Move from tcache to fastbins abuse

[bl4ckh0l3z]

Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?

Unfortunately too many OS are equipped with glibc < 2.26...so we won't able to leverage this exploit on them.

Thanks in advance and congrats for this amazing exploit!

[bl4ckh0l3z]

Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?

Unfortunately too many OS are equipped with glibc < 2.26...so we won't able to leverage this exploit on them.

Thanks in advance and congrats for this amazing exploit!

Someone did it, then fingers crossed... Just food for thought

https://datafarm-cybersecurity.medium.com/exploit-writeup-for-cve-2021-3156-sudo-baron-samedit-7a9a4282cb31

[blasty]

Hey guys, I've not had much time to look at any of this. It seems the majority of issues being created are in the form of "HALP PLZ SUPPORT DISTRO I NEED 2 HAX!1!!!". I'm not sure what I expected when I uploaded exploit source code to Github. ;-)

That said, the writeup in the comment above (by @sleepya_ on Twitter) is pretty interesting. I briefly played with his CentOS 7 approach last night and did notice I was able to get userspec objects that were after the userargs buffer that is being overflowed. Unfortunately I would always trigger some heap metadata corruption checks before the overwritten userspec object data was being used. I tried applying the varying grooming primitives (TZ=: and ; in LC_*) he talks about in his writeup in a bruteforce fashion, but it didn't seem to make much of a difference. If anyone makes any progress on this let us know!

[faik-sevim]

Hi guys, thanks for your attention I will write up here if i can find anything benefical.