A Bug Hunter's Diary

Book Description

"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."

–Felix 'FX' Lindner

A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software.

Table of Contents

  1. A Bug Hunter's Diary
    1. Acknowledgments
    2. Introduction
      1. The Goals of This Book
      2. Who Should Read the Book
      3. Disclaimer
      4. Resources
    3. 1. Bug Hunting
      1. 1.1 For Fun and Profit
      2. 1.2 Common Techniques
        1. My Preferred Techniques
        2. Potentially Vulnerable Code Locations
        3. Fuzzing
        4. Further Reading
      3. 1.3 Memory Errors
      4. 1.4 Tools of the Trade
        1. Debuggers
        2. Disassemblers
      5. 1.5 EIP = 41414141
      6. 1.6 Final Note
        1. Notes
    4. 2. Back to the ’90s
      1. 2.1 Vulnerability Discovery
        1. Step 1: Generate a List of the Demuxers of VLC
        2. Step 2: Identify the Input Data
        3. Step 3: Trace the Input Data
      2. 2.2 Exploitation
        1. Step 1: Find a Sample TiVo Movie File
        2. Step 2: Find a Code Path to Reach the Vulnerable Code
        3. Step 3: Manipulate the TiVo Movie File to Crash VLC
        4. Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
      3. 2.3 Vulnerability Remediation
      4. 2.4 Lessons Learned
      5. 2.5 Addendum
        1. Notes
    5. 3. Escape from the WWW Zone
      1. 3.1 Vulnerability Discovery
        1. Step 1: List the IOCTLs of the Kernel
        2. Step 2: Identify the Input Data
        3. Step 3: Trace the Input Data
      2. 3.2 Exploitation
        1. Step 1: Trigger the NULL Pointer Dereference for a Denial of Service
        2. Step 2: Use the Zero Page to Get Control over EIP/RIP
      3. 3.3 Vulnerability Remediation
      4. 3.4 Lessons Learned
      5. 3.5 Addendum
        1. Notes
    6. 4. NULL Pointer FTW
      1. 4.1 Vulnerability Discovery
        1. Step 1: List the Demuxers of FFmpeg
        2. Step 2: Identify the Input Data
        3. Step 3: Trace the Input Data
      2. 4.2 Exploitation
        1. Step 1: Find a Sample 4X Movie File with a Valid strk Chunk
        2. Step 2: Learn About the Layout of the strk Chunk
        3. Step 3: Manipulate the strk Chunk to Crash FFmpeg
        4. Step 4: Manipulate the strk Chunk to Gain Control over EIP
      3. 4.3 Vulnerability Remediation
      4. 4.4 Lessons Learned
      5. 4.5 Addendum
        1. Notes
    7. 5. Browse and You’re Owned
      1. 5.1 Vulnerability Discovery
        1. Step 1: List the Registered WebEx Objects and Exported Methods
        2. Step 2: Test the Exported Methods in the Browser
        3. Step 3: Find the Object Methods in the Binary
        4. Step 4: Find the User-Controlled Input Values
        5. Step 5: Reverse Engineer the Object Methods
      2. 5.2 Exploitation
      3. 5.3 Vulnerability Remediation
      4. 5.4 Lessons Learned
      5. 5.5 Addendum
        1. Notes
    8. 6. One Kernel to Rule Them All
      1. 6.1 Vulnerability Discovery
        1. Step 1: Prepare a VMware Guest for Kernel Debugging
        2. Step 2: Generate a List of the Drivers and Device Objects Created by avast!
        3. Step 3: Check the Device Security Settings
        4. Step 4: List the IOCTLs
        5. Step 5: Find the User-Controlled Input Values
        6. Step 6: Reverse Engineer the IOCTL Handler
      2. 6.2 Exploitation
      3. 6.3 Vulnerability Remediation
      4. 6.4 Lessons Learned
      5. 6.5 Addendum
        1. Notes
    9. 7. A Bug Older Than 4.4BSD
      1. 7.1 Vulnerability Discovery
        1. Step 1: List the IOCTLs of the Kernel
        2. Step 2: Identify the Input Data
        3. Step 3: Trace the Input Data
      2. 7.2 Exploitation
        1. Step 1: Trigger the Bug to Crash the System (Denial of Service)
        2. Step 2: Prepare a Kernel-Debugging Environment
        3. Step 3: Connect the Debugger to the Target System
        4. Step 4: Get Control over EIP
      3. 7.3 Vulnerability Remediation
      4. 7.4 Lessons Learned
      5. 7.5 Addendum
        1. Notes
    10. 8. The Ringtone Massacre
      1. 8.1 Vulnerability Discovery
        1. Step 1: Research the iPhone’s Audio Capabilities
        2. Step 2: Build a Simple Fuzzer and Fuzz the Phone
      2. 8.2 Crash Analysis and Exploitation
      3. 8.3 Vulnerability Remediation
      4. 8.4 Lessons Learned
      5. 8.5 Addendum
        1. Notes
    11. A. Hints for Hunting
      1. A.1 Stack Buffer Overflows
        1. Example: Stack Buffer Overflow Under Linux
        2. Example: Stack Buffer Overflow Under Windows
      2. A.2 NULL Pointer Dereferences
      3. A.3 Type Conversions in C
      4. A.4 GOT Overwrites
        1. Notes
    12. B. Debugging
      1. B.1 The Solaris Modular Debugger (mdb)
        1. Starting and Stopping mdb
        2. General Commands
        3. Breakpoints
        4. Running the Debuggee
        5. Examining Data
        6. Information Commands
        7. Other Commands
      2. B.2 The Windows Debugger (WinDbg)
        1. Starting and Stopping a Debugging Session
        2. General Commands
        3. Breakpoints
        4. Running the Debuggee
        5. Examining Data
        6. Information Commands
        7. Other Commands
      3. B.3 Windows Kernel Debugging
        1. Step 1: Configure the VMware Guest System for Remote Kernel Debugging
        2. Step 2: Adjust the boot.ini of the Guest System
        3. Step 3: Configure WinDbg on the VMware Host for Windows Kernel Debugging
      4. B.4 The GNU Debugger (gdb)
        1. Starting and Stopping gdb
        2. General Commands
        3. Breakpoints
        4. Running the Debuggee
        5. Examining Data
        6. Information Commands
        7. Other Commands
      5. B.5 Using Linux as a Mac OS X Kernel-Debugging Host
        1. Step 1: Install an Ancient Red Hat 7.3 Linux Operating System
        2. Step 2: Get the Necessary Software Packages
        3. Step 3: Build Apple’s Debugger on the Linux Host
        4. Step 4: Prepare the Debugging Environment
        5. Notes
    13. C. Mitigation
      1. C.1 Exploit Mitigation Techniques
        1. Address Space Layout Randomization (ASLR)
        2. Security Cookies (/GS), Stack-Smashing Protection (SSP), or Stack Canaries
        3. NX and DEP
        4. Detecting Exploit Mitigation Techniques
      2. C.2 RELRO
        1. Test Case 1: Partial RELRO
        2. Test Case 2: Full RELRO
        3. Conclusion
      3. C.3 Solaris Zones
        1. Terminology
        2. Set Up a Non-Global Solaris Zone
        3. Notes
    14. D. Updates
    15. Index
    16. About the Author
    17. Colophon