Entomology 101

1. 1 Entomology 101 L o u i s N y f f e n e g g e r   L o u i s @ p e n t e s t e r l a b . c o m @ s n y f f / @ P e n t e s t e r L a b A n i n t r o d u c t i o n t o s t u d y i n g , c o l l e c t i n g a n d f i n d i n g b u g s . . .

2. 2 My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.

3. 3 If you are like me, you are more likely to find bugs by learning existing patterns and derive from them than by trying to discover a completely new bug class.

4. 4 Collecting bugs Follow (security) mailing lists from known big projects: • Apache (announce@apache.org) • Ruby-on-Rails (rubyonrails-security@googlegroups.com) • ... Mailing lists Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters: • Twitter account: https://twitter.com/disclosedh1 • Bugcrowd: inurl:https://bugcrowd.com/disclosures • H1 Hacktivity https://hackerone.com/hacktivity • Bug bounty write-ups from bug bounty hunters Bug bounty disclosures

5. 5 Collecting bugs Mailing lists

6. 6 Collecting bugs Follow security researchers and bounty hunters: • Too many to list • Too risky to list and forget someone • Try to find people who share information on bugs • Try to find people with a high signal/noise ratio Twitter • Conferences and local meetups • Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list • Blogs (RSS) • Reddit /r/netsec • CTF • ... Other sources

7. 7 Studying bugs 1.Find the vulnerable version and the fixed version 2.Extract a diff to see the changes (literally a few clicks on GitHub) 3.Profit: • You now know what the vulnerable code looks like • You now know what the bug precisely is • You have an idea on the exploitability of the issue • You know how to properly (hopefully) fix this type of issues • You learn a little bit about the codebase Check the source code

8. 8 Studying bugs Check the source code Check the source code

9. 9 Studying bugs • It allows you to learn how to deploy software • Sometime it is just one command (thanks to docker/docker hub) • Study someone's exploit • Build your own exploit • Exploit the issue • Find more bugs in the same test environment Build a test environment

10. 10 Studying bugs • Try to find the same pattern in the same project • Try to find the same pattern in other project • Try to see what this pattern looks like in other languages/framework Extrapolate • Keep notes on the bug and source code • Keep the exploit (and tools to run it) • Maybe share this in a blog post Document your findings

11. 11 Studying bugs • Do a write-up/blog post • Do a talk at work/school/local meetup • Tweet about something people may not know/have realised Share

12. 12 Hunting for bugs • Bug Bounty programs (limited access to source code) • GitHub trending (https://github.com/trending) • DigitalOcean Marketplace (https://marketplace.digitalocean.com/) • HackerNews • ... Finding your targets • Build a test environment (with enhanced debugging if possible) • Get familiar with the source code (if available) • Pick few of the weird patterns for the language/framework used (based on your collecting) • Spend hours in front of a computers • Learn by actually searching for bugs! • Remember your goal is not to find bugs, it is to learn how to find bugs! Getting started

13. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 13 Hunting for bugs Going deeper

14. 14 Hunting for bugs Going deeper With a constant 30% drop rate 70% 49% 34% 24% 16% 11% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #"

15. With a constant 50% drop rate 50% 25% 13% 6% 3% 1.5% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 15 Hunting for bugs Going deeper

16. Optimizing based on your bug collection This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 16 Hunting for bugs Learn from your bug collection

17. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 17 Hunting for bugs Impact on teams Impact of automation

18. 18 Quality bugs • Weirdness • Complexity of the exploitation • No one found it before • A somehow new pattern • High visibility What makes a bug great?

19. 19 What do with your bugs? • It feels good • It can be long and tedious • It can be a good way to gain exposure when looking for a job Responsible/Coordinated disclosure • Selling • Reporting via one or multiple Bug Bounty programs • Sending a patch • Bug hoarding Other ways

20. 20 Some of my favourite bugs CVE-2012-2661 CVE-2012-6081 CVE-2014-1266

21. 21 CVE-2012-2661 • Rails is supposed to prevent SQL injection by design • No public exploit available • First to release details on how to exploit it • Free ISO and course on how to exploit it on PentesterLab.com SQL Injection in Ruby-on-Rails • Rails has caching on the injectable part • Each query needs to be unique • Completely blind Exploitation

22. 22 CVE-2012-6081 • Used to hack Python and Debian's wiki • Brillant exploitation • Free ISO and course on how to exploit it on PentesterLab.com RCE in MoinMoin wiki • Directory traversal in upload (only in the filename's extension) • The payload can't contain any dots • File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink) • Payload needs to be a valid MoinMoin plugin (Python) Exploitation drawing.z if()else() import os def execute(p, r): exec"print>>r,os56popen(r56values['c'])56read()"

23. 23 CVE-2014-1266 • TLS verification bypass • Public Key pinning bypass • Targets a cipher that provides forward secrecy Apple goto fail; • Set up a malicious server with the legitimate certificate and any private key • Force the cipher to the vulnerable one • Get the victim to visit your site Exploitation

24. 24 Let’s get started!   Try to pick one bug per month and study it (code diff/test lab/exploit). I am convinced you will learn a tremendous amount about software security

25. And then you can do a talk at Ruxmon on this bug!

26. 26 Thanks for your time! Any questions? @snyff @PentesterLab