A Bug Hunter's Diary

Post on 07-Oct-2014


A Bug Hunter's Diary

San Francisco

A Bug Hunter's Diary. Copyright 2011 by Tobias Klein. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

15 14 13 12 11   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-385-1
ISBN-13: 978-1-59327-385-9

Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Hugh D'Andrade
Developmental Editor: Sondra Silverhawk
Technical Reviewer: Dan Rosenberg
Copyeditor: Paula L. Fleming
Compositor: Riley Hoffman
Proofreader: Ward Webber

For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
38 Ringold Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data:
Klein, Tobias.
[Aus dem Tagebuch eines Bughunters. English]
A bug hunter's diary : a guided tour through the wilds of software security / by Tobias Klein.
p. cm.
ISBN-13: 978-1-59327-385-9
ISBN-10: 1-59327-385-1
1. Debugging in computer science. 2. Computer security. 3. Malware (Computer software) I. Title.
QA76.9.D43K5813 2011
005.8--dc23
2011033629

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

Brief Contents

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1: Bug Hunting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2: Back to the '90s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 3: Escape from the WWW Zone . . . . . . . . . . . . . . . . . . . 25
Chapter 4: NULL Pointer FTW . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Chapter 5: Browse and You're Owned . . . . . . . . . . . . . . . . . . . . . 71
Chapter 6: One Kernel to Rule Them All . . . . . . . . . . . . . . . . . . . . 87
Chapter 7: A Bug Older Than 4.4BSD . . . . . . . . . . . . . . . . . . . . . 113
Chapter 8: The Ringtone Massacre . . . . . . . . . . . . . . . . . . . . . . . 133
Appendix A: Hints for Hunting . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Appendix B: Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Appendix C: Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Contents in Detail

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
    The Goals of This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
    Who Should Read the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
    Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
    Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Chapter 1: Bug Hunting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
    1.1 For Fun and Profit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
    1.2 Common Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
        My Preferred Techniques . . . . . . . . . . . . . . . . . . . . . . . . . 4
        Potentially Vulnerable Code Locations . . . . . . . . . . . . . . . . 5
        Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
        Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
    1.3 Memory Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
    1.4 Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
        Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
        Disassemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
    1.5 EIP = 41414141 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
    1.6 Final Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2: Back to the '90s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
    2.1 Vulnerability Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 10
        Step 1: Generate a List of the Demuxers of VLC . . . . . . . . . 10
        Step 2: Identify the Input Data . . . . . . . . . . . . . . . . . . . . . 11
        Step 3: Trace the Input Data . . . . . . . . . . . . . . . . . . . . . . . 11
    2.2 Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
        Step 1: Find a Sample TiVo Movie File . . . . . . . . . . . . . . . . 13
        Step 2: Find a Code Path to Reach the Vulnerable Code . . . . 13
        Step 3: Manipulate the TiVo Movie File to Crash VLC . . . . . . 16
        Step 4: Manipulate the TiVo Movie File to Gain Control of EIP 17
    2.3 Vulnerability Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 18
    2.4 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
    2.5 Addendum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 3: Escape from the WWW Zone . . . . . . . . . . . . . . . . . . . 25
    3.1 Vulnerability Discovery
        Step 1: List the IOCTLs of the Kernel
        Step 2: Identify the Input Data
        Step 3: Trace the Input Data
    3.2 Exploitation
        Step 1: Trigger the NULL Pointer Dereference for a Denial of Service
        Step 2: Use the Zero Page to Get Control over EIP/RIP
    3.3 Vulnerability Remediation
    3.4 Lessons Learned
    3.5 Addendum