1. 1
Entomology
101
L o u i s N y f f e n e g g e r
L o u i s @ p e n t e s t e r l a b . c o m
@ s n y f f / @ P e n t e s t e r L a b
A n i n t r o d u c t i o n t o
s t u d y i n g , c o l l e c t i n g a n d
f i n d i n g b u g s . . .
2. 2
My job is to find, collect and study
bugs to teach people how they can
find, fix and exploit bugs.
3. 3
If you are like me, you are more
likely to find bugs by learning
existing patterns and derive from
them than by trying to discover a
completely new bug class.
4. 4
Collecting bugs
Follow (security) mailing lists from known big projects:
• Apache (announce@apache.org)
• Ruby-on-Rails (rubyonrails-security@googlegroups.com)
• ...
Mailing lists
Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters:
• Twitter account: https://twitter.com/disclosedh1
• Bugcrowd: inurl:https://bugcrowd.com/disclosures
• H1 Hacktivity https://hackerone.com/hacktivity
• Bug bounty write-ups from bug bounty hunters
Bug bounty disclosures
6. 6
Collecting bugs
Follow security researchers and bounty hunters:
• Too many to list
• Too risky to list and forget someone
• Try to find people who share information on bugs
• Try to find people with a high signal/noise ratio
Twitter
• Conferences and local meetups
• Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list
• Blogs (RSS)
• Reddit /r/netsec
• CTF
• ...
Other sources
7. 7
Studying bugs
1.Find the vulnerable version and the fixed version
2.Extract a diff to see the changes (literally a few clicks on GitHub)
3.Profit:
• You now know what the vulnerable code looks like
• You now know what the bug precisely is
• You have an idea on the exploitability of the issue
• You know how to properly (hopefully) fix this type of issues
• You learn a little bit about the codebase
Check the source code
9. 9
Studying bugs
• It allows you to learn how to deploy software
• Sometime it is just one command (thanks to docker/docker hub)
• Study someone's exploit
• Build your own exploit
• Exploit the issue
• Find more bugs in the same test environment
Build a test environment
10. 10
Studying bugs
• Try to find the same pattern in the same project
• Try to find the same pattern in other project
• Try to see what this pattern looks like in other languages/framework
Extrapolate
• Keep notes on the bug and source code
• Keep the exploit (and tools to run it)
• Maybe share this in a blog post
Document your findings
11. 11
Studying bugs
• Do a write-up/blog post
• Do a talk at work/school/local meetup
• Tweet about something people may not know/have realised
Share
12. 12
Hunting for bugs
• Bug Bounty programs (limited access to source code)
• GitHub trending (https://github.com/trending)
• DigitalOcean Marketplace (https://marketplace.digitalocean.com/)
• HackerNews
• ...
Finding your targets
• Build a test environment (with enhanced debugging if possible)
• Get familiar with the source code (if available)
• Pick few of the weird patterns for the language/framework used (based on your collecting)
• Spend hours in front of a computers
• Learn by actually searching for bugs!
• Remember your goal is not to find bugs, it is to learn how to find bugs!
Getting started
13. This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
13
Hunting for bugs
Going deeper
14. 14
Hunting for bugs
Going deeper
With a constant
30% drop rate
70%
49%
34%
24%
16%
11%
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
15. With a constant
50% drop rate
50%
25%
13%
6%
3%
1.5%
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
15
Hunting for bugs
Going deeper
16. Optimizing based
on your bug
collection
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
16
Hunting for bugs
Learn from your bug collection
17. This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
17
Hunting for bugs
Impact on teams
Impact of automation
18. 18
Quality bugs
• Weirdness
• Complexity of the exploitation
• No one found it before
• A somehow new pattern
• High visibility
What makes a bug great?
19. 19
What do with your bugs?
• It feels good
• It can be long and tedious
• It can be a good way to gain exposure when looking for a job
Responsible/Coordinated disclosure
• Selling
• Reporting via one or multiple Bug Bounty programs
• Sending a patch
• Bug hoarding
Other ways
20. 20
Some of my favourite bugs
CVE-2012-2661 CVE-2012-6081 CVE-2014-1266
21. 21
CVE-2012-2661
• Rails is supposed to prevent SQL injection by design
• No public exploit available
• First to release details on how to exploit it
• Free ISO and course on how to exploit it on PentesterLab.com
SQL Injection in Ruby-on-Rails
• Rails has caching on the injectable part
• Each query needs to be unique
• Completely blind
Exploitation
22. 22
CVE-2012-6081
• Used to hack Python and Debian's wiki
• Brillant exploitation
• Free ISO and course on how to exploit it on PentesterLab.com
RCE in MoinMoin wiki
• Directory traversal in upload (only in the filename's extension)
• The payload can't contain any dots
• File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink)
• Payload needs to be a valid MoinMoin plugin (Python)
Exploitation
drawing.z if()else()
import os
def execute(p, r):
exec"print>>r,os56popen(r56values['c'])56read()"
23. 23
CVE-2014-1266
• TLS verification bypass
• Public Key pinning bypass
• Targets a cipher that provides forward secrecy
Apple goto fail;
• Set up a malicious server with the legitimate certificate and any private key
• Force the cipher to the vulnerable one
• Get the victim to visit your site
Exploitation
24. 24
Let’s get started!
Try to pick one bug per month and study it (code diff/test lab/exploit).
I am convinced you will learn a tremendous amount about software
security
25. And then you can do a talk at Ruxmon on this bug!