A Bug Hunter's Diary - Notes

Clickable, chapter-by-chapter notes for the book »A Bug Hunter's Diary«


Chapter 1 - Bug Hunting

Chapter 2 - Back to the 90s

Chapter 3 - Escape from WWW Zone

Chapter 4 - NULL Pointer FTW

Chapter 5 - Browse and you're Owned

Chapter 6 - One Kernel to Rule them all

Chapter 7 - A Bug Older Than 4.4BSD

Chapter 8 - The Ringtone Massacre

Appendix A - Hints for Hunting

Appendix B - Debugging

Appendix C - Mitigation

►  Chapter 1 - Bug Hunting

1. See Pedram Amini, "Mostrame la guita! Adventures in Buying Vulnerabilities," 2009, http://docs.google.com/present/view?id=dcc6wpsd_20ghbpjxcr; Charlie Miller, "The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales," 2007, http://weis2007.econinfosec.org/papers/29.pdf; iDefense Labs Vulnerability Contribution Program, https://labs.idefense.com/vcpportal/login.html; TippingPoint's Zero Day Initiative, http://www.zerodayinitiative.com/.

2. See Daniel Hodson, "Uninitialized Variables: Finding, Exploiting, Automating" (presentation, Ruxcon, 2008), http://felinemenace.org/~mercy/slides/RUXCON2008-UninitializedVariables.pdf.

3. See Common Weakness Enumeration, CWE List, CWE - Individual Dictionary Definition (2.0), CWE-415: Double Free at http://cwe.mitre.org/data/definitions/415.html.

4. See http://www.hex-rays.com/products/ida/index.shtml.

5. See Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 1: Basic Architecture at http://www.intel.com/products/processor/manuals/.

►  Chapter 2 - Back to the 90s

1. See Dick Grune and Ceriel J.H. Jacobs, Parsing Techniques: A Practical Guide, 2nd ed. (New York: Springer Science+Business Media, 2008), 1.

2. The vulnerable source code version of VLC can be downloaded at http://download.videolan.org/pub/videolan/vlc/0.9.4/vlc-0.9.4.tar.bz2.

3. Immunity Debugger is a great Windows debugger based on OllyDbg. It comes with a nice GUI and a lot of extra features and plug-ins to support bug hunting and exploit development. It can be found at http://www.immunityinc.com/products-immdbg.shtml.

4. See David Litchfield, "Variations in Exploit Methods Between Linux and Windows," 2003, http://www.nccgroup.com/Libraries/Document_Downloads/Variations_in_Exploit_methods_

5. See http://www.trapkit.de/books/bhd/.

6. For more information on responsible, coordinated, and full disclosure as well as the commercial vulnerability market, consult Stefan Frei, Dominik Schatzmann, Bernhard Plattner, and Brian Trammell, "Modelling the Security Ecosystem - The Dynamics of (In)Security," 2009, http://www.techzoom.net/publications/security-ecosystem/.

7. The Git repository of VLC can be found at http://git.videolan.org/. The first fix issued for this bug can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133.

8. The fix for the subsequent VLC bug that I found can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3.

9. To download Process Explorer, visit http://technet.microsoft.com/en-en/sysinternals/bb896653/.

10. See http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.

11. LookingGlass is a handy tool to scan a directory structure or the running processes to report which binaries do not make use of ASLR and NX. It can be found at http://www.erratasec.com/lookingglass.html.

12. To download BinScope Binary Analyzer, visit http://go.microsoft.com/?linkid=9678113.

13. A good article on the exploit mitigation techniques introduced by Microsoft Visual C++ 2005 SP1 and later: Michael Howard, "Protecting Your Code with Visual C++ Defenses," MSDN Magazine, March 2008, http://msdn.microsoft.com/en-us/magazine/cc337897.aspx.

14. See http://www.cygwin.com/.

15. The Enhanced Mitigation Experience Toolkit is available at http://blogs.technet.com/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx.

16. My security advisory that describes the details of the VLC vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-010.txt.

17. See http://cve.mitre.org/cve/identifiers/index.html.

►  Chapter 3 - Escape from WWW Zone

1. The source code of OpenSolaris can be downloaded at http://dlc.sun.com/osol/on/downloads/.

2. See http://en.wikipedia.org/wiki/Ioctl.

3. For more information on the IP-in-IP tunneling mechanism, refer to http://download.oracle.com/docs/cd/E19455-01/806-0636/6j9vq2bum/index.html.

4. See the STREAMS Programming Guide from Sun Microsystems Inc., which can be downloaded at http://download.oracle.com/docs/cd/E19504-01/802-5893/802-5893.pdf.

5. OpenGrok source browser reference of OpenSolaris: http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/sys/stream.h?r=4823%3A7c9aaea16585.

6. OpenGrok source browser reference of OpenSolaris: http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip.c?r=4823%3A7c9aaea16585.

7. OpenGrok source browser reference of OpenSolaris: http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c?r=5240%3Ae7599510dd03.

8. The official Solaris Modular Debugger Guide can be found at http://dlc.sun.com/osol/docs/content/MODDEBUG/moddebug.html.

9. For more information, refer to the paper "Attacking the Core: Kernel Exploiting Notes" by twiz & sgrakkyu, which can be found at http://www.phrack.com/issues.html?issue=64&id=6.

10. More information on the virtual address space of Solaris processes can be found at http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/i86pc/os/startup.c?r=10942:eaa343de0d06.

11. OpenGrok source browser reference of OpenSolaris: http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/os/putnext.c?r=0%3A68f95e015346.

12. See http://www.trapkit.de/books/bhd/.

13. The patch from Sun can be found at http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c?r1=/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c@5240&r2=/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c@5335&format=s&full=0.

14. My security advisory that describes the details of the Solaris kernel vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-015.txt.

►  Chapter 4 - NULL Pointer FTW

1. See http://wiki.multimedia.cx/index.php?title=YouTube.

2. See http://ffmpeg.org/download.html.

3. See http://www.trapkit.de/books/bhd/.

4. A detailed description of the 4X movie file format can be found at http://wiki.multimedia.cx/index.php?title=4xm_Format.

5. See http://www.trapkit.de/books/bhd/.

6. The patch from the FFmpeg maintainers can be found at http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0838cfdc8a10185604db5cd9d6bffad71279a0e8.

7. For more information on type conversions and associated security problems consult Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (Indianapolis, IN: Addison-Wesley Professional, 2007). See also the sample chapter available at http://ptgmedia.pearsoncmg.com/images/0321444426/samplechapter/Dowd_ch06.pdf.

8. My security advisory that describes the details of the FFmpeg vulnerability can be found at http://www.trapkit.de/advisories/TKADV2009-004.txt.

►  Chapter 5 - Browse and you're Owned

1. COMRaider from iDefense is a great tool to enumerate and fuzz COM object interfaces. See http://labs.idefense.com/software/download/?downloadID=23.

2. For more information, consult "Safe Initialization and Scripting for ActiveX Controls" at http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx.

3. See "Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer" at http://blogs.technet.com/srd/archive/2008/02/03/activex-controls.aspx.

4. For more information on cross-site scripting, refer to https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).

5. See "MindshaRE: Finding ActiveX Methods Dynamically" at http://dvlabs.tippingpoint.com/blog/2009/06/01/mindshare-finding-activex-methods-dynamically/.

6. See http://msdn.microsoft.com/en-us/library/9a16d4e4-a03d-459d-a2ec-3258499f6932(VS.85).

7. WinDbg is the "official" Windows Debugger from Microsoft and is distributed as part of the free "Debugging Tools for Windows" suite, available at http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

8. See http://www.hex-rays.com/products/ida/index.shtml.

9. See http://www.trapkit.de/books/bhd/.

10. See http://seclists.org/fulldisclosure/2008/Aug/83.

11. For more information on Microsoft's SiteLock, see http://msdn.microsoft.com/en-us/library/bb250471%28VS.85%29.aspx.

12. My security advisory that describes the details of the WebEx Meeting Manager vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-009.txt.

►  Chapter 6 - One Kernel to Rule them all

1. See SANS Top 20 Internet Security Problems, Threats and Risks (2007 Annual Update), http://www.sans.org/top20/2007/.

2. See http://www.virustotal.com/.

3. See http://www.avast.com/.

4. See http://www.vmware.com/.

5. WinDbg, the "official" Windows Debugger from Microsoft, is distributed as part of the free "Debugging Tools for Windows" suite available at http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

6. You can find a download link for a vulnerable trial version of avast! Professional 4.7 at http://www.trapkit.de/books/bhd/.

7. See http://www.nirsoft.net/utils/driverview.html.

8. See http://www.hex-rays.com/products/ida/index.shtml.

9. See Mark E. Russinovich and David A. Solomon, Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000, 4th ed. (Redmond, WA: Microsoft Press, 2005).

10. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Standard Driver Routines: DriverEntry at http://msdn.microsoft.com/en-us/library/ff544113.aspx.

11. WinObj is available at http://technet.microsoft.com/en-us/sysinternals/bb896657.aspx.

12. The Windows Driver Kit can be downloaded at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.

13. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Standard Driver Routines: DispatchDeviceControl available at http://msdn.microsoft.com/en-us/library/ff543287.aspx.

14. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Reference: Kernel Data Types: System-Defined Data Structures: IRP available at http://msdn.microsoft.com/en-us/library/ff550694.aspx.

15. See MSDN Library: Windows Development: Windows Driver Kit: Kernel-Mode Driver Architecture: Design Guide: Writing WDM Drivers: Managing Input/Output for Drivers: Handling IRPs: Using I/O Control Codes: Buffer Descriptions for I/O Control Codes available at http://msdn.microsoft.com/en-us/library/ff540663.aspx.

16. See Jamie Butler, DKOM (Direct Kernel Object Manipulation) (presentation, Black Hat Europe, Amsterdam, May 2004), at http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf.

17. See http://www.trapkit.de/books/bhd/.

18. My security advisory that describes the details of the avast! vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-002.txt.

►  Chapter 7 - A Bug Older Than 4.4BSD

1. The vulnerable source code revision 792.13.8 of XNU can be downloaded at http://www.opensource.apple.com/tarballs/xnu/xnu-792.13.8.tar.gz.

2. See "'You need to restart your computer' (kernel panic) message appears (Mac OS X v10.5, 10.6)" at http://support.apple.com/kb/TS3742.

3. See "Kernel Extension Programming Topics: Debugging a Kernel Extension with GDB" in Mac OS X Developer Library at http://developer.apple.com/library/mac/#documentation/ and "Kernel Programming Guide: When Things Go Wrong; Debugging the Kernel" in Mac OS X Developer Library at http://developer.apple.com/library/mac/documentation/Darwin/Conceptual/

4. See http://www.trapkit.de/books/bhd/.

5. The source code of the fixed XNU version 792.24.17 is available at http://www.opensource.apple.com/tarballs/xnu/xnu-792.24.17.tar.gz.

6. My security advisory that describes the details of the Mac OS X kernel vulnerability can be found at http://www.trapkit.de/advisories/TKADV2007-001.txt.

7. The initial FreeBSD version of tty.c from 1994 can be found at http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/tty.c?rev=1.1;content-type=text/plain.

►  Chapter 8 - The Ringtone Massacre

1. See http://en.wikipedia.org/wiki/IOS_jailbreaking.

2. See http://cydia.saurik.com/.

3. See "iOS Developer Library: Core Audio Overview" at http://developer.apple.com/

4. See "iOS Developer Library: Audio Toolbox Framework Reference" at http://developer.apple.com/library/ios/#documentation/MusicAudio/Reference/

5. See http://en.wikipedia.org/wiki/Advanced_Audio_Coding.

6. See http://ericasadun.com/ftp/EricaUtilities/.

7. The QuickTime File Format Specification is available at http://developer.apple.com/

8. My security advisory that describes the details of the iPhone vulnerability can be found at http://www.trapkit.de/advisories/TKADV2010-002.txt.

►  Appendix A - Hints for Hunting

1. For a description of ELF, see TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, Version 1.2, 1995, at http://refspecs.freestandards.org/

►  Appendix B - Debugging

1. See the Solaris Modular Debugger Guide at http://dlc.sun.com/osol/docs/content/MODDEBUG/moddebug.html.

2. See http://www.vmware.com/.

3. See http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

4. See http://www.gnu.org/software/gdb/documentation/.

5. There are still a few download mirror sites available where you can get the Red Hat 7.3 ISO images. Here are a few, as of this writing: http://ftp-stud.hs-esslingen.de/Mirrors/ , http://mirror.fraunhofer.de/archive.download.redhat.com/redhat/linux/7.3/en/iso/i386/, and http://mirror.cs.wisc.edu/pub/mirrors/linux/archive.download.redhat.com/redhat/

6. Apple's custom gdb version can be downloaded at http://www.opensource.apple.com/tarballs/gdb/gdb-292.tar.gz.

7. The standard gdb version from GNU can be downloaded at http://ftp.gnu.org/pub/gnu/gdb/gdb-5.3.tar.gz.

8. The patch for Apple's GNU debugger is available at http://www.trapkit.de/books/bhd/osx_gdb.patch.

9. The XNU version 792.13.8 can be downloaded at http://www.opensource.apple.com/tarballs/xnu/xnu-792.13.8.tar.gz.

►  Appendix C - Mitigation

1. See Rob King, "New Leopard Security Features - Part I: ASLR," DVLabs Tipping Point (blog), November 7, 2007, http://dvlabs.tippingpoint.com/blog/2007/11/07/leopard-aslr.

2. See Tim Burrell, "GS Cookie Protection - Effectiveness and Limitations," Microsoft TechNet Blogs: Security Research & Defense (blog), March 16, 2009, http://blogs.technet.com/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations.aspx; "Enhanced GS in Visual Studio 2010," Microsoft TechNet Blogs: Security Research & Defense (blog), March 20, 2009, http://blogs.technet.com/srd/archive/2009/03/20/enhanced-gs-in-visual-studio-2010.aspx; IBM Research, "GCC Extension for Protecting Applications from Stack-Smashing Attacks," last updated August 22, 2005, http://researchweb.watson.ibm.com/trl/projects/security/ssp/.

3. See http://people.redhat.com/mingo/exec-shield/.

4. See the home page of the PaX team at http://pax.grsecurity.net/ as well as the grsecurity website at http://www.grsecurity.net/.

5. See Robert Hensing, "Understanding DEP as a Mitigation Technology Part 1," Microsoft TechNet Blogs: Security Research & Defense (blog), June 12, 2009, http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.

6. See http://technet.microsoft.com/en-en/sysinternals/bb896653/.

7. For more information, see the Secunia study by Alin Rad Pop, "DEP/ASLR Implementation Progress in Popular Third-party Windows Applications," 2010, http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf.

8. To download BinScope Binary Analyzer, visit http://go.microsoft.com/?linkid=9678113.

9. See http://www.trapkit.de/tools/checksec.html.

10. See TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, version 1.2, 1995, http://refspecs.freestandards.org/elf/elf.pdf.

11. See note 9 above.

12. See Chris Rohlf, "Self Protecting Global Offset Table (GOT)," draft version 1.4, August 2008, http://code.google.com/p/em386/downloads/detail?name=Self-Protecting-GOT.html.

13. See "Introduction to Solaris Zones: Features Provided by Non-Global Zones," System Administration Guide: Oracle Solaris Containers - Resource Management and Oracle Solaris Zones, 2010, http://download.oracle.com/docs/cd/E19455-01/817-1592/zones.intro-9/index.html.

14. See "Solaris Zones Administration (Overview): Privileges in a Non-Global Zone," System Administration Guide: Virtualization Using the Solaris Operating System, 2010, http://download.oracle.com/docs/cd/E19082-01/819-2450/z.admin.ov-18/index.html.

15. See http://www.trapkit.de/books/bhd/.