#36 | bin08 – Hitting the exit brick wall of tls_dtor_list

Hey, it’s me again. Let’s continue our last article. What I’ll try to do today is talk about the tls_dtor_list, the list of functions that gets executed during the exit mechanism of a glibc program. This quick article is more of an issue report than real progress, but since I learned a few things I can talk about them here.

I’m still very new to heap exploitation, so I might move on to another subject and come back to this one at a later date, once I get a better grasp of it.


Issue with the tls_dtor_list

I’ve read a few articles about tls_dtor_list, and some of them mention a pointer mangling function, meaning that the pointer to tls_dtor_list gets xor’d with an arbitrary value. This commit seems to be the cause of that. I couldn’t understand why some exploitation write-ups (2015) didn’t even mention it, but they were probably written too early. A friend of mine wrote an article about tls_dtor_list with an analysis of how it could be exploited by leaking the ptr_guard value.

Basically, pointer encryption or mangling is a glibc security feature that aims to make it harder for attackers to manipulate pointers, such as function pointers in glibc structures. There are two defined functions, PTR_MANGLE() and PTR_DEMANGLE(), used to mangle and demangle a pointer with a fixed key. The xor key is generated during the startup code initialization, either by the dynamic linker for a dynamically linked executable or by the C library for a statically linked executable.
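To make the mechanism concrete, here is a small model I added for this article; it is not glibc's code. It models the transform glibc's x86-64 PTR_MANGLE / PTR_DEMANGLE macros apply to a stored function pointer (xor with the pointer guard, then a rotate left by 17 bits; demangling rotates right and xors back), keeps the destructor pointer mangled in a tls_dtor_list-style node, and walks the list the way the exit path does: demangle first, then call. The guard value, the node layout and the function names (`ptr_mangle`, `ptr_demangle`, `register_dtor`, `run_dtors`) are all assumptions made for the example; only the xor-with-key idea comes from the article, and the rotate is what glibc's x86-64 sysdep.h adds on top of it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of glibc's x86-64 PTR_MANGLE / PTR_DEMANGLE:
 * mangle   = rol(ptr ^ guard, 17)
 * demangle = ror(stored, 17) ^ guard
 * The guard below is a constant chosen for the example; glibc fills the
 * real one with random bytes at startup and keeps it in the TCB. */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)      { return rol64(ptr ^ guard, 17); }
uint64_t ptr_demangle(uint64_t stored, uint64_t guard) { return ror64(stored, 17) ^ guard; }

typedef void (*dtor_fn)(void *);

/* One tls_dtor_list-style node: the destructor pointer lives in memory mangled. */
struct dtor_node {
    uint64_t func;             /* PTR_MANGLE'd function pointer */
    void *obj;                 /* argument handed to the destructor */
    struct dtor_node *next;
};

/* Register a destructor the way the list is built: store the pointer mangled. */
void register_dtor(struct dtor_node *node, dtor_fn fn, void *obj,
                   uint64_t guard, struct dtor_node **head)
{
    node->func = ptr_mangle((uint64_t)(uintptr_t)fn, guard);
    node->obj  = obj;
    node->next = *head;
    *head = node;
}

/* Walk the list as the exit path does: demangle each pointer, then call it.
 * Returns the number of destructors invoked. */
int run_dtors(struct dtor_node *head, uint64_t guard)
{
    int n = 0;
    for (struct dtor_node *cur = head; cur; cur = cur->next) {
        dtor_fn fn = (dtor_fn)(uintptr_t)ptr_demangle(cur->func, guard);
        fn(cur->obj);
        n++;
    }
    return n;
}

static void sample_dtor(void *obj) { (*(int *)obj)++; }

/* End-to-end: register one destructor, run the list, report whether it ran. */
int demo_roundtrip(void)
{
    uint64_t guard = 0x5A5A1234ABCD0F0FULL;   /* constructed guard value */
    struct dtor_node node;
    struct dtor_node *head = NULL;
    int counter = 0;

    register_dtor(&node, sample_dtor, &counter, guard, &head);
    run_dtors(head, guard);
    return counter;                            /* 1 when the demangled pointer hit sample_dtor */
}

/* Why the feature matters: the walker demangles whatever it finds, so a raw,
 * unmangled address written into the slot decodes to an unrelated value
 * unless the writer knows the guard. Returns 1 when the decode differs. */
int raw_value_decodes_elsewhere(uint64_t raw, uint64_t guard)
{
    return ptr_demangle(raw, guard) != raw;
}

int main(void)
{
    printf("destructor ran: %d\n", demo_roundtrip());
    printf("raw value decodes elsewhere: %d\n",
           raw_value_decodes_elsewhere(0x401000ULL, 0x5A5A1234ABCD0F0FULL));
    return 0;
}
```

The round trip only works because `run_dtors` is handed the same guard that `register_dtor` used; that is the whole point of the article's observation that exploitation of this list needs the ptr_guard value leaked first. Note that the rotate by 17 is specific to glibc on x86-64; other ports use different constants.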


What did I learn today?

  • Presence of ptr_guard / pointer mangling on tls_dtor_list since 2016
  • How the pointer guard works
