A Bug Hunter's Diary — Notes

Clickable, chapter-by-chapter notes for the book »A Bug Hunter's Diary« (last updated in June 2016).


Chapters:

Chapter 1 — Bug Hunting

Chapter 2 — Back to the 90s

Chapter 3 — Escape from WWW Zone

Chapter 4 — NULL Pointer FTW

Chapter 5 — Browse and you're Owned

Chapter 6 — One Kernel to Rule them all

Chapter 7 — A Bug Older Than 4.4BSD

Chapter 8 — The Ringtone Massacre

Appendix A — Hints for Hunting

Appendix B — Debugging

Appendix C — Mitigation


►  Chapter 1 — Bug Hunting

1. See Pedram Amini, "Mostrame la guita! Adventures in Buying Vulnerabilities," 2009, http://docs.google.com/present/view?id=dcc6wpsd_20ghbpjxcr; Charlie Miller, "The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales," 2007, http://weis2007.econinfosec.org/papers/29.pdf; iDefense Labs Vulnerability Contribution Program, https://labs.idefense.com/vcpportal/login.html; TippingPoint's Zero Day Initiative, http://www.zerodayinitiative.com/.

2. See Common Weakness Enumeration, CWE List, CWE - Individual Dictionary Definition (2.9), CWE-665: Improper Initialization at http://cwe.mitre.org/data/definitions/665.html.

3. See Common Weakness Enumeration, CWE List, CWE - Individual Dictionary Definition (2.9), CWE-415: Double Free at http://cwe.mitre.org/data/definitions/415.html.

4. See http://www.hex-rays.com/products/ida/index.shtml.

5. See Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 1: Basic Architecture at http://www.intel.com/products/processor/manuals/.




►  Chapter 2 — Back to the 90s

1. See Dick Grune and Ceriel J.H. Jacobs, Parsing Techniques: A Practical Guide, 2nd ed. (New York: Springer Science+Business Media, 2008), 1.

2. The vulnerable source code version of VLC can be downloaded at http://download.videolan.org/pub/videolan/vlc/0.9.4/vlc-0.9.4.tar.bz2.

3. Immunity Debugger is a great Windows debugger based on OllyDbg. It comes with a nice GUI and a lot of extra features and plug-ins to support bug hunting and exploit development. It can be found at http://www.immunityinc.com/products/debugger/index.html.

4. See David Litchfield, "Variations in Exploit Methods Between Linux and Windows," 2003, https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf.

5. See http://www.trapkit.de/books/bhd/.

6. For more information on responsible, coordinated, and full disclosure as well as the commercial vulnerability market, consult Stefan Frei, Dominik Schatzmann, Bernhard Plattner, and Brian Trammel, "Modelling the Security Ecosystem-The Dynamics of (In)Security," 2009, http://www.techzoom.net/Papers/Modeling_The_Security_Ecosystem_(2009).pdf.

7. The Git repository of VLC can be found at http://git.videolan.org/. The first fix issued for this bug can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133.

8. The fix for the subsequent VLC bug that I found can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3.

9. To download Process Explorer, visit http://technet.microsoft.com/en-en/sysinternals/bb896653/.

10. See http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.

11. LookingGlass was a handy tool to scan a directory structure or the running processes to report which binaries do not make use of ASLR and NX. Unfortunately, LookingGlass is no longer available for download.

12. To download BinScope Binary analyzer, visit http://go.microsoft.com/?linkid=9678113.

13. A good article on the exploit mitigation techniques introduced by Microsoft Visual C++ 2005 SP1 and later: Michael Howard, "Protecting Your Code with Visual C++ Defenses," MSDN Magazine, March 2008, http://download.microsoft.com/download/3/A/7/3A7FA450-1F33-41F7-9E6D-3AA95B5A6AEA/MSDNMagazineMarch2008en-us.chm.

14. See http://www.cygwin.com/.

15. The Enhanced Mitigation Experience Toolkit is available at https://microsoft.com/emet/.

16. My security advisory that describes the details of the VLC vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-010.txt.

17. See http://cve.mitre.org/cve/identifiers/index.html.




►  Chapter 3 — Escape from WWW Zone

1. After the acquisition of Sun Microsystems, Oracle decided to discontinue the OpenSolaris distribution and the development model, effectively turning Solaris back into a closed source proprietary operating system.

2. See http://en.wikipedia.org/wiki/Ioctl.

3. For more information on the IP-in-IP tunneling mechanism, refer to http://docs.oracle.com/cd/E19455-01/806-0636/6j9vq2bum/index.html.

4. See the STREAMS Programming Guide from Sun Microsystems Inc., which can be downloaded at http://docs.oracle.com/cd/E19504-01/802-5893/802-5893.pdf.

5. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the source code file at http://trapkit.de/books/bhd/chapter3/stream.h.

6. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the source code file at http://trapkit.de/books/bhd/chapter3/ip.c.

7. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the source code file at http://trapkit.de/books/bhd/chapter3/ip_if.c.

8. The official Oracle Solaris Modular Debugger Guide can be found at http://docs.oracle.com/cd/E19253-01/816-5041/.

9. For more information, refer to the paper "Attacking the Core: Kernel Exploiting Notes" by twiz & sgrakkyu, which can be found at http://phrack.org/issues/64/6.html.

10. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the source code file at http://trapkit.de/books/bhd/chapter3/startup.c.

11. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the source code file at http://trapkit.de/books/bhd/chapter3/putnext.c.

12. See http://www.trapkit.de/books/bhd/.

13. Since the official source tree of OpenSolaris is no longer available, you can find a copy of the patch at http://trapkit.de/books/bhd/chapter3/ip_if.c.diff.

14. My security advisory that describes the details of the Solaris kernel vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-015.txt.




►  Chapter 4 — NULL Pointer FTW

1. See http://wiki.multimedia.cx/index.php?title=YouTube.

2. See http://ffmpeg.org/download.html.

3. See http://www.trapkit.de/books/bhd/.

4. A detailed description of the 4X movie file format can be found at http://wiki.multimedia.cx/index.php?title=4xm_Format.

5. See http://www.trapkit.de/books/bhd/.

6. The patch from the FFmpeg maintainers can be found at http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0838cfdc8a10185604db5cd9d6bffad71279a0e8.

7. For more information on type conversions and associated security problems consult Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (Indianapolis, IN: Addison-Wesley Professional, 2007). See also the sample chapter available at http://ptgmedia.pearsoncmg.com/images/0321444426/samplechapter/Dowd_ch06.pdf.

8. My security advisory that describes the details of the FFmpeg vulnerability can be found at http://www.trapkit.de/advisories/TKADV2009-004.txt.




►  Chapter 5 — Browse and you're Owned

1. COMRaider from iDefense is a great tool to enumerate and fuzz COM object interfaces. COMRaider is no longer available on the iDefense website, but you can find a copy at http://sandsprite.com/tools.php?id=16 or https://github.com/dzzie/COMRaider.

2. For more information, consult "Safe Initialization and Scripting for ActiveX Controls" at http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx.

3. See "Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer" at http://blogs.technet.com/srd/archive/2008/02/03/activex-controls.aspx.

4. For more information on cross-site scripting, refer to https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).

5. See "MindshaRE: Finding ActiveX Methods Dynamically" at http://dvlabs.tippingpoint.com/blog/2009/06/01/mindshare-finding-activex-methods-dynamically/.

6. See http://msdn.microsoft.com/en-us/library/9a16d4e4-a03d-459d-a2ec-3258499f6932(VS.85).

7. WinDbg is the "official" Windows Debugger from Microsoft and is distributed as part of the free "Debugging Tools for Windows" suite, available at http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

8. See http://www.hex-rays.com/products/ida/index.shtml.

9. See http://www.trapkit.de/books/bhd/.

10. See http://seclists.org/fulldisclosure/2008/Aug/83.

11. For more information on Microsoft's SiteLock, see http://msdn.microsoft.com/en-us/library/bb250471%28VS.85%29.aspx.

12. My security advisory that describes the details of the WebEx Meeting Manager vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-009.txt.




►  Chapter 6 — One Kernel to Rule them all

1. See SANS Top 20 Internet Security Problems, Threats and Risks (2007 Annual Update), http://web.archive.org/web/20071211192301/http://www.sans.org/top20/2007/.

2. See http://www.virustotal.com/.

3. See http://www.avast.com/.

4. See http://www.vmware.com/.

5. WinDbg, the "official" Windows Debugger from Microsoft, is distributed as part of the free "Debugging Tools for Windows" suite available at http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

6. You can find a download link for a vulnerable trial version of avast! Professional 4.7 at http://www.trapkit.de/books/bhd/.

7. See http://www.nirsoft.net/utils/driverview.html.

8. See http://www.hex-rays.com/products/ida/index.shtml.

9. See Mark E. Russinovich and David A. Solomon, Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000, 4th ed. (Redmond, WA: Microsoft Press, 2005).

10. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Standard Driver Routines: DriverEntry at http://msdn.microsoft.com/en-us/library/ff544113.aspx.

11. WinObj is available at http://technet.microsoft.com/en-us/sysinternals/bb896657.aspx.

12. The Windows Driver Kit can be downloaded at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.

13. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Standard Driver Routines: DispatchDeviceControl available at http://msdn.microsoft.com/en-us/library/ff543287.aspx.

14. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Kernel Data Types: System-Defined Data Structures: IRP available at http://msdn.microsoft.com/en-us/library/ff550694.aspx.

15. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Design Guide: Writing WDM Drivers: Managing Input/Output for Drivers: Handling IRPs: Using I/O Control Codes: Buffer Descriptions for I/O Control Codes available at http://msdn.microsoft.com/en-us/library/ff540663.aspx.

16. See Jamie Butler, DKOM (Direct Kernel Object Manipulation) (presentation, Black Hat Europe, Amsterdam, May 2004), at http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf.

17. See http://www.trapkit.de/books/bhd/.

18. My security advisory that describes the details of the avast! vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-002.txt.




►  Chapter 7 — A Bug Older Than 4.4BSD

1. The vulnerable source code revision 792.13.8 of XNU can be downloaded at http://www.opensource.apple.com/tarballs/xnu/xnu-792.13.8.tar.gz.

2. See "'You need to restart your computer' (kernel panic) message appears (Mac OS X v10.5, 10.6)" at http://support.apple.com/kb/TS3742.

3. See "Kernel Extension Programming Topics: Debugging a Kernel Extension with GDB" in Mac OS X Developer Library at http://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptDebugger/debug_tutorial.html and "Kernel Programming Guide: When Things Go Wrong; Debugging the Kernel" in Mac OS X Developer Library at http://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/build/build.html#//apple_ref/doc/uid/TP30000905-CH221-CIHBJCGC.

4. See http://www.trapkit.de/books/bhd/.

5. The source code of the fixed XNU version 792.24.17 is available at http://www.opensource.apple.com/tarballs/xnu/xnu-792.24.17.tar.gz.

6. My security advisory that describes the details of the Mac OS X kernel vulnerability can be found at http://www.trapkit.de/advisories/TKADV2007-001.txt.

7. The initial FreeBSD version of tty.c from 1994 can be found at http://svnweb.freebsd.org/base/head/sys/kern/tty.c?revision=1541&view=markup.




►  Chapter 8 — The Ringtone Massacre

1. See http://en.wikipedia.org/wiki/IOS_jailbreaking.

2. See http://cydia.saurik.com/.

3. See "iOS Developer Library: Core Audio Overview" at http://developer.apple.com/library/ios/documentation/MusicAudio/Conceptual/CoreAudioOverview/Introduction/Introduction.html.

4. See "iOS Developer Library: Audio Toolbox Framework Reference" at https://developer.apple.com/library/ios/documentation/MusicAudio/Reference/CAAudioTooboxRef/.

5. See http://en.wikipedia.org/wiki/Advanced_Audio_Coding.

6. See http://ericasadun.com/ftp/EricaUtilities/.

7. The QuickTime File Format Specification is available at http://developer.apple.com/library/mac/documentation/QuickTime/QTFF/QTFFPreface/qtffPreface.html.

8. My security advisory that describes the details of the iPhone vulnerability can be found at http://www.trapkit.de/advisories/TKADV2010-002.txt.




►  Appendix A — Hints for Hunting

1. For a description of ELF, see TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, Version 1.2, 1995, at https://refspecs.linuxbase.org/elf/elf.pdf.




►  Appendix B — Debugging

1. The official Oracle Solaris Modular Debugger Guide can be found at http://docs.oracle.com/cd/E19253-01/816-5041/.

2. See http://www.vmware.com/.

3. See http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

4. See http://www.gnu.org/software/gdb/documentation/.

5. There are still a few download mirror sites available where you can get the Red Hat 7.3 ISO images. Here are a few, as of this writing: http://ftp-stud.hs-esslingen.de/Mirrors/archive.download.redhat.com/redhat/linux/7.3/en/iso/i386/, http://mirror.fraunhofer.de/archive.download.redhat.com/redhat/linux/7.3/en/iso/i386/, and http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/.

6. Apple's custom gdb version can be downloaded at http://www.opensource.apple.com/tarballs/gdb/gdb-292.tar.gz.

7. The standard gdb version from GNU can be downloaded at http://ftp.gnu.org/pub/gnu/gdb/gdb-5.3.tar.gz.

8. The patch for Apple's GNU debugger is available at http://www.trapkit.de/books/bhd/osx_gdb.patch.

9. The XNU version 792.13.8 can be downloaded at http://www.opensource.apple.com/tarballs/xnu/xnu-792.13.8.tar.gz.




►  Appendix C — Mitigation

1. See Rob King, "New Leopard Security Features-Part I: ASLR," DVLabs Tipping Point (blog), November 7, 2007, http://dvlabs.tippingpoint.com/blog/2007/11/07/leopard-aslr.

2. See Tim Burrell, "GS Cookie Protection-Effectiveness and Limitations," Microsoft TechNet Blogs: Security Research & Defense (blog), March 16, 2009, http://blogs.technet.com/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations.aspx; "Enhanced GS in Visual Studio 2010," Microsoft TechNet Blogs: Security Research & Defense (blog), March 20, 2009, http://blogs.technet.com/srd/archive/2009/03/20/enhanced-gs-in-visual-studio-2010.aspx; "Stack Smashing Protector," http://wiki.osdev.org/Stack_Smashing_Protector.

3. See http://people.redhat.com/mingo/exec-shield/.

4. See the home page of the PaX team at http://pax.grsecurity.net/ as well as the grsecurity website at http://www.grsecurity.net/.

5. See Robert Hensing, "Understanding DEP as a Mitigation Technology Part 1," Microsoft TechNet Blogs: Security Research & Defense (blog), June 12, 2009, http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.

6. See http://technet.microsoft.com/en-en/sysinternals/bb896653/.

7. For more information, see the Secunia study by Alin Rad Pop, "DEP/ASLR Implementation Progress in Popular Third-party Windows Applications," 2010, http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf.

8. To download BinScope Binary Analyzer, visit http://go.microsoft.com/?linkid=9678113.

9. See http://www.trapkit.de/tools/checksec.html.

10. See TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, version 1.2, 1995, https://refspecs.linuxbase.org/elf/elf.pdf.

11. See note 9 above.

12. See Chris Rohlf, "Self Protecting Global Offset Table (GOT)," draft version 1.4, August 2008, https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/em386/Self-Protecting-GOT.html.

13. See "Introduction to Solaris Zones: Features Provided by Non-Global Zones," System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, 2010, http://docs.oracle.com/cd/E19455-01/817-1592/zones.intro-9/index.html.

14. See "Solaris Zones Administration (Overview): Privileges in a Non-Global Zone," System Administration Guide: Oracle Solaris Containers - Resource Management and Oracle Solaris Zones, 2010, http://docs.oracle.com/cd/E19455-01/817-1592/z.admin.ov-18/index.html.

15. See http://www.trapkit.de/books/bhd/.