changed (e.g., the Tcache introduced in GLIBC 2.26). The techniques described imply testing against, or reading the source of, the affected GLIBC versions.
### Tools & Technologies
The analysis relies on understanding the internal data structures of the GLIBC heap, including pointer manipulation, chunk metadata, and interaction with `malloc`, `free`, and `calloc` mechanisms.
## Key Findings
### Primary Results
1. **Detailed Bin Structure Explanation:** A thorough breakdown of the five main free list structures (Tcache, Fastbin, Smallbin, Unsortedbin, Largebin), detailing their linking mechanisms (singly vs. doubly linked, LIFO vs. FIFO, circularity) and size ranges.
2. **Tcache Behavior:** The Tcache is a per-thread cache that `malloc` consults first and `free` fills first. Its interaction with the other bins, specifically the stashing of leftover same-size chunks from the Fastbin, Smallbin or Unsortedbin into the Tcache while an allocation is being served from one of them (the post's "tcache dumping"), is a critical consideration for exploitation.
3. **Exploitation Primitive 1: Tcache Poisoning (`fd` overwrite):** With a UAF or overflow into a chunk sitting in a Tcache list (e.g., the second of two consecutively freed chunks), the attacker overwrites its `fd` pointer so that a later allocation from that bin returns an arbitrary address, yielding a write primitive. The post relates this to the `tcache_count` check (the GLIBC commit ensuring the count is not zero before a chunk is served), which decides whether `malloc` takes the chunk from the Tcache at all.
4. **Exploitation Primitive 2: Tcache Stashing Unlink (via `calloc`):** An attacker can get a fake chunk at an arbitrary address placed into the Tcache by corrupting the `bk` pointer of a chunk in the Smallbin. The method relies on `calloc`, which never allocates from the Tcache: when it takes a chunk from the Smallbin, the allocator stashes the remaining Smallbin chunks of that size into the Tcache by following their `bk` links until the Tcache bin is full. The Tcache must therefore have free slots for the corrupted link to be followed; the fake chunk is then returned by the next `malloc` of that size.
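To make the Tcache poisoning primitive of item 3 (and the `fd` primitive in the Technical Details below) concrete, here is a small C model of a single Tcache bin. It is an added example written for this summary, not code from the post or from glibc; the names `tc_bin`, `tc_put`, `tc_get`, `poison_demo` and `count_gate_demo` are made up, and the "heap" is a static buffer. It does reproduce three real properties: the singly linked LIFO list, the per-bin count gate on allocation (glibc 2.30 and later), and the safe-linking encoding of `fd` (glibc 2.32 and later), so it shows why the raw-pointer overwrite stops working after 2.32 unless the attacker already has a heap address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ONE tcache bin (added example, not glibc code; names made up).
 * Kept properties: singly linked LIFO list, count gate (glibc 2.30+),
 * optional safe-linking of the fd field (glibc 2.32+). */

#define TCACHE_MAX_COUNT 7

typedef struct tc_entry {
    struct tc_entry *next;   /* the chunk's fd field */
} tc_entry;

typedef struct {
    tc_entry *head;
    unsigned char count;
    int safe_linking;        /* 1 = model glibc >= 2.32 */
} tc_bin;

/* glibc's PROTECT_PTR / REVEAL_PTR: pos is the address of the fd field */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) { return (pos >> 12) ^ ptr; }
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t enc)  { return (pos >> 12) ^ enc; }

/* free() path: push at head */
static void tc_put(tc_bin *bin, tc_entry *e) {
    uintptr_t next = (uintptr_t)bin->head;
    uintptr_t pos  = (uintptr_t)&e->next;
    e->next = (tc_entry *)(bin->safe_linking ? protect_ptr(pos, next) : next);
    bin->head = e;
    bin->count++;
}

/* malloc() path: pop from head; NULL when malloc would skip this bin */
static void *tc_get(tc_bin *bin) {
    if (bin->count == 0 || bin->head == NULL) return NULL;
    tc_entry *e = bin->head;
    uintptr_t next = (uintptr_t)e->next;
    if (bin->safe_linking) next = reveal_ptr((uintptr_t)&e->next, next);
    bin->head = (tc_entry *)next;
    bin->count--;
    return e;
}

/* Tcache poisoning: C1 and C2 are freed in that order, so C2 is the head and
 * C2->fd points at C1. A UAF/overflow rewrites C2->fd to `target`. The first
 * allocation returns C2; the new head is whatever the allocator decodes from
 * C2->fd, i.e. what the second allocation would get. Returns 1 on success. */
static int poison_demo(int safe_linking, int attacker_knows_heap) {
    static _Alignas(16) unsigned char heap[4096];   /* constructed fake heap */
    static _Alignas(16) unsigned char victim[64];   /* arbitrary write target */
    tc_entry *c1 = (tc_entry *)(heap + 0x10);
    tc_entry *c2 = (tc_entry *)(heap + 0x40);
    tc_bin bin = { .head = NULL, .count = 0, .safe_linking = safe_linking };

    tc_put(&bin, c1);
    tc_put(&bin, c2);                                /* list: c2 -> c1 */

    uintptr_t target = (uintptr_t)victim;
    if (safe_linking && attacker_knows_heap)
        c2->next = (tc_entry *)protect_ptr((uintptr_t)&c2->next, target);
    else
        c2->next = (tc_entry *)target;               /* raw pointer: enough before 2.32 */

    void *a = tc_get(&bin);                          /* returns c2 */
    void *b = (void *)bin.head;                      /* what the next tc_get hands out;
                                                        a bad decode is a wild pointer */
    return a == (void *)c2 && b == (void *)target;
}

/* glibc 2.30+ tests counts[idx] > 0 instead of entries[idx] != NULL, so a
 * count that reads zero makes malloc bypass the bin even though a chunk
 * (possibly a poisoned one) is still linked there. */
static int count_gate_demo(void) {
    static tc_entry e;
    tc_bin bin = { .head = NULL, .count = 0, .safe_linking = 0 };
    tc_put(&bin, &e);
    bin.count = 0;                                   /* count corrupted/zeroed */
    return tc_get(&bin) == NULL;
}

int main(void) {
    printf("pre-2.32, raw fd:           %s\n", poison_demo(0, 0) ? "target returned" : "failed");
    printf("2.32+, raw fd (no leak):    %s\n", poison_demo(1, 0) ? "target returned" : "failed");
    printf("2.32+, encoded fd (leak):   %s\n", poison_demo(1, 1) ? "target returned" : "failed");
    printf("count gate skips poisoned bin: %s\n", count_gate_demo() ? "yes" : "no");
    return 0;
}
```

The model deliberately stops after the first `tc_get` and inspects the new head instead of popping again: in a real process a wrongly decoded `fd` is a wild pointer, and the second `malloc` would dereference it.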
### Supporting Evidence
- Direct references to GLIBC patch commits (e.g., the commit related to ensuring `tcache_count` is not NULL).
- Step-by-step scenarios detailing the sequence of allocation, freeing, and corruption required for each technique.
### Novel Contributions
- Synthesis of different GLIBC heap vulnerability classes based on the internal bin structures, presenting them in a structured manner covering both historical and more recent (post-Tcache) vectors.
- Detailed explanation of the "Tcache - Stashing unlink" technique, highlighting the specific condition (at least one allocation made with `calloc`) required for its success.
## Technical Details
The fundamental technical insight is control of the **forward pointer (`fd`)** in the singly linked LIFO structures (Fastbin, Tcache) or of the **forward and backward pointers (`fd`/`bk`)** in the doubly linked lists (Smallbin, Unsortedbin, Largebin), turned into an arbitrary write or an arbitrary allocation (the classic "unlink" family of attacks).
* **Fastbin/Tcache Write Primitive:** Two chunks $C_1$ and $C_2$ are allocated from the same bin and freed in that order, so $C_2$ sits at the head of the LIFO list with its `fd` pointing to $C_1$. The attacker overwrites $C_2$'s `fd` with a target address $X$ (for the Fastbin, $X - \text{offset}$, so that a plausible size field sits where the allocator checks it). The next allocation returns $C_2$, and the one after it returns $X$, giving the attacker a chunk overlapping the target. On GLIBC 2.32 and later the Tcache and Fastbin `fd` fields are safe-linked (stored as `(&fd >> 12) ^ ptr`), so the value written must be pre-encoded, which requires a heap address leak.
* **Smallbin Stash Write Primitive (Stashing Unlink):** This relies on corrupting the `bk` pointer of a chunk in the Smallbin. When `calloc` (which does not use the Tcache) takes a chunk from that Smallbin, the allocator stashes the remaining chunks into the Tcache, executing `bin->bk = bck; bck->fd = bin;` for each, and this stash loop does not verify `bck->fd == victim` the way the initial unlink does. Following the corrupted `bk` therefore writes the bin address (a libc pointer) into the `fd` slot of an attacker-chosen location and places that location into the Tcache, from which the next `malloc` returns it. It is not a consolidation path; the Tcache interaction is what makes `calloc` necessary.
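A C model of the Smallbin stash loop described above and in Key Finding 4, added here as an example; it is neither the post's code nor glibc's. The names `heap_model`, `calloc_from_smallbin`, `malloc_from_tcache` and `stash_demo` are made up, the tcache is a plain array standing in for the per-size list, and chunk sizes are ignored because the stash loop does not examine them. The scenario is the one the technique needs: two chunks in the Smallbin, a Tcache bin with exactly two free slots, and the older chunk's `bk` redirected at a fake chunk whose own `bk` points at writable memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of glibc's smallbin branch in _int_malloc, including the
 * tcache stash loop that follows the first victim (glibc 2.26+).
 * Added example, not glibc code; names are made up. */

typedef struct chunk {
    size_t prev_size;
    size_t size;             /* not checked by the stash loop, so ignored here */
    struct chunk *fd;
    struct chunk *bk;
} chunk;

#define TCACHE_COUNT 7

typedef struct {
    chunk *bin;              /* smallbin header; bin->bk is the oldest chunk */
    void  *tc[TCACHE_COUNT]; /* tcache bin for this size, LIFO */
    int    tc_count;
} heap_model;

/* free() into a smallbin: insert at head (bin->fd); allocation takes bin->bk */
static void smallbin_insert(chunk *bin, chunk *c) {
    c->fd = bin->fd;
    c->bk = bin;
    bin->fd->bk = c;
    bin->fd = c;
}

/* calloc() of this size: returns the chunk handed out, NULL on integrity abort */
static chunk *calloc_from_smallbin(heap_model *h) {
    chunk *bin = h->bin;
    chunk *victim = bin->bk;
    if (victim == bin) return NULL;
    chunk *bck = victim->bk;
    if (bck->fd != victim) return NULL;   /* "malloc(): smallbin double linked list corrupted" */
    bin->bk = bck;
    bck->fd = bin;
    /* stash the rest into tcache while it has room; NOTE: no bck->fd check here */
    while (h->tc_count < TCACHE_COUNT && bin->bk != bin) {
        chunk *tc_victim = bin->bk;
        bck = tc_victim->bk;               /* attacker-controlled after corruption */
        bin->bk = bck;
        bck->fd = bin;                     /* writes a libc (bin) address to bck->fd */
        h->tc[h->tc_count++] = tc_victim;  /* tcache_put(tc_victim) */
    }
    return victim;
}

/* malloc() of this size afterwards: served from tcache, LIFO */
static void *malloc_from_tcache(heap_model *h) {
    return h->tc_count ? h->tc[--h->tc_count] : NULL;
}

/* Smallbin holds A (oldest) and B; tcache already holds `prefilled` chunks.
 * Attacker sets B->bk = &FAKE, with FAKE.bk pointing at writable W.
 * Returns 1 if calloc returns A, FAKE.fd and W.fd now hold the bin address,
 * and the following malloc returns FAKE. Needs two free tcache slots. */
static int stash_demo(int prefilled) {
    static chunk binhdr, A, B, FAKE, W;   /* constructed stand-ins for heap memory */
    static long filler[TCACHE_COUNT];
    heap_model h = { .bin = &binhdr, .tc_count = 0 };

    binhdr.fd = binhdr.bk = &binhdr;
    smallbin_insert(&binhdr, &A);         /* A freed first: becomes last(bin) */
    smallbin_insert(&binhdr, &B);
    for (int i = 0; i < prefilled && i < TCACHE_COUNT; i++)
        h.tc[h.tc_count++] = &filler[i];

    FAKE.fd = NULL; FAKE.bk = &W; W.fd = NULL;
    B.bk = &FAKE;                         /* the corruption (UAF/overflow on B) */

    chunk *got  = calloc_from_smallbin(&h);   /* A; stashes B, then FAKE */
    void  *next = malloc_from_tcache(&h);     /* LIFO head of tcache */
    return got == &A && next == &FAKE && FAKE.fd == &binhdr && W.fd == &binhdr;
}

int main(void) {
    for (int n = 5; n <= 7; n++)
        printf("tcache prefilled with %d: %s\n", n, stash_demo(n) ? "fake chunk returned" : "no");
    return 0;
}
```

With five chunks already in the Tcache the loop runs twice (B, then FAKE) and the next `malloc` returns FAKE; with six it stops after B and the fake chunk is never stashed, which is why public write-ups of this technique fill the Tcache to exactly five before the `calloc`.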
## Practical Implications
### For Security Practitioners
- Understanding these techniques is crucial for static and dynamic analysis of binaries where heap corruption vulnerabilities are suspected, especially in parsers or network services utilizing dynamic memory allocation.
### For Defenders
- **Input Validation:** Strict validation of user-controlled inputs that influence memory allocation sizes or content is paramount to prevent overflows/UAFs that lead to pointer corruption.
- **Mitigations:** Modern GLIBC hardens heap metadata: safe-linking pointer mangling of `fd` in the Tcache and Fastbins (2.32), the Tcache double-free `key` (2.29), the Tcache count check, size and alignment checks on chunks, and safe unlinking of the doubly linked bins. Defenders should understand that older techniques may be ineffective against a fully patched allocator, while new variants keep appearing.
### For Researchers
- The analysis serves as a baseline for investigating the security posture of specific GLIBC versions or custom allocators that mimic GLIBC behavior. The note that "dead" techniques can be revived suggests further research into how side channels or subtle changes in surrounding code impact exploit viability.
## Limitations
- The analysis is primarily descriptive; it explicitly states that actual exploitation code is withheld ("left as an exercise for the reader").
- The applicability lifespan ("Applicable until: ?") for advanced techniques like the Tcache Stashing unlink remains uncertain, indicating that GLIBC developers are actively patching these vectors.
## Comparison to Prior Work
This work consolidates knowledge typically spread across multiple vulnerability reports and documentation pages (e.g., pwn.college, Phrack articles). It specifically isolates and details interactions involving the **Tcache**, which is the major structural difference between pre- and post-GLIBC 2.26 exploitation paradigms.
## Real-world Applications
- Developing proof-of-concept exploits for memory corruption flaws in applications linked against vulnerable versions of GLIBC (e.g., web servers, shell environments).
- Auditing the robustness of memory management routines in custom C/C++ software.
## Future Work
- Continuous monitoring and documentation of patches applied to GLIBC heap structures.
- Investigation into new exploitation vectors targeting the synchronization or state management between the primary heap structures and the thread-local Tcache structure.
## References
- [Links to specific GLIBC patches referenced in the text, e.g., commit hashes or change IDs.]
- [General references regarding heap exploitation concepts (e.g., Unlink/Fastbin attacks)].