Heap Overflow — libssl 3.x

Condensed notes on the CVE-2024-XXXXX heap overflow in libssl 3.x. Target: 10.10.10.42 on :443.

Primitive

The bug is a classic malloc header corruption via an over-long TLS extension. Controllable write of 8 bytes past a tcache chunk boundary.

ssl_ext_parse.c

/* len is attacker-controlled — no upper bound check */
memcpy(buf + offset, ext_data, len);
 
/* chunk header sits 8 bytes past buf end when len == buf_sz */
typedef struct {
  size_t prev_size;
  size_t size;       /* overwritten — clears PREV_INUSE */
} malloc_chunk;

Exploitation steps

Groom heap with SSL_CTX_new() calls to align target chunk.
Send crafted ClientHello — extension type 0x000f, length buf_sz.
Trigger free() of next chunk — corrupted size causes consolidation into unsorted bin.
Use malloc_consolidate() to get a pointer into libc's .data.
Overwrite __free_hook → system. Pass /bin/sh as next freed pointer.

⚠ Warning — Step 3 is timing-sensitive on multi-threaded servers. Run the grooming loop in a tight 50 ms window.

Patch check

Fixed in OpenSSL 3.0.14 — bounds check added before memcpy.
Verify: openssl version -a | grep -E '^OpenSSL 3'

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝