Use after free

Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory. If after freeing a memory location, the program does not clear the pointer to that memory, an attacker can still use this pointer with possibly arbitrary values.

How it works ?

As explained , when a chunk is freed, it's stored into a bins ( fastbins for shorter chunks, unsorted bins for the others. ) and when the program need a new chunck, it will take if from that bins first depending on the required size.

Then, if the size is compliant, the allocated bin is the same than the previously freed chunk.

So, the new pointer has the exact same value as the old pointer and then, if the old pointer isn't clear, it will point with this new value.

This behavior can easily be highlight by the followed code :

#include <stdlib.h>
#include <stdio.h>
#include <string.h>


int main(void) {
    char *pointer_1 = (char *)malloc(20);

    strcpy(pointer_1, "value 1");

    printf("pointer 1 : %p, value : %s \n", pointer_1, pointer_1);

    free(pointer_1); // Here the pointer_1 is freed but not clear. 

    char *pointer_2 = (char *)malloc(20);
    strcpy(pointer_2, "value 2");

    printf("pointer 1 : %p, value : %s \n", pointer_1, pointer_1);
    printf("pointer 2 : %p, value : %s \n", pointer_2, pointer_2);

}

$ ./test
pointer 1 : 0x12fe2a0, value : value 1 
pointer 1 : 0x12fe2a0, value : value 2 
pointer 2 : 0x12fe2a0, value : value 2

Note : pointer_2 was assigned as the same chunk as pointer_1 because the pointer_1 chunk was freed before the pointer_2 chunk allocation

Unless pointer_1 was freed, its value still accessible but it point to the new data declared by pointer_2

Resources

PreviousChallenge example NextChallenge example

Last updated 2 years ago