Arbitrary write vulnerability without buffer overflow

Question

I was diving into memory vulnerabilities (C/C++) and I am interested in knowing what kind of vulnerabilities allow an arbitrary memory write (or read) without exploiting a buffer overflow (or overread). The ultimate goal would be to reach an arbitrary location (target) exploiting a memory vulnerability (source), without accessing the memory between the target and the source. It doesn't matter if the location can be choosen, I'm only interested in the ability of reaching a distant location.

I know a possible example would be the use of the %n placeholder in the printf functions and similar (format string vulnerability). Are there any other?

I also know that corrupting an index somehow (maybe integer overflow) might lead to such an arbitrary write, like in the following example:

#include <stdlib.h>

void main(int argc, char ** argv){
    int c = atoi(*(argv+1)); //get value from input
    char buf[40000];    
    if(c>39999) return 1; //check boundary for buffer
    short ind = c; //wrong conversion --> integer overflow
    buf[ind] = 'c'; //Write to arbitrary location (negative index)
}

However, I wonder if there are more classical examples of such vulnerabilities. Thank you for your help!

Answer 1

Simply set a pointer to an arbitrary address and indirect through it.

#include <stdlib.h>

void main(int argc, char ** argv){
    char *c = (char *)strtoul(*(argv+1), NULL, 0); //get value from input
    *c = 'c';
}