hacktricks/binary-exploitation/libc-heap/use-after-free/README.md
Carlos Polop 731fca1d57 a
2024-07-18 18:14:56 +02:00

3.5 KiB

Use After Free

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

As the name implies, this vulnerability occurs when a program stores some space in the heap for an object, writes some info there, frees it apparently because it's not needed anymore and then accesses it again.

The problem here is that it's not ilegal (there won't be errors) when a freed memory is accessed. So, if the program (or the attacker) managed to allocate the freed memory and store arbitrary data, when the freed memory is accessed from the initial pointer that data would be have been overwritten causing a vulnerability that will depends on the sensitivity of the data that was stored original (if it was a pointer of a function that was going to be be called, an attacker could know control it).

First Fit attack

A first fit attack targets the way some memory allocators, like in glibc, manage freed memory. When you free a block of memory, it gets added to a list, and new memory requests pull from that list from the end. Attackers can use this behavior to manipulate which memory blocks get reused, potentially gaining control over them. This can lead to "use-after-free" issues, where an attacker could change the contents of memory that gets reallocated, creating a security risk.
Check more info in:

{% content-ref url="first-fit.md" %} first-fit.md {% endcontent-ref %}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}