A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

Tobias Klein

Language: English

Pages: 208

ISBN: 1593273851

Format: PDF / Kindle (mobi) / ePub


"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional

"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner

Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.

A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.

Along the way you'll learn how to:

  • Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering
  • Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws
  • Develop proof of concept code that verifies the security flaw
  • Report bugs to vendors or third party brokers

A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

security settings of the device in WinObj, I right-clicked the device name, chose Properties from the option list, and then chose the Security tab. The device object allows every system user (Everyone group) to read from or to write to the device (see Figure 6-3). This means that every user of the system is allowed to send data to the IOCTLs implemented by the driver, which is great — this makes this driver a valuable target! Step 4: List the IOCTLs A Windows user space application must

0x10287 66183 cs 0x8 8 ss 0x10 16 ds 0x4b0010 4915216 es 0x340010 3407888 fs 0x25220010 622985232 gs 0x48 72 The debugger output shows that EAX had a value of 0xe0000000. It wasn’t apparent to me where this value came from, so I disassembled the instructions around EIP: (gdb) x/6i $eip - 15 0x35573d : mov %ebx,%eax 0x35573f : shl $0x5,%eax 0x355742 : mov %esi,0x4(%esp,1) 0x355746 : mov 0xffffffa8(%ebp),%ecx 0x355749

(*linesw[tp->t_line].l_close)(tp, flag); 1090 error = (*linesw[t].l_open)(device, tp); 1091 if (error) { 1092 (void)(*linesw[tp->t_line].l_open)(device, tp); 1093 splx(s); 1094 return (error); 1095 } 1096 tp->t_line = t; 1097 splx(s); 1098 } 1099 break; 1100 } [..] Line 1085 now checks whether the value of t is negative. If so, the user-derived data will not be processed any further. This little change was enough to successfully rectify the vulnerability. 7.4 Lessons Learned As a

Vulnerability Remediation Common Vulnerabilities and Exposures Identifiers (CVE-IDs), 2.5 Addendum CVE-2007-4686, 7.5 Addendum CVE-2008-1625, 6.5 Addendum CVE-2008-3558, 5.2 Exploitation CVE-2008-4654, 2.5 Addendum CVE-2008-568, 3.5 Addendum CVE-2009-0385, 4.5 Addendum CVE-2010-0036, 8.2 Crash Analysis and Exploitation COMRaider, Step 1: List the Registered WebEx Objects and Exported Methods coordinated disclosure, 2.3 Vulnerability Remediation Core Audio (Apple

failing to write a book of generalized instructions, I will describe the approaches and techniques that I used to find specific bugs in real-life software. Hopefully this book will help you develop your own style so you can find some interesting security-critical software bugs. 1.1 For Fun and Profit People who hunt for bugs have a variety of goals and motivations. Some independent bug hunters want to improve software security, while others seek personal gain in the form of fame, media

Download sample

Download