18 changes: 18 additions & 0 deletions src/binary-exploitation/libc-heap/README.md
@@ -535,10 +535,28 @@ Study allocator-specific primitives derived from real-world bugs:
virtualbox-slirp-nat-packet-heap-exploitation.md
{{#endref}}

## musl mallocng exploitation notes (Alpine)

- **Slab group/slot grooming for huge linear copies:** mallocng sizeclasses use mmap()'d groups whose slots are fully `munmap()`'d when empty. For long linear copies (~0x15555555 bytes), keep the span mapped (avoid holes from released groups) and place the victim allocation adjacent to the source slot.
- **Cycling offset mitigation:** On slot reuse mallocng may advance the user-data start by `UNIT` (0x10) multiples when slack fits an extra 4-byte header. This shifts overwrite offsets (e.g., LSB pointer hits) unless you control reuse counts or stick to strides without slack (e.g., Lua `Table` objects at stride 0x50 show offset 0). Inspect offsets with muslheap’s `mchunkinfo`:

```gdb
pwndbg> mchunkinfo 0x7ffff7a94e40
... stride: 0x140
... cycling offset : 0x1 (userdata --> 0x7ffff7a94e40)
```

- **Prefer runtime-object corruption over allocator metadata:** mallocng mixes cookies/guarded out-of-band metadata, so target higher-level objects. In Redis’s Lua 5.1, `Table->array` points to an array of `TValue` tagged values; overwriting the LSB of a pointer in `TValue->value` (e.g., with the JSON terminator byte `0x22`) can pivot references without touching malloc metadata.
- **Debugging stripped/static Lua on Alpine:** Build a matching Lua, list symbols with `readelf -Ws`, strip function symbols via `objcopy --strip-symbol` to expose struct layouts in GDB, then use Lua-aware pretty-printers (GdbLuaExtension for Lua 5.1) plus muslheap to check stride/reserved/cycling-offset values before triggering the overflow.

## References

- [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
- [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
- [Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap](https://www.nccgroup.com/research-blog/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/)
- [musl mallocng enframe (v1.2.4)](https://git.musl-libc.org/cgit/musl/tree/src/malloc/mallocng/meta.h?h=v1.2.4#n196)
- [muslheap GDB plugin](https://github.com/xf1les/muslheap)
- [GdbLuaExtension (Lua 5.1 support)](https://github.com/fidgetingbits/GdbLuaExtension)


{{#include ../../banners/hacktricks-training.md}}
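Review bot: the first bullet ("Slab group/slot grooming") overstates how mallocng releases memory: a group's slots are only `munmap()`'d when the group has its own mapping; a group that was carved out of a slot of a larger size class is handed back to that parent slot when its last slot is freed, so whether an empty group leaves a hole in the span depends on how the group was allocated. Suggest qualifying the sentence to "groups backed by their own mapping are munmap()'d when their last slot is freed; nested groups are returned to the parent slot", so the grooming advice does not assume every emptied group unmaps. Two smaller points in the same hunk: in the cycling-offset bullet, the offset is drawn from the slack measured in `UNIT`s, `(stride - IB - n) / UNIT` with `IB` the 4-byte in-band header per the linked `enframe`, so "when slack fits an extra 4-byte header" should read "when at least one `UNIT` of slack remains after the 4-byte in-band header"; and the "Debugging stripped/static Lua" bullet never says why function symbols are stripped (so that loading the rebuilt Lua's symbol file into the stripped Redis process, e.g. with `add-symbol-file`, brings in the DWARF struct layouts without importing function addresses that do not match the target), which is the one clause a reader needs to reproduce the step.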