A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
Format: PDF / Kindle (mobi) / ePub
"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional
"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner
Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.
A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.
Along the way you'll learn how to:
- Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering
- Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws
- Develop proof of concept code that verifies the security flaw
- Report bugs to vendors or third-party brokers
A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.
Security settings of the device in WinObj, I right-clicked the device name, chose Properties from the option list, and then chose the Security tab. The device object allows every system user (Everyone group) to read from or to write to the device (see Figure 6-3). This means that every user of the system is allowed to send data to the IOCTLs implemented by the driver, which is great — this makes this driver a valuable target!
Step 4: List the IOCTLs
A Windows user space application must.
Sample target file.
- On a Linux host: Serves these test cases via a web server.
- On the iPhone: Opens the test cases in MobileSafari.
- On the iPhone: Monitors mediaserverd for faults.
- On the iPhone: In the event a fault is uncovered, logs the findings.
- Repeats these steps.
I created the following simple, mutation-based file fuzzer to prepare the test cases on a Linux host:
Example 8-1. The code I wrote to prepare test cases on the Linux host (fuzz.c)
01 #include
Size of the data that gets copied into mst_buf. This leads to a straight stack buffer overflow (see Section A.1) that can be easily exploited. Here is the anatomy of the bug, as illustrated in Figure 2-2:
- 32 bytes of user-controlled TiVo media file data are copied into the stack buffer mst_buf. The destination buffer has a size of 32 bytes.
- 4 bytes of user-controlled data are extracted from the buffer and stored in i_map_size.
- User-controlled TiVo media-file data is copied into mst_buf once.