Bug Hunter's Diary


Post on 22-Dec-2015


DESCRIPTION

Bug hunting in code. An excellent guide for programmers who seek excellence and security in every line of code.

TRANSCRIPT

  • $39.95 ($41.95 CDN) Shelve In: Computers/Security

    THE FINEST IN GEEK ENTERTAINMENT www.nostarch.com

    I LAY FLAT. This book uses RepKover, a durable binding that won't snap shut.

    "Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime." Felix "FX" Lindner

    Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.

    A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs or failed to respond to them at all.

    Along the way you'll learn how to:

    * Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering

    * Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws

    * Develop proof-of-concept code that verifies the security flaw

    * Report bugs to vendors or third-party brokers

    A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.

    ABOUT THE AUTHOR

    Tobias Klein is a security researcher and founder of NESO Security Labs, an information security consulting and research company. He is the author of two information security books published in the German language by dpunkt.verlag.

  • A Bug Hunter's Diary

  • San Francisco

  • A Bug Hunter's Diary. Copyright 2011 by Tobias Klein.

    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

    15 14 13 12 11 1 2 3 4 5 6 7 8 9

    ISBN-10: 1-59327-385-1
    ISBN-13: 978-1-59327-385-9

    Publisher: William Pollock
    Production Editor: Alison Law
    Cover Illustration: Hugh D'Andrade
    Developmental Editor: Sondra Silverhawk
    Technical Reviewer: Dan Rosenberg
    Copyeditor: Paula L. Fleming
    Compositor: Riley Hoffman
    Proofreader: Ward Webber

    For information on book distributors or translations, please contact No Starch Press, Inc. directly:

    No Starch Press, Inc.
    38 Ringold Street, San Francisco, CA 94103
    phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

    Library of Congress Cataloging-in-Publication Data:

    Klein, Tobias.
    [Aus dem Tagebuch eines Bughunters. English]
    A bug hunter's diary : a guided tour through the wilds of software security / by Tobias Klein.
    p. cm.
    ISBN-13: 978-1-59327-385-9
    ISBN-10: 1-59327-385-1
    1. Debugging in computer science. 2. Computer security. 3. Malware (Computer software) I. Title.
    QA76.9.D43K5813 2011
    005.8--dc23
    2011033629

    No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

    The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

  • Brief Contents

    Acknowledgments xi

    Introduction 1

    Chapter 1: Bug Hunting 3

    Chapter 2: Back to the '90s 9

    Chapter 3: Escape from the WWW Zone 25

    Chapter 4: NULL Pointer FTW 51

    Chapter 5: Browse and You're Owned 71

    Chapter 6: One Kernel to Rule Them All 87

    Chapter 7: A Bug Older Than 4.4BSD 113

    Chapter 8: The Ringtone Massacre 133

    Appendix A: Hints for Hunting 149

    Appendix B: Debugging 163

    Appendix C: Mitigation 179

    Index 191

  • Contents in Detail

    Acknowledgments xi

    Introduction 1
        The Goals of This Book 1
        Who Should Read the Book 1
        Disclaimer 2
        Resources 2

    Chapter 1: Bug Hunting 3
        1.1 For Fun and Profit 4
        1.2 Common Techniques 4
            My Preferred Techniques 4
            Potentially Vulnerable Code Locations 5
            Fuzzing 5
            Further Reading 5
        1.3 Memory Errors 6
        1.4 Tools of the Trade 6
            Debuggers 6
            Disassemblers 7
        1.5 EIP = 41414141 7
        1.6 Final Note 8

    Chapter 2: Back to the '90s 9
        2.1 Vulnerability Discovery 10
            Step 1: Generate a List of the Demuxers of VLC 10
            Step 2: Identify the Input Data 11
            Step 3: Trace the Input Data 11
        2.2 Exploitation 12
            Step 1: Find a Sampl