Bug Hunter Diary

Recommendations

Info

libavformat 52.23. 1 / 52.23. 1libavdevice 52. 1. 0 / 52. 1. 0built on Jan 24 2009 09:07:58, gcc: 4.3.3Program received signal SIGSEGV, Segmentation fault.0x0809c89d in fourxm_read_header (s=0xa836330, ap=0xbfb19674) atlibavformat/4xm.c:178178 fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]);FFmpeg crashed again while trying to parse the malformed mediafile. To see what exactly caused the crash, I asked the debugger to displaythe current register values as well as the last instruction executedby FFmpeg:(gdb) info registerseax 0xbbbbbbbb -1145324613ecx 0xa83f3e0 176419808edx 0x0 0ebx 0x806ab330 -2140490960esp 0xbfb194f0 0xbfb194f0ebp 0x855ffc0 0x855ffc0esi 0xa83f3a0 176419744edi 0xa83f330 176419632eip 0x809c89d 0x809c89d eflags 0x10206 [ PF IF RF ]cs 0x73 115ss 0x7b 123ds 0x7b 123es 0x7b 123fs 0x0 0gs 0x33 51(gdb) x/1i $eip0x809c89d : mov DWORD PTR [edx+ebp*1+0x10],eaxI also displayed the address where FFmpeg had attempted to storethe value of EAX:(gdb) x/1x $edx+$ebp+0x100x855ffd0 :0xb7dd4d40As expected, FFmpeg tried to write the value of EAX to the suppliedaddress (0x855ffd0) of memalign()’s GOT entry.(gdb) shell cat /proc/$(pidof ffmpeg_g)/maps08048000-0855f000 r-xp 00000000 08:01 101582 /home/tk/BHD/ffmpeg_relro/ffmpeg_g0855f000-08560000 r--p 00516000 08:01 101582 /home/tk/BHD/ffmpeg_relro/ffmpeg_g08560000-0856c000 rw-p 00517000 08:01 101582 /home/tk/BHD/ffmpeg_relro/ffmpeg_g0856c000-0888c000 rw-p 0856c000 00:00 00a834000-0a855000 rw-p 0a834000 00:00 0[heap]b7d60000-b7d61000 rw-p b7d60000 00:00 0b7d61000-b7ebd000 r-xp 00000000 08:01 148202 /lib/tls/i686/cmov/libc-2.9.sob7ebd000-b7ebe000 ---p 0015c000 08:01 148202 /lib/tls/i686/cmov/libc-2.9.so68 Chapter 4
7ebe000-b7ec0000 r--p 0015c000 08:01 148202b7ec0000-b7ec1000 rw-p 0015e000 08:01 148202b7ec1000-b7ec5000 rw-p b7ec1000 00:00 0b7ec5000-b7ec7000 r-xp 00000000 08:01 148208b7ec7000-b7ec8000 r--p 00001000 08:01 148208b7ec8000-b7ec9000 rw-p 00002000 08:01 148208b7ec9000-b7eed000 r-xp 00000000 08:01 148210b7eed000-b7eee000 r--p 00023000 08:01 148210b7eee000-b7eef000 rw-p 00024000 08:01 148210b7efc000-b7efe000 rw-p b7efc000 00:00 0b7efe000-b7eff000 r-xp b7efe000 00:00 0b7eff000-b7f1b000 r-xp 00000000 08:01 130839b7f1b000-b7f1c000 r--p 0001b000 08:01 130839b7f1c000-b7f1d000 rw-p 0001c000 08:01 130839bfb07000-bfb1c000 rw-p bffeb000 00:00 0/lib/tls/i686/cmov/libc-2.9.so/lib/tls/i686/cmov/libc-2.9.so/lib/tls/i686/cmov/libdl-2.9.so/lib/tls/i686/cmov/libdl-2.9.so/lib/tls/i686/cmov/libdl-2.9.so/lib/tls/i686/cmov/libm-2.9.so/lib/tls/i686/cmov/libm-2.9.so/lib/tls/i686/cmov/libm-2.9.so[vdso]/lib/ld-2.9.so/lib/ld-2.9.so/lib/ld-2.9.so[stack]This time FFmpeg crashed with a segmentation fault while tryingto overwrite the read-only GOT entry (see the r--p permissions of theGOT at 0855f000-08560000). It seems that Full RELRO can indeed successfullymitigate GOT overwrites.4.4 Lessons LearnedAs a programmer:• Don’t mix different data types.• Learn about the hidden transformations done automatically bythe compiler. These implicit conversions are subtle and cause alot of security bugs 7 (also see Section A.3).• Get a solid grasp of C’s type conversions.• Not all NULL pointer dereferences in user space are simpledenial-of-service conditions. Some of them are really bad vulnerabilitiesthat can lead to arbitrary code execution.• Full RELRO helps to mitigate the GOT overwrite exploitationtechnique.As a user of media players:• Never trust media file extensions (see Section 2.5).4.5 AddendumWednesday, January 28, 2009The vulnerability was fixed (Figure 4-9 shows the timeline) and a newversion of FFmpeg is available, so I released a detailed security advisoryon my website. 8 The bug was assigned CVE-2009-0385.NULL Pointer FTW 69
Page 6 and 7:
A Bug Hunter’s Diary. Copyright
Page 10 and 11:
Chapter 3: Escape from the WWW Zone
Page 12 and 13:
B.2 The Windows Debugger (WinDbg) .
Page 15 and 16:
IntroductionWelcome to A Bug Hunter
Page 17 and 18:
1Bug HuntingBug hunting is the proc
Page 19 and 20:
After I’ve found a bug, I want to
Page 21 and 22:
Table 1-1: Debuggers Used in This B
Page 23:
2Back to the ’90sSunday, October
Page 26 and 27:
16361637 /* clear the SEQ table */1
Page 28 and 29:
If a TiVo file is loaded by VLC, th
Page 30 and 31:
Get the →vulnerableWindows versio
Page 32 and 33: EIP = 41414141 . . . Mission EIP co
Page 34 and 35: NoteTo configure Process Explorer t
Page 36 and 37: See the following excerpt from the
Page 38 and 39: 3. Immunity Debugger is a great Win
Page 40 and 41: NoteInput/output controls (IOCTLs)
Page 42 and 43: msgbb_datapdatabb_rptrdb_basedatabu
Page 44 and 45: 8180 /*8181 * Null terminate the st
Page 46 and 47: 26736 /*26737 * SIOC[GS]TUNPARAM ap
Page 48 and 49: 19165 * are also rejected as they i
Page 50 and 51: 01 #include 02 #include 03 #include
Page 52 and 53: fffffe8000f7e4b0 unix:die+da ()ffff
Page 54 and 55: zero pagenot mappedzero pageis mapp
Page 56 and 57: gaining full control over EIP/RIP a
Page 58 and 59: 112 return 1;113 }114115 printf ("O
Page 60 and 61: solaris$ isainfo -b64I then compile
Page 62 and 63: ip_output+0x10()ip_wput+0x37()putne
Page 64 and 65: Notes1. The source code of OpenSola
Page 66 and 67: 4.1 Vulnerability DiscoveryTo find
Page 68 and 69: 167 if (current_track + 1 > fourxm-
Page 71 and 72: Step 1: Find a Sample 4X Movie File
Page 73 and 74: Next, I modified the values of trac
Page 75 and 76: Table 4-2: List of the Assembler In
Page 77 and 78: 63 #elif defined (HAVE_MEMALIGN)64
Page 79 and 80: linux$ gdb -q ./ffmpeg_g(gdb) run -
Page 81: (UINT_MAX / sizeof(AudioTrack) - 1)
Page 85 and 86: 5Browse and You’re OwnedSunday, A
Page 87 and 88: {SWI.ClassId_q.ClassId clsid = new
Page 89 and 90: 27 except KeyboardInterrupt:28 prin
Page 91 and 92: Figure 5-4: Defining a breakpoint a
Page 93 and 94: Figure 5-7: User-controlled argumen
Page 95 and 96: Next, I tried to retrieve the size
Page 97 and 98: 05 06 arg = String(232, "A") + Stri
Page 99: iDefense VCPnotifiedVulnerability d
Page 102 and 103: 6.1 Vulnerability DiscoveryI used t
Page 104 and 105: Step 3: Check the Device Security S
Page 106 and 107: Below, the elements of the MajorFun
Page 108 and 109: At address .text:00010748, a pointe
Page 110 and 111: [..][..]//// Current stack location
Page 112 and 113: The transfer type is specified usin
Page 114 and 115: If the requested IOCTL code matches
Page 116 and 117: Figure 6-5: Graph view of the vulne
Page 118 and 119: .text:00010DBA push 1 ; _DWORD.text
Page 120 and 121: 99 // .text:00010DEF cmp dword ptr
Page 122 and 123: nt!RtlpBreakWithStatusInstruction:8
Page 124 and 125: After I gained control over EIP, I
Page 127 and 128: 7A Bug Older Than 4.4BSDSaturday, M
Page 129 and 130: Here are some examples:Source code
Page 131 and 132: 1094 return (ENXIO);1095 if (t != t
Page 133 and 134:
4. The assumed address of l_open()
Page 135 and 136:
osx$ cat /Library/Logs/panic.logSat
Page 137 and 138:
Back on the Linux host, I started t
Page 139 and 140:
0x35574c, the value is used to calc
Page 141 and 142:
48 define search_memloc49 set $max_
Page 143 and 144:
As the debugger output shows, the E
Page 145:
ApplenotifiedApple asks formore det
Page 148 and 149:
I performed the following steps whe
Page 150 and 151:
I then began fuzzing files of the A
Page 152 and 153:
Figure 8-1: Playing the unmodifiedA
Page 154 and 155:
• Line 40 copies the current proc
Page 156 and 157:
As the debugger output shows, media
Page 158 and 159:
The manipulated byte (0xff) that ca
Page 160 and 161:
(gdb) x/12x 0x1301bfc0x1301bfc: 0x0
Page 162 and 163:
ApplenotifiedApple confirmsthe vuln
Page 164 and 165:
Every function of a process that is
Page 166 and 167:
eip 0x43434343 0x43434343eflags 0x1
Page 168 and 169:
The access violation is caused when
Page 170 and 171:
is less than 12. If it is, the stri
Page 172 and 173:
The program in Listing A-4 calls th
Page 174 and 175:
0x080483f3 : mov DWORD PTR [esp+0x4
Page 177 and 178:
BDebuggingThis appendix contains in
Page 179 and 180:
Information CommandsCommandDescript
Page 181 and 182:
Information CommandsCommandrkbu add
Page 183 and 184:
Figure B-3: Configuration settings
Page 185 and 186:
Figure B-6: Attaching the kernel de
Page 187 and 188:
Other CommandsCommandset disassembl
Page 189 and 190:
linux# pwd/home/tk/gdb-292/srclinux
Page 191:
Notes1. See the Solaris Modular Deb
Page 194 and 195:
The many mitigation techniques coul
Page 196 and 197:
Figure C-1: DEP and ASLR status sho
Page 198 and 199:
08 p[0] = 0x41414141;09 printf (“
Page 200 and 201:
ConclusionIn case of a buffer overf
Page 202 and 203:
zonecfg:wwwzone> set autoboot=truez
Page 204 and 205:
Notes1. See Rob King, “New Leopar
Page 206 and 207:
COMRaider, 72coordinated disclosure
Page 208 and 209:
Rreadelf, 161RELRO, 67-69, 183-186r
Page 210:
A Bug Hunter’s Diary is set in Ne
show all

Bug Hunter Diary

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?