I was trying to exploit the heap allocator on Solaris via the sudo bug; it appears that since Solaris 10 the libc now checks for a negative chunk size to prevent creating the tree structure that has been used as a primitive against the Sys V heap allocator since 2001. You can still corrupt the chunk with a large size, but it would seem that a fix was added to prevent the t_delete() method of exploitation first described in 2001 in the "Once upon a free()" article.
