Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap

Real-world exploitation of CVE-2022-24834 on a Redis server running on Alpine Linux using musl’s mallocng heap is discussed, highlighting heap shaping, cycling offsets, and a Lua-based read/write chain that enables control over memory. The article contrasts mallocng with ptmalloc2 and references Ricerca and Conviso writeups, offering practical insights for Alpine/musl environments. #CVE-2022-24834 #mallocng #musl #AlpineLinux #Redis #Lua

Keypoints

  • The vulnerability CVE-2022-24834 affects the Lua cjson module in Redis servers <= 7.0.11 and causes a large memory copy (~350 MiB) due to an integer overflow.
  • Public exploits historically targeted ptmalloc2 (GNU libc), but Alpine uses musl mallocng, requiring different exploitation approaches.
  • mallocng is slab-based and uses fixed-size slots on multi-page groups with in-band and out-of-band metadata designed to hinder corruption.
  • The cycling offset is a mitigation for double frees that adjusts the user data start inside a slot; its behavior depends on the group stride and surrounding slack space.
  • Heap shaping is used to create adjacency between the source buffer, the overflow target, and the destination so the 0x1555… overflow can corrupt the intended TValue/Table structures.
  • An Arbitrary Read/Write (AARW) primitive is achieved by corrupting a TValue within a Table to point to controlled memory, enabling further memory access and potential control flow redirection.
  • Lua-based leaks and ROP-like techniques can be leveraged to determine ASLR offsets and facilitate potential code execution, though practical constraints exist with musl libc and ASLR.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploiting a vulnerability in Redis to gain control through heap corruption and a read/write primitive. Quote: “…Exploitation requires that the target buffer that we want to corrupt must be adjacent to the overflown buffer with no unmapped gaps in between…”

Indicators of Compromise

  • [Domain] ricercasecurity.blogspot.com – domain cited for vulnerability analysis and writeups
  • [Domain] blog.xf1les.net – domain cited for discussions on mallocng and related tooling
  • [URL] https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-4-hunting-and-exploiting-0.html – referenced writeup used for exploitation context
  • [URL] https://github.com/xf1les/muslheap – gdb/mallocng tooling referenced for heap analysis

Read more: https://research.nccgroup.com/2024/06/11/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/