Overwriting a freed chunk
Several of the proposed heap exploitation techniques need to be able to overwrite pointers inside freed chunks. The goal of this page is to summarise the potential vulnerabilities that could grant this access:
Simple Use After Free
If it's possible for the attacker to write info in a free chunk, they could abuse this to overwrite the needed pointers.
Double Free
If the attacker can free two times the same chunk (free other chunks in between potentially) and make it be 2 times in the same bin, it would be possible for the user to allocate the chunk later, write the needed pointers and then allocate it again triggering the actions of the chunk being allocated (e.g. fast bin attack, tcache attack...)
Heap Overflow
It might be possible to overflow an allocated chunk having next a freed chunk and modify some headers/pointers of it.
Off-by-one overflow
In this case it would be possible to modify the size of the following chunk in memory. An attacker could abuse this to make an allocated chunk have a bigger size, then free it, making the chunk been added to a bin of a different size (bigger), then allocate the fake size, and the attack will have access to a chunk with a size which is bigger than it really is, granting therefore an overlapping chunks situation, which is exploitable the same way to a heap overflow (check previous section).
Last updated
