Bug Hunter's Diary


Posted on 22-Dec-2015


DESCRIPTION

Bug hunting in code. An excellent guide for programmers who seek excellence and security in every line of code.

TRANSCRIPT

<ul>
<li><p>$39.95 ($41.95 CDN) Shelve In: Computers/Security</p>
<p>THE FINEST IN GEEK ENTERTAINMENT www.nostarch.com</p>
<p>I LAY FLAT. This book uses RepKover, a durable binding that won't snap shut.</p>
<p>"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime." Felix "FX" Lindner</p>
<p>Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.</p>
<p>A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs or failed to respond to them at all.</p>
<p>Along the way you'll learn how to:</p>
<ul>
<li>Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering</li>
<li>Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws</li>
<li>Develop proof-of-concept code that verifies the security flaw</li>
<li>Report bugs to vendors or third-party brokers</li>
</ul>
<p>A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.</p>
<p>ABOUT THE AUTHOR</p>
<p>Tobias Klein is a security researcher and founder of NESO Security Labs, an information security consulting and research company. He is the author of two information security books published in the German language by dpunkt.verlag.</p></li>
<li><p>A Bug Hunter's Diary</p></li>
<li><p>San Francisco</p></li>
<li><p>A Bug Hunter's Diary. Copyright 2011 by Tobias Klein.</p>
<p>All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.</p>
<p>15 14 13 12 11 1 2 3 4 5 6 7 8 9</p>
<p>ISBN-10: 1-59327-385-1</p>
<p>ISBN-13: 978-1-59327-385-9</p>
<ul>
<li>Publisher: William Pollock</li>
<li>Production Editor: Alison Law</li>
<li>Cover Illustration: Hugh D'Andrade</li>
<li>Developmental Editor: Sondra Silverhawk</li>
<li>Technical Reviewer: Dan Rosenberg</li>
<li>Copyeditor: Paula L. Fleming</li>
<li>Compositor: Riley Hoffman</li>
<li>Proofreader: Ward Webber</li>
</ul>
<p>For information on book distributors or translations, please contact No Starch Press, Inc. directly:</p>
<p>No Starch Press, Inc. 38 Ringold Street, San Francisco, CA 94103. Phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com</p>
<p>Library of Congress Cataloging-in-Publication Data:</p>
<p>Klein, Tobias. [Aus dem Tagebuch eines Bughunters. English] A bug hunter's diary : a guided tour through the wilds of software security / by Tobias Klein. p. cm. ISBN-13: 978-1-59327-385-9 ISBN-10: 1-59327-385-1 1. Debugging in computer science. 2. Computer security. 3. Malware (Computer software) I. Title. QA76.9.D43K5813 2011 005.8--dc23 2011033629</p>
<p>No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.</p>
<p>The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.</p></li>
<li><p>Brief Contents</p>
<ul>
<li>Acknowledgments (p. xi)</li>
<li>Introduction (p. 1)</li>
<li>Chapter 1: Bug Hunting (p. 3)</li>
<li>Chapter 2: Back to the 90s (p. 9)</li>
<li>Chapter 3: Escape from the WWW Zone (p. 25)</li>
<li>Chapter 4: NULL Pointer FTW (p. 51)</li>
<li>Chapter 5: Browse and You're Owned (p. 71)</li>
<li>Chapter 6: One Kernel to Rule Them All (p. 87)</li>
<li>Chapter 7: A Bug Older Than 4.4BSD (p. 113)</li>
<li>Chapter 8: The Ringtone Massacre (p. 133)</li>
<li>Appendix A: Hints for Hunting (p. 149)</li>
<li>Appendix B: Debugging (p. 163)</li>
<li>Appendix C: Mitigation (p. 179)</li>
<li>Index (p. 191)</li>
</ul></li>
<li><p>Contents in Detail</p>
<p>Acknowledgments (p. xi)</p>
<p>Introduction (p. 1)</p>
<ul>
<li>The Goals of This Book (p. 1)</li>
<li>Who Should Read the Book (p. 1)</li>
<li>Disclaimer (p. 2)</li>
<li>Resources (p. 2)</li>
</ul>
<p>Chapter 1: Bug Hunting (p. 3)</p>
<ul>
<li>1.1 For Fun and Profit (p. 4)</li>
<li>1.2 Common Techniques (p. 4)
<ul>
<li>My Preferred Techniques (p. 4)</li>
<li>Potentially Vulnerable Code Locations (p. 5)</li>
<li>Fuzzing (p. 5)</li>
<li>Further Reading (p. 5)</li>
</ul></li>
<li>1.3 Memory Errors (p. 6)</li>
<li>1.4 Tools of the Trade (p. 6)
<ul>
<li>Debuggers (p. 6)</li>
<li>Disassemblers (p. 7)</li>
</ul></li>
<li>1.5 EIP = 41414141 (p. 7)</li>
<li>1.6 Final Note (p. 8)</li>
</ul>
<p>Chapter 2: Back to the 90s (p. 9)</p>
<ul>
<li>2.1 Vulnerability Discovery (p. 10)
<ul>
<li>Step 1: Generate a List of the Demuxers of VLC (p. 10)</li>
<li>Step 2: Identify the Input Data (p. 11)</li>
<li>Step 3: Trace the Input Data (p. 11)</li>
</ul></li>
<li>2.2 Exploitation (p. 12)
<ul>
<li>Step 1: Find a Sample TiVo Movie File (p. 13)</li>
<li>Step 2: Find a Code Path to Reach the Vulnerable Code (p. 13)</li>
<li>Step 3: Manipulate the TiVo Movie File to Crash VLC (p. 16)</li>
<li>Step 4: Manipulate the TiVo Movie File to Gain Control of EIP (p. 17)</li>
</ul></li>
<li>2.3 Vulnerability Remediation (p. 18)</li>
<li>2.4 Lessons Learned (p. 22)</li>
<li>2.5 Addendum (p. 22)</li>
</ul>
<p>Chapter 3: Escape from the WWW Zone (p. 25)</p>
<ul>
<li>3.1 Vulnerability Discovery (p. 25)
<ul>
<li>Step 1: List the IOCTLs of the Kernel (p. 26)</li>
<li>Step 2: Identify the Input Data (p. 27)</li>
<li>Step 3: Trace the Input Data (p. 28)</li>
</ul></li>
<li>3.2 Exploitation (p. 35)
<ul>
<li>Step 1: Trigger the NULL Pointer Dereference for a Denial of Service (p. 35)</li>
<li>Step 2: Use the Zero Page to Get Control over EIP/RIP (p. 39)</li>
</ul></li>
<li>3.3 Vulnerability Remediation (p. 48)</li>
<li>3.4 Lessons Learned (p. 49)</li>
<li>3.5 Addendum (p. 49)</li>
</ul>
<p>Chapter 4: NULL Pointer FTW (p. 51)</p>
<ul>
<li>4.1 Vulnerability Discovery (p. 52)
<ul>
<li>Step 1: List the Demuxers of FFmpeg (p. 52)</li>
<li>Step 2: Identify the Input Data (p. 52)</li>
<li>Step 3: Trace the Input Data (p. 53)</li>
</ul></li>
<li>4.2 Exploitation (p. 56)
<ul>
<li>Step 1: Find a Sample 4X Movie File with a Valid strk Chunk (p. 57)</li>
<li>Step 2: Learn About the Layout of the strk Chunk (p. 57)</li>
<li>Step 3: Manipulate the strk Chunk to Crash FFmpeg (p. 58)</li>
<li>Step 4: Manipulate the strk Chunk to Gain Control over EIP (p. 61)</li>
</ul></li>
<li>4.3 Vulnerability Remediation (p. 66)</li>
<li>4.4 Lessons Learned (p. 69)</li>
<li>4.5 Addendum (p. 69)</li>
</ul>
<p>Chapter 5: Browse and You're Owned (p. 71)</p>
<ul>
<li>5.1 Vulnerability Discovery (p. 71)
<ul>
<li>Step 1: List the Registered WebEx Objects and Exported Methods (p. 72)</li>
<li>Step 2: Test the Exported Methods in the Browser (p. 74)</li>
<li>Step 3: Find the Object Methods in the Binary (p. 76)</li>
<li>Step 4: Find the User-Controlled Input Values (p. 78)</li>
<li>Step 5: Reverse Engineer the Object Methods (p. 79)</li>
</ul></li>
<li>5.2 Exploitation (p. 82)</li>
<li>5.3 Vulnerability Remediation (p. 84)</li>
<li>5.4 Lessons Learned (p. 84)</li>
<li>5.5 Addendum ....</li>
</ul></li>
</ul>