Bug Hunter Diary

Recommendations

Info

The manipulated byte (0xff) that caused the crash can be foundat file offset 40 (0x28). I consulted the QuickTime File Format Specification7 to determine the role of that byte within the file structure. Thebyte was described as part of the atom size of a movie header atom, sothe fuzzer must have changed the size value of that atom. As I mentionedbefore, the size supplied to memcpy() was too big, so mediaserverdhad crashed while trying to copy too much data onto the stack. Toavoid the crash, I set the atom size to a smaller value. I changed themanipulated value at file offset 40 back to 0x00 and the byte value atoffset 42 to 0x02. I named the new file file40_2.m4a.Here is the original test-case file 40 (file40.m4a):00000020h: 00 00 1C 65 6D 6F 6F 76 FF 00 00 6C 6D 76 68 64 ; ...emoovÿ..lmvhdAnd here is the new test-case file (file40_2.m4a) with changesunderlined:00000020h: 00 00 1C 65 6D 6F 6F 76 00 00 02 6C 6D 76 68 64 ; ...emoovÿ..lmvhdI rebooted the device to get a clean environment, attachedthe debugger to mediaserverd again, and opened the new file inMobileSafari.Program received signal EXC_BAD_ACCESS, Could not access memory.Reason: KERN_PROTECTION_FAILURE at address: 0x00000072[Switching to process 27 thread 0xa10b]0x00000072 in ?? ()This time the program counter (instruction pointer) was manipulatedto point to address 0x00000072. I then stopped the debuggingsession and started a new one while again setting a breakpoint at thememcpy() call in MP4AudioStream::ParseHeader():(gdb) break *0x3493d5dcBreakpoint 1 at 0x3493d5dc(gdb) continueContinuing.When I opened the modified test-case file file40_2.m4a in Mobile-Safari, I got the following output in the debugger:[Switching to process 71 thread 0x9f07]Breakpoint 1, 0x3493d5dc in MP4AudioStream::ParseHeader ()144 Chapter 8
I printed the current call stack:(gdb) backtrace#0 0x3493d5dc in MP4AudioStream::ParseHeader ()#1 0x3490d748 in AudioFileStreamWrapper::ParseBytes ()#2 0x3490cfa8 in AudioFileStreamParseBytes ()#3 0x345dad70 in PushBytesThroughParser ()#4 0x345dbd3c in FigAudioFileStreamFormatReaderCreateFromStream ()#5 0x345dff08 in instantiateFormatReader ()#6 0x345e02c4 in FigFormatReaderCreateForStream ()#7 0x345d293c in itemfig_assureBasicsReadyForInspectionInternal ()#8 0x345d945c in itemfig_makeReadyForInspectionThread ()#9 0x3146178c in _pthread_body ()#10 0x00000000 in ?? ()The first stack frame on the list was the one I was looking for. Iused the following command to display information about the currentstack frame of MP4AudioStream::ParseHeader():(gdb) info frame 0Stack frame at 0x1301c00:pc = 0x3493d5dc in MP4AudioStream::ParseHeader(AudioFileStreamContinuation&); savedpc 0x3490d748called by frame at 0x1301c30Arglist at 0x1301bf8, args:Locals at 0x1301bf8, Saved registers:r4 at 0x1301bec, r5 at 0x1301bf0, r6 at 0x1301bf4, r7 at 0x1301bf8, r8 at →0x1301be0, sl at 0x1301be4, fp at 0x1301be8, lr at 0x1301bfc, pc at 0x1301bfc,s16 at 0x1301ba0, s17 at 0x1301ba4, s18 at 0x1301ba8, s19 at 0x1301bac, s20 at →0x1301bb0, s21 at 0x1301bb4, s22 at 0x1301bb8, s23 at 0x1301bbc,s24 at 0x1301bc0, s25 at 0x1301bc4, s26 at 0x1301bc8, s27 at 0x1301bcc, s28 at →0x1301bd0, s29 at 0x1301bd4, s30 at 0x1301bd8, s31 at 0x1301bdc(gdb) continueContinuing.The most interesting information was the memory locationwhere the program counter (pc register) was stored on the stack. Asthe debugger output shows, pc was saved at address 0x1301bfc on thestack (see “Saved registers”).I then continued the execution of the process:Program received signal EXC_BAD_ACCESS, Could not access memory.Reason: KERN_PROTECTION_FAILURE at address: 0x000000720x00000072 in ?? ()After the crash, I looked at the stack location (memory address0x1301bfc) where the MP4AudioStream::ParseHeader() function expects tofind its saved program counter.The Ringtone Massacre 145
Page 6 and 7:
A Bug Hunter’s Diary. Copyright
Page 10 and 11:
Chapter 3: Escape from the WWW Zone
Page 12 and 13:
B.2 The Windows Debugger (WinDbg) .
Page 15 and 16:
IntroductionWelcome to A Bug Hunter
Page 17 and 18:
1Bug HuntingBug hunting is the proc
Page 19 and 20:
After I’ve found a bug, I want to
Page 21 and 22:
Table 1-1: Debuggers Used in This B
Page 23:
2Back to the ’90sSunday, October
Page 26 and 27:
16361637 /* clear the SEQ table */1
Page 28 and 29:
If a TiVo file is loaded by VLC, th
Page 30 and 31:
Get the →vulnerableWindows versio
Page 32 and 33:
EIP = 41414141 . . . Mission EIP co
Page 34 and 35:
NoteTo configure Process Explorer t
Page 36 and 37:
See the following excerpt from the
Page 38 and 39:
3. Immunity Debugger is a great Win
Page 40 and 41:
NoteInput/output controls (IOCTLs)
Page 42 and 43:
msgbb_datapdatabb_rptrdb_basedatabu
Page 44 and 45:
8180 /*8181 * Null terminate the st
Page 46 and 47:
26736 /*26737 * SIOC[GS]TUNPARAM ap
Page 48 and 49:
19165 * are also rejected as they i
Page 50 and 51:
01 #include 02 #include 03 #include
Page 52 and 53:
fffffe8000f7e4b0 unix:die+da ()ffff
Page 54 and 55:
zero pagenot mappedzero pageis mapp
Page 56 and 57:
gaining full control over EIP/RIP a
Page 58 and 59:
112 return 1;113 }114115 printf ("O
Page 60 and 61:
solaris$ isainfo -b64I then compile
Page 62 and 63:
ip_output+0x10()ip_wput+0x37()putne
Page 64 and 65:
Notes1. The source code of OpenSola
Page 66 and 67:
4.1 Vulnerability DiscoveryTo find
Page 68 and 69:
167 if (current_track + 1 > fourxm-
Page 71 and 72:
Step 1: Find a Sample 4X Movie File
Page 73 and 74:
Next, I modified the values of trac
Page 75 and 76:
Table 4-2: List of the Assembler In
Page 77 and 78:
63 #elif defined (HAVE_MEMALIGN)64
Page 79 and 80:
linux$ gdb -q ./ffmpeg_g(gdb) run -
Page 81 and 82:
(UINT_MAX / sizeof(AudioTrack) - 1)
Page 83 and 84:
7ebe000-b7ec0000 r--p 0015c000 08:0
Page 85 and 86:
5Browse and You’re OwnedSunday, A
Page 87 and 88:
{SWI.ClassId_q.ClassId clsid = new
Page 89 and 90:
27 except KeyboardInterrupt:28 prin
Page 91 and 92:
Figure 5-4: Defining a breakpoint a
Page 93 and 94:
Figure 5-7: User-controlled argumen
Page 95 and 96:
Next, I tried to retrieve the size
Page 97 and 98:
05 06 arg = String(232, "A") + Stri
Page 99:
iDefense VCPnotifiedVulnerability d
Page 102 and 103:
6.1 Vulnerability DiscoveryI used t
Page 104 and 105:
Step 3: Check the Device Security S
Page 106 and 107:
Below, the elements of the MajorFun
Page 108 and 109: At address .text:00010748, a pointe
Page 110 and 111: [..][..]//// Current stack location
Page 112 and 113: The transfer type is specified usin
Page 114 and 115: If the requested IOCTL code matches
Page 116 and 117: Figure 6-5: Graph view of the vulne
Page 118 and 119: .text:00010DBA push 1 ; _DWORD.text
Page 120 and 121: 99 // .text:00010DEF cmp dword ptr
Page 122 and 123: nt!RtlpBreakWithStatusInstruction:8
Page 124 and 125: After I gained control over EIP, I
Page 127 and 128: 7A Bug Older Than 4.4BSDSaturday, M
Page 129 and 130: Here are some examples:Source code
Page 131 and 132: 1094 return (ENXIO);1095 if (t != t
Page 133 and 134: 4. The assumed address of l_open()
Page 135 and 136: osx$ cat /Library/Logs/panic.logSat
Page 137 and 138: Back on the Linux host, I started t
Page 139 and 140: 0x35574c, the value is used to calc
Page 141 and 142: 48 define search_memloc49 set $max_
Page 143 and 144: As the debugger output shows, the E
Page 145: ApplenotifiedApple asks formore det
Page 148 and 149: I performed the following steps whe
Page 150 and 151: I then began fuzzing files of the A
Page 152 and 153: Figure 8-1: Playing the unmodifiedA
Page 154 and 155: • Line 40 copies the current proc
Page 156 and 157: As the debugger output shows, media
Page 160 and 161: (gdb) x/12x 0x1301bfc0x1301bfc: 0x0
Page 162 and 163: ApplenotifiedApple confirmsthe vuln
Page 164 and 165: Every function of a process that is
Page 166 and 167: eip 0x43434343 0x43434343eflags 0x1
Page 168 and 169: The access violation is caused when
Page 170 and 171: is less than 12. If it is, the stri
Page 172 and 173: The program in Listing A-4 calls th
Page 174 and 175: 0x080483f3 : mov DWORD PTR [esp+0x4
Page 177 and 178: BDebuggingThis appendix contains in
Page 179 and 180: Information CommandsCommandDescript
Page 181 and 182: Information CommandsCommandrkbu add
Page 183 and 184: Figure B-3: Configuration settings
Page 185 and 186: Figure B-6: Attaching the kernel de
Page 187 and 188: Other CommandsCommandset disassembl
Page 189 and 190: linux# pwd/home/tk/gdb-292/srclinux
Page 191: Notes1. See the Solaris Modular Deb
Page 194 and 195: The many mitigation techniques coul
Page 196 and 197: Figure C-1: DEP and ASLR status sho
Page 198 and 199: 08 p[0] = 0x41414141;09 printf (“
Page 200 and 201: ConclusionIn case of a buffer overf
Page 202 and 203: zonecfg:wwwzone> set autoboot=truez
Page 204 and 205: Notes1. See Rob King, “New Leopar
Page 206 and 207: COMRaider, 72coordinated disclosure
Page 208 and 209:
Rreadelf, 161RELRO, 67-69, 183-186r
Page 210:
A Bug Hunter’s Diary is set in Ne
show all

Bug Hunter Diary

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?