Book Review: A Bug Hunter’s Diary
It has been asking my personal revision on the Tobias Klein‘s english version of “A Bug Hunter’s Diary” book. As the title suggests “A Bug Hunter’s Diary” is not a normal book, it’s not a manual or a guide to exploiting it’s a new way to interpret the bug hunting teaching process. It follows the “blog paradigm” where the author seems to talk to his personal diary, just for personal memories and not for relating or for writing a book. Each chapter begins with the “Dear Diary” sentence , the language is technical but simple, the text is essential: no additional adjectives or related stories to support to the main concepts. The writer style is very clear, everybody should be able to understand what Tobias is talking about, the text form follows a standard path, after a couple of chapters the reader enjoys it because he will known exactly where “he is” and where the text “is going to take him”.
The First chapter (Bug Hunting), is the weakest section of the book. It is a small chapter introducing the bug hunting process as well as some basic security concepts such as the necessary tools, well know hunting techniques, and best practices. Under my personal point of view this chapter should be much more elaborated then the current one by going deeper into the details giving to the reader much more background for better understand the following chapters.
The Second chapter (Back to the ’90s) shows the abilities of the writer in going straight into the core arguments with no unnecessary words or sentences. Every section is well written with the less possible words letting an avid reader going directly into the main aspect of the problem without being distracted from additional contexts. This chapter walks through the first vulnerability of the book: VLC TiVo demuxed stack overflow.
The Third chapter (Escape from the WWW Zone) explains the entire process to exploit the Sun Solaris IOCTL Kernel NULL pointer dereference. In my personal opinion, this chapter is the most valuable one since it describes with meticulous details (but always without unnecessary words or sections) a quite rare exploit. Sun solaris resources are pretty rare and difficult to be documented since the referenced platform is not well known as Microsoft or Linux are.
The Fourth chapter (NULL Pointer FTW) walks through the famous FFmpeg type conversion vulnerability. While the chapter and the vulnerability, under some aspects, could be compared to the first chapter, I believe that this is one of the most didactic chapters of the book. The writer shows a mature writing in describing his steps, in particular I am referring to the steps 2 and 3 where the author with extremely mastery explains firstly how is made the srtk chunk layout and secondly how to manipulate it.
The Fifth chapter (Browse and You’re Owned) shows the WebEx meeting manager activeX stack overflow. Probably the easiest to read chapter. I personally don’t get why the author preferred the use of WinDbG rather then Immunity debugger which has a lot of scripts and plugins ready to be used which might help a lot the reader.
The Sixth chapter (On Kernel to Rule Them all) walks to the Avast! kernel memory corruption vulnerability disclosed here. This is one of my favorite chapters. The author shows his confidence in finding vulnerabilities in IOCTL handlers. Probably the most complete, technical and difficult to follow chapter.
The Seventh chapter (A Bug Older Than 4.4BSD) shows another really interesting Kernel vulnerability against XNU.
The Eight chapter (The Ringtone Massacre) is the last book’s chapter. The author ends up in the mobile world walking through a classic buffer overflow found in IOS (from 1 to 3.2.1) AudioToolbox library. The beauty of this chapter is in the way the stack buffer overflow is applied to the mobile world and for this reason I consider it as “innovative chapter” perfect to be the conclusive chapter of this book.
The book presents three didactic appendixes titled: Hints For Hunting, Debugging, Mitigation.
I did enjoy reading this book. I did enjoy the way the book is written, it’s pretty different from the books I’ am used to read and I think this new way to report, pretty close to a blog, is immediate and effective. The book amazingly describes the way the author hunts the bugs and take them into vulnerabilities. I would definitely suggest this book to everyone is interested on “touch with hands” the real words exploiting processes.