Book of the Month – A Bug Hunter’s Diary

Once upon a time there were bounty hunters running in the wild to nab those ‘Most Wanted’ criminals and walk away with big bucks. Now we have bug hunters running wild in their computer world not only to put their name on wall of fame but also to reap those rich rewards.

.

.
Here in this latest book “Bug Hunter’s Diary” we have similar story of another great and inspiring bug hunter, Tobias Klein.
.

.

Core information about the book

  • Title:A Bug Hunter’s Diary
  • Author: Tobias Klein
  • Publisher: No Starch Press
  • Pages: 208
  • Release Date: November 11, 2011
  • Rating(Amazon):

.

Table of contents

Chapter 1: Bug Hunting
Chapter 2: Back to the 90s
Chapter 3: Escape from the WWW Zone
Chapter 4: NULL Pointer FTW
Chapter 5: Browse and You’re Owned
Chapter 6: One Kernel to Rule Them All
Chapter 7: A Bug Older Than 4.4BSD
Chapter 8: The Ringtone Massacre
Appendix A: Hints for Hunting
Appendix B: Debugging
Appendix C: Mitigation of Exploitation

.

This book gives valuable insights on different techniques of bug hunting and exploiting them successfully. Each of the chapters in this book conforms to the each of the vulnerability discovered by author and written in his own words and style.

.

Give a man an exploit and you make him hacker for a day; teach him to exploit bugs and you make him hacker for lifetime
– Felix ‘FX’ Lindner [from back cover]

.

Before you proceed to reading, it is good idea to get some basic knowledge on driver concepts including its life cycle, IRP, IOCTL and debugging. As three of eight chapters here deal with driver bugs, this prep will help you to feel at home later on.
.

If you are new to vulnerability research, I suggest you to start with Appendix A which refreshes concept of stack overflow with practical example, NULL pointer dereferences, type conversion, GOT exploitation techniques which are essential to understand main chapters. Appendix B describes debugging tools along with commands for Solaris(mdb), Linux (gdb), Windows (windbg) and shows how to setup VMware for Kernel Debugging. Final Appendix talks about exploit mitigation techniques such as ASLR, GS, NX, DEP and finishes with detailed description on RELRO for ELF (Linux).
.

Though fuzzing is most common method used for bug hunting these days, author has used it only in final chapter and rest of the bugs were based on manual & his ingenious approach, that’s what separates men from boys.
.

In chap 2, author talks about the first victim, VLC media player. He starts with traversing the source code, listing all demuxers dealing with different video formats, traces through the input data and finally finds Stack Overflow bug in TiVo demuxer code. Then he goes onto show how he manipulated sample Tivo video file to successfully exploit it.
.

In chap 3, author switches to one of his exceptional exploitation of NULL pointer dereference vulnerability in a network driver of Solaris Kernel. With source code it may be easy to find this bug but successfull exploitation of this bug was just amazing where author mapped the Zero/NULL page and then passed the controlled attack vectors through IOCTL to gain the root. Notable thing here is that vendor took more than year to patch the bug and author has to just wait in vain but do nothing. In fact real bounty hunting stories are not as sweet as they are shown on the screen.

.

Next chapter deals with tricky Type Conversion vulnerability in FFmpeg multimedia library (Linux). This is popular library used by Google Chrome, VLC Media Player, MPlayer etc. Here he finds bug beautiful bug in one of the demuxer code, (4xm.c file) dealing with 4X movie format. Conversion from user-controlled unsigned int media file to signed int caused the serious issue which author was able to exploit successfully to trigger remote code execution. Another job well done.
.

In chap 5, author shows us another interesting vulnerability in Cisco’s WebEx ActiveX control for Internet Explorer [Windows]. Being researcher, he started with reversing this Activex control to find trivial string buffer overflow vulnerability. Then he realized that he could have done with by simply fuzzing. However it is interesting to see how author uses the tools like COMRaider, WinDbg, IDAPro in tandem to discover and exploit it.
.

Chap 6 talks about one of the stunning bug in kernel driver of Avast Antivirus software running in dark world of Windows. He starts with looking at Driver’s poor security settings that allowed anyone to send IOCTL. Then he gets into reversing IOCTL handler code in the driver using IDA and finally finds bug in one of memcpy() calls deep down the rabbit hole.  Admirable thing here is that Avast has fixed this kernel driver bug in just 10 days. Not all bounty hunting stories are as bad as depicted on the screen 😉

.

In chap 7, author turns to MAC, finding bug in XNU Kernel driver. He downloads the kernel code, traverses through IOCTL handlers and finally discovers another Type Conversion bug leading to blue screen. Then author goes through another challenging cycle of debugging through his cross wired Linux system to script a successful exploit to pwn his MAC.

.

Final chapter deals with interesting vulnerability in iPhone. Author finally uses his own custom fuzzer, simple yet smart, to discover bug audio ringtone processing code. Though iPhone flunked many times during fuzzing, he continued through the tedious process and discovers this as well as similar bugs in mediaserverd deamon. Next he gets into debugging his iPhone through GDB on Linux, finally stopping at successful exploitation. Bounty hunters does not seem to stop anywhere until they nail the man they are after!
.

Bug Hunting Advisory & Tracks

  • Be warned – Highly technical and Toxic, Keep a can of beer beside you 🙂
  • For better digestion, read one chapter at a time with clear and cool head
  • Deep exposure to vuln discovery and exploitation techniques on Windows, Linux, Solaris, Mac & iPhone
  • Detailed technical steps with screenshots and code snippets
  • No exploit code due to strict German laws but author has published videos
  • Author does not preach but shows you what amazing things one can do with right skills and great patience

.
When you finish this book, it will not be hard for you to acknowledge Tobias Klein as one of those rare, genius and versatile bug hunter. It takes a lot to master those traits, not just knowing about it but to get to the r00t, you can’t express it in words.

.

This in not just a book that will teach you the Art of Bug Hunting in most spectacular way but an great inspiration to all those wanna be Bug Hunters!

.

Disclaimer: I have received this book from the publisher for special review. However the review remains genuine and unbiased. And this is our last official book review.

.
Visit the Book: http://nostarch.com/bughunter.htm

Similar posts
  • SecurityXploded Mentorship Programme ... I am writing this blog to share my SecurityXploded Student Mentorship Programme experience with the future students of this programme. My mentorship programme started last year in August when I was in 2nd year of MS at IIIT-Allahabad. I knew about SecurityXploded community since I used to follow their blogs, training programmes and security tools [...]
  • Code Injection and API Hooking Techni... Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different [...]
  • Announcement – SecurityXploded ... From the past two years we are working actively on couple of projects to support the security community. As you all may already know that we have successfully completed our reversing and malware analysis training programme and we are very glad that it was very helpful for everyone. In my opinion the success of any [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat  RAT Functionalities   This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting various Communications Of HeartBeat [...]
  • Advanced Malware Analysis Training Se...   Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 1) Reversing & Decrypting Communications of HeartBeat RAT This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting The [...]

Leave a Reply

Our Company

Follow us on Facebook


Join Mailing List

Get direct access to our expert trainers or mingle with like minded security folks in our mailing list