RT @0xdea
Of course the master heap #xdev @qualys managed to achieve significant progress in #exploiting the recent double-free #vulnerability in #OpenSSH server 9.1 (CVE-2023-25136) 💚
“Quick update: we were able to gain arbitrary control of the rip register through this bug (i.e., we can jump wherever we want in sshd's address space) on an unpatched installation of OpenBSD 7.2 (which runs OpenSSH 9.1 by default). This is by no means the end of the story: this was only step 1, bypass the malloc and double-free protections.”
“The trick to bypass malloc's double-free and use-after-free protections is to re-allocate the memory that was occupied by options.kex_algorithms as soon as it is free: from malloc's point of view, no attempt is made to free, read, or write memory that is already free; from sshd's point of view, however, an aliasing attack occurs: two different pointers to two different objects refer to the same chunk of memory, and a write to one object overwrites the other object. This opens up a world of possibilities.”
#xdev #qualys #exploiting #vulnerability #openssh
Awesome @githubsecurity articles by @anticomputer on recognizing and exploiting the hidden attack surface of interpreted languages
Now you C me, now you don't: An introduction to the hidden #attack surface of interpreted languages
https://securitylab.github.com/research/now-you-c-me/
Now you C me, now you don't, part two: #exploiting the in-between
https://securitylab.github.com/research/now-you-c-me-part-two/
For historical context on the ret2dlresolve #xdev technique, see also Nergal's "The advanced return-into-lib(c) exploits"
http://phrack.org/issues/58/4.html