A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

Tobias Klein

Language: English

Pages: 208

ISBN: 1593273851

Format: PDF / Kindle (mobi) / ePub


"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional

"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner

Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.

A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.

Along the way you'll learn how to:

  • Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering
  • Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws
  • Develop proof of concept code that verifies the security flaw
  • Report bugs to vendors or third party brokers

A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.

      data[1] = 0x30; // ASCII zero
126   data[2] = 0x31; // the digit '1'
127   data[3] = 0x00; // NULL termination
128
129   ////////////////////////////////////////////////
130   // IOCTL request
131   syscall (SYS_ioctl, fd, SIOCGTUNPARAM, data);
132
133   printf ("[-] ERROR: triggering the NULL ptr deref failed\n");
134   close (fd);
135
136   return 0;
137 }

In line 19 of Example 3-2, the zero page is mapped using mmap(). But the most interesting part of the POC code is the layout of the zero page data (see

execution of the process:

    (gdb) continue
    Continuing.

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_PROTECTION_FAILURE at address: 0x00000072
    0x00000072 in ?? ()

After the crash, I looked at the stack location (memory address 0x1301bfc) where the MP4AudioStream::ParseHeader() function expects to find its saved program counter.

    (gdb) x/12x 0x1301bfc
    0x1301bfc: 0x00000073 0x00000000 0x04000001 0x0400002d
    0x1301c0c: 0x00000000 0x73747328 0x00000063 0x00000000

from Example A-1 without security cookie (/GS) support under Windows Vista SP2 (see Section C.1):

    C:\Users\tk\BHD>cl /nologo /GS- stackoverflow.c
    stackoverflow.c

Then, I started the program in the debugger (see Section B.2 for more information about WinDbg) while supplying the same input data as in the Linux example above. As Figure A-2 shows, I got the same result as under Linux: control over the instruction pointer (see the EIP register).

Figure A-2. Stack buffer overflow under Windows

of VLC from http://download.videolan.org/pub/videolan/vlc/0.9.4/win32/. Next, I tried to manipulate the TiVo sample file in order to crash VLC. To achieve this, all I had to do was change the 4-byte value at the sample file offset of i_map_size (which was 0x00300014 in this example). As illustrated in Figure 2-4, I changed the 32-bit value at file offset 0x00300014 from 0x00000002 to 0x000000ff. The new value of 255 bytes (0xff) should be enough to overflow the 32-byte stack buffer and to
