Heap Exploitation Modern Era: tcache, fastbin, House of Force/Orange/Botcake
Modern glibc heap exploitation: tcache poisoning, fastbin dup, House of Force, House of Orange, House of Botcake, and what changed in glibc 2.32 to 2.38.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 28, 2024 · 12 min read
Heap exploitation in 2024 means glibc ptmalloc tcache. Most of the classical attacks (unsorted bin, smallbin, largebin) live on, but the tcache layer added in glibc 2.26 changed the path of least resistance dramatically. tcache poisoning is the new fastbin dup.
tcache Anatomy
A per-thread cache of up to 7 chunks per size class, for sizes 0x20 through 0x410. Each bin is a singly linked free list, LIFO. Before glibc 2.32 the next pointer (fd) was stored raw, so an attacker-controlled write to fd made the next allocation return an arbitrary address. glibc 2.32 introduced PROTECT_PTR safe-linking, which XORs fd with (chunk_addr >> 12), but a heap leak still defeats it trivially.
tcache Poisoning
- Allocate two chunks A and B of the same tcache-eligible size
- Free B, then A; the tcache list head now points to A, which points to B
- Use a UAF or overflow to overwrite A's fd with the target address (XORed with heap_addr >> 12 on glibc 2.32+)
- Allocate once and get A; allocate again and get the target address as a 'chunk'
- Write into it: an arbitrary write primitive
Fastbin Dup and Double Free
If the tcache bin is full, frees go to the fastbin. Double-freeing the same chunk used to give an arbitrary allocation, subject only to a size check. glibc 2.29 added double-free detection in tcache (the key field in the freed chunk), and there is double-free detection at the fastbin head. Bypass: free A, free B, free A. The tcache key check sees mismatched keys on the second free of A, and the double free goes through.
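As an added illustration (not glibc source and not part of the original post), here is a simplified C model of the two checks that the tcache Anatomy and Fastbin Dup sections describe: PROTECT_PTR safe-linking of the next pointer, and the key-based double-free detection on free. The entry layout and the order of checks follow glibc 2.32 and later; `tcache_key`, the `chunks` array, the `tc_status` codes and the bin size are constructed for the demo, and where real glibc aborts through malloc_printerr this model returns a status so the behaviour can be inspected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX_COUNT 7   /* glibc default tcache_count */
#define NCHUNKS 8            /* constructed: enough to fill one bin and overflow it */

/* Entry as stored in the user-data area of a freed chunk (glibc >= 2.32 layout). */
typedef struct tcache_entry {
    struct tcache_entry *next;  /* next free chunk, stored mangled by protect_ptr() */
    uintptr_t key;              /* equals tcache_key while the chunk sits in the bin */
} tcache_entry;

typedef struct {
    tcache_entry *head;         /* the head itself is stored raw; only the links are mangled */
    unsigned count;
} tcache_bin;

/* glibc fills tcache_key from getrandom() at startup; a constructed constant here. */
static const uintptr_t tcache_key = 0x5eedc0ffee123400ULL;

enum tc_status { TC_OK = 0, TC_FULL, TC_DOUBLE_FREE, TC_EMPTY, TC_UNALIGNED };

/* Safe-linking (PROTECT_PTR): XOR the link with the page number of the slot
 * that holds it. REVEAL_PTR is the same operation applied to the stored value,
 * so decoding a link requires knowing the address of the slot. */
static tcache_entry *protect_ptr(tcache_entry **pos, tcache_entry *ptr) {
    return (tcache_entry *)(((uintptr_t)pos >> 12) ^ (uintptr_t)ptr);
}
static tcache_entry *reveal_ptr(tcache_entry **pos) {
    return protect_ptr(pos, *pos);
}

/* aligned_OK: every tcache chunk must sit on a 16-byte boundary (x86-64). */
static int aligned_ok(const void *p) { return ((uintptr_t)p & 0xf) == 0; }

/* free() fast path. The key check fires on any chunk whose key still equals
 * tcache_key; the bin is then walked and the free is refused only if the chunk
 * is really present, so a chunk that merely happens to hold that value survives. */
static enum tc_status tcache_free(tcache_bin *bin, tcache_entry *e) {
    if (e->key == tcache_key) {
        for (tcache_entry *t = bin->head; t; t = reveal_ptr(&t->next)) {
            if (!aligned_ok(t)) return TC_UNALIGNED;  /* "free(): unaligned chunk detected in tcache 2" */
            if (t == e) return TC_DOUBLE_FREE;        /* "free(): double free detected in tcache 2" */
        }
    }
    if (bin->count >= TCACHE_MAX_COUNT) return TC_FULL; /* real glibc continues to fastbin/unsorted */
    e->key = tcache_key;
    e->next = protect_ptr(&e->next, bin->head);
    bin->head = e;
    bin->count++;
    return TC_OK;
}

/* malloc() fast path (tcache_get): pop the head, decode its link, clear the key. */
static enum tc_status tcache_alloc(tcache_bin *bin, tcache_entry **out) {
    tcache_entry *e = bin->head;
    if (!e) return TC_EMPTY;
    if (!aligned_ok(e)) return TC_UNALIGNED;          /* "malloc(): unaligned tcache chunk detected" */
    bin->head = reveal_ptr(&e->next);
    bin->count--;
    e->key = 0;                                       /* a later legitimate free of this chunk is fine */
    *out = e;
    return TC_OK;
}

/* A constructed, 16-byte-aligned "heap" of free-list entries and one bin. */
static _Alignas(16) tcache_entry chunks[NCHUNKS];
static tcache_bin bin;

static void heap_reset(void) {
    memset(chunks, 0, sizeof chunks);
    bin.head = NULL;
    bin.count = 0;
}

int main(void) {
    tcache_entry *p = NULL;
    heap_reset();
    tcache_free(&bin, &chunks[0]);                    /* A */
    tcache_free(&bin, &chunks[1]);                    /* B, now the head */
    printf("stored link in B: %p, decoded: %p (A is at %p)\n",
           (void *)chunks[1].next, (void *)reveal_ptr(&chunks[1].next), (void *)&chunks[0]);
    printf("second free of B: %s\n",
           tcache_free(&bin, &chunks[1]) == TC_DOUBLE_FREE ? "detected" : "missed");
    tcache_alloc(&bin, &p);
    printf("first allocation returns %s (LIFO)\n", p == &chunks[1] ? "B" : "A");
    return 0;
}
```

The two things worth noticing when running it: the value stored in B's link is not A's address (that is the safe-linking mangling, and it is undone only with the slot address), and the end of the list is stored as a non-zero value (the page number XORed with NULL), which is the tell that distinguishes a 2.32+ heap from an older one in a memory dump.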
House of Force
Classic, and dead in modern glibc. It required overwriting the top chunk size with a huge value, then requesting an allocation of (target - top - header) so that top moved to the target. glibc 2.29 added a sanity check on the top chunk size, which killed House of Force as a primitive on mainline. Still useful on embedded targets with outdated libcs.
House of Orange
Free the top chunk by faking a smaller top chunk size, triggering sysmalloc to free the old top into the unsorted bin. From the unsorted bin, get a libc leak (a main_arena pointer). Then forge an _IO_FILE structure to hijack _IO_list_all and gain RCE on the next exit or abort. FILE struct exploitation moved on to House of Apple and House of Cat after glibc removed __free_hook and __malloc_hook in 2.34.
Every removal of a glibc hook gets answered by a new House-of technique. The arms race between glibc maintainers and exploit researchers is the most consistently entertaining show in low-level security.
House of Botcake
Combines tcache and the unsorted bin to get both a libc leak and an arbitrary write in one chain: fill the tcache bin for a size, free one more chunk into the unsorted bin (which yields a libc address), then pull it back into tcache via a specific allocation pattern. It has survived multiple glibc updates with minor adjustments.
Targets in glibc 2.34 and Later
- __free_hook and __malloc_hook removed in 2.34, classical one-shots gone
- FILE struct _IO_2_1_stdout_, _IO_2_1_stderr_ remain attackable via vtable hijack
- exit_funcs (atexit pointers) are mangled with PTR_MANGLE, harder but possible with multi-leak
- tls_dtor_list is the new community favorite for arbitrary RCE post 2.34
Mitigations Beyond glibc
- hardened_malloc (GrapheneOS): per-size-class arenas, guard pages, separate metadata, kills most heap classes
- Scudo (Android, Fuchsia): tcache-like cache with random tagging and quarantine
- MTE on Pixel 8 and ARMv9: hardware memory tagging detects UAF and linear overflows at near-zero overhead
- Microsoft's segment heap and Low-Fragmentation Heap on Windows 11 close many classical primitives
Tooling
- pwndbg or gef inside gdb, with heap, bins, tcache, fastbins commands
- pwntools for scripting allocation and free patterns from your exploit
- how2heap repo from shellphish, every house-of technique with runnable demos
- glibc-all-in-one to test against arbitrary libc versions
Recent CVEs
- CVE-2024-2961 iconv heap overflow, exploitable into RCE on PHP and Apache via crafted charset
- CVE-2024-3094 xz-utils backdoor used heap manipulation in liblzma to redirect sshd RSA verify
- Browser pwns at Pwn2Own continue to rely on heap UAFs in Blink, Gecko, and WebKit
Defense for App Developers
- Rust, Go, or any memory-safe language for new network-facing code
- If C/C++ is required, run under hardened allocator, enable MTE where available
- Fuzz with AFL++ and ASan, both detect heap corruption at the moment of misuse
- Use C++ smart pointers consistently, no raw new/delete in production code
The heap is still the most productive bug class in modern binaries. Tooling has matured, but so has the exploitation literature. Read how2heap, build the demos, then audit your own code.