A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

Tobias Klein

Language: English

Pages: 208

ISBN: 1593273851

Format: PDF / Kindle (mobi) / ePub

"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional

"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner

Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc.

A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.

Along the way you'll learn how to:

  • Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering
  • Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws
  • Develop proof-of-concept code that verifies the security flaw
  • Report bugs to vendors or third-party brokers

A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.

signal SIGSEGV, Segmentation fault.
0x0809c89d in fourxm_read_header (s=0xa836330, ap=0xbfb19674) at libavformat/4xm.c:178
178 fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]);

FFmpeg crashed again while trying to parse the malformed media file. To see what exactly caused the crash, I asked the debugger to display the current register values as well as the last instruction executed by FFmpeg:

(gdb) info registers
eax 0xbbbbbbbb −1145324613
ecx 0xa83f3e0 176419808
edx 0x0 0
ebx

security advisory on my website today.[74] The bug was assigned CVE-2008-1625. Figure 6-9 shows the timeline of the vulnerability fix.

Figure 6-9. Timeline from vendor notification to the release of my security advisory

Notes

[57] See SANS Top 20 Internet Security Problems, Threats and Risks (2007 Annual Update), http://www.sans.org/top20/2007/.
[58] See

book's website.[78]

7.3 Vulnerability Remediation

Note: Wednesday, November 14, 2007

After I informed Apple about the bug, Apple fixed it by adding an extra check for the user-supplied IOCTL data.

Source code file xnu-792.24.17/bsd/kern/tty.c[79]

[..]
case TIOCSETD: { /* set line discipline */
    register int t = *(int *)data;
    dev_t device = tp->t_dev;

    /* added check: reject line discipline numbers outside the valid range */
    if (t >= nlinesw || t < 0)
        return (ENXIO);
    if (t != tp->t_line) {
        s = spltty();

Vulnerabilities (Addison-Wesley, 2007).

Figure A-4. Integer type conversion: unsigned int to signed int

Note: I used Debian Linux 6.0 (32-bit) as a platform for all the following steps.

A.4 GOT Overwrites

Once you have found a memory corruption vulnerability, you can use a variety of techniques to gain control over the instruction pointer register of the vulnerable process. One of these techniques, called GOT overwrite, works by manipulating an entry in the so-called Global

Example: Stack Buffer Overflow Under Windows, C.1 Exploit Mitigation Techniques
SFP (saved frame pointer), A.1 Stack Buffer Overflows
sign bit, A.3 Type Conversions in C
sign-extension vulnerabilities, Potentially Vulnerable Code Locations
SiteLock, 5.4 Lessons Learned
Solaris, Escape from the WWW Zone
  kernel, Escape from the WWW Zone
  mdb, debugger for, Debuggers
Solaris Zones, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, C.3 Solaris Zones

Download sample