A Strategic Guide To Discovering Software Vulnerabilities

Many people have expressed an interest in how eEye goes about discovering vulnerabilities in software. Because of the interest, this article is an overview of the basic process from a researcher's perspective.

To begin the search for a vulnerability, the first priority is to identify a piece of mission-critical software that warrants vulnerability research. After identifying a product, we need to understand the software product inside and out, including the features it provides as well as the internal processing component. The degree of information that can be acquired from existing sources depends largely on the software.

For commercial software products that are widely used and easily attainable, there is typically a wealth of information on how the product works, the protocols it uses, and how each protocol functions.

For custom programs, and software with a limited installation base, the project requires much more intensive research. Not having access to the software, binaries, or source makes the effort even tougher but certainly not impossible. In this case, we exhaust all available resources in an effort to obtain an understanding of how the software communicates and works. If the product being researched communicates using an undocumented protocol, then a considerable amount of reverse engineering may be needed in order to understand how the product communicates. This knowledge leads to an understanding of the areas where the product could possibly be vulnerable. In most cases, there is ample information to facilitate looking for vulnerabilities.

As an example, a web server product provides considerable information to jump-start vulnerability research. Since the web server is going to be using the HTTP protocol for its communication, one can begin by reviewing the many existing documents on how the HTTP protocol functions.

After going through the documented functionality of a product or protocol, reverse engineering will be required to search out undocumented (or poorly documented) functionality that may exist within the product. Some of the better reverse engineering tools for Windows would be IDA (Interactive Disassembler) (http://www.datarescue.com/) and Softice (http://www.numega.com). Some people prefer to use only a Strings program to search the software for hidden commands and other elements, but I strongly suggest learning some ASM and using tools like IDA and Softice to compliment a Strings tool.

Obviously, knowledge of past vulnerabilities can also provide valuable insight as to which processes of software products are most vulnerable, and which type of vulnerability tends to appear depending on the type of process. Most software vulnerabilities share a set of common characteristics as to how they are exploited and nearly all of today's software vulnerabilities are due to an error in how the program handles user-supplied data.

User-supplied data refers to the input that the software user provides as opposed to the data that the software program generates for its own internal processing. User-supplied data can be processed directly by the target program (e.g. overflowing the user command on a FTP server) or else the data can be passed through secondary software, eventually reaching your target program (e.g. a SQL attack via a web-based application).

The main goal of researching the target software is twofold: identifying all of the possible ways to supply data that is processed by the application and identifying possible flaws within the software program. If a match can be found between a data entry point and a piece of vulnerable code (i.e. if the user-supplied data deals with the vulnerable code at any point during processing) then a software vulnerability exists.

Although performing external research on a software product can provide insight into where you can find flaws, actually examining the program's code can reveal many vulnerabilities as well. A binary auditing tool allows researchers with strong Assembly and engineering backgrounds to proficiently step through the source of a software program. Finding a piece of vulnerable code during binary auditing does not always equate to an exploitable vulnerability. For instance, once the vulnerable code is identified, we must determine if and where a piece of user data can be supplied so that it works into the vulnerable code. This step is not always easy, but advancements in tools that assist in this process have made scanning through binary data for exploitable vulnerabilities much less daunting.

Another way to search out potentially exploitable flaws in a target program is to utilize the knowledge gained regarding the network/protocol workings within the software. This knowledge allows the building of customized tools (in Perl, C, C++, etc.) that automate the testing of the software in order to find vulnerabilities by "brute force".

A basic program can be written that tests specific functionalities of the software, such as a web server testing tool that iterates through all possible HTTP headers and tries to overflow them by incrementing buffers. However, once research has been conducted on the target software, a more sophisticated testing system can be built that reflects a deeper understanding of the product's functionality and interdependencies. In addition, an understanding of vulnerability classes and how they relate to specific product functionality is useful in creating an efficient testing system that eliminates implausible testing scenarios.

The end result of a testing system will yield many different "attacks" based on comprehensive knowledge of what user-supplied data a program is manipulating in conjunction with knowledge of the types of vulnerabilities that can potentially be passed via this user-supplied data. If built correctly, this testing system will begin to find areas of the software program that fail when tested; thus, pointing out vulnerable code.

In conclusion, a thorough understanding of the software, comprehensive research, an understanding of potential vulnerabilities associated with a programs internal components, and lots of practice enables eEye to discover software vulnerabilities. Since training on this subject is hard to come by, I hope this overview was helpful in providing you with a little background on what it takes to find vulnerabilities.

Marc Maiffret
Chief Hacking Officer
eEye Digital Security

P.S. If you are interested in reading a bit more about reverse engineering and binary auditing from a security perspective, be sure to check out the link to "Auditing Closed-Source Applications" in our Etcetera section below.

Newsbyte: Microsoft Patches Ten New Security Bugs In IIS
"Microsoft released a bundle of software patches today that close several 'critical' security holes in its popular Web server." Full Article

Newsbytes: Security Bug Disclosure Standard Dead In the Water
"Proponents of an effort to standardize the handling of computer security vulnerabilities today aborted the effort after receiving critical comments from reviewers." Full Article

Network World: Sniffing with Iris
"In larger networks the problem of figuring out how the system broke or what went wrong can be extremely difficult. And when you are trying to reconstruct something as complex as a virtual breaking and entering any help you can muster could, at the very least, save your sanity." Full Article

USA Today: FBI Survey Finds Computer Attacks Up
"Most large corporations and government agencies have been attacked by computer hackers, but they frequently do not inform authorities of the breaches, an FBI survey finds." Full Article

Q: Does SecureIIS stop more than just IIS specific attacks?

A: One of the best things about SecureIIS is that not only can it stop both known and unknown IIS (Internet Information Services) specific attacks, but that it can also prevent attacks launched against any third-party web server applications or custom web page scripts. This ability provides clients with a pro-active security QA assessment that will keep web servers safe in the event that an engineer may have made have overlooked a security issue during development.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

eEye Partners With St. Bernard Software to Bundle Retina and UpdateEXPERT
We are pleased to announce the exciting news that eEye Digital Security has partnered with St. Bernard Software to bundle two best-of-breed products. Through this partnership we are addressing two of the most critical aspects of proactive security: vulnerability assessment and remediation.

Click here to view the press release: http://www.eeye.com/html/press/PR2002048.html Full Article

SecureIIS 1.2.6 Is Now Available
This latest version of SecureIIS has made a great leap in overall protection of your web servers, including protection covering a new class of attack discovered and researched by eEye. We at eEye, as always, like to bring you cutting-edge and complete security unmatched by any other product.

If you are a SecureIIS user and have not yet downloaded and installed this new version, we urge you to do so as soon as is convenient. Full Article

Online Product Demonstrations
eEye Digital Security is offering the unique opportunity to participate in online live demonstrations of Retina (winner of the Network World 2002 Blue Ribbon Award for best vulnerability assessment scanner) and SecureIIS (voted by Windows 2000 magazine as one of the Three Great Security Tools). Through interaction with an eEye team member, you will see a real-time Retina scan and SecureIIS in action. Live Demos provide the opportunity to learn about:

• The company behind the products
• The role of eEye products in protecting your networks
• Key features and capabilities of SecureIIS and Retina

Paper - Auditing Closed-Source Applications
For further reading on our Tech Talk article topic "A Strategic Guide To Discovering Software Vulnerabilities", check out HalVar Flake's advanced concept paper. The topic focus on researching applications in a security context, and include reverse engineering and stress testing at the network level. More

Ryan Permeh on Hack Proofing Your Network
eEye engineer Ryan Permeh collaborated with several others to complete Hack Proofing your Network Volume 2 which is now available in bookstores.

This book follows up the first edition's successful tradition of bringing some of the best minds in computer security together to give a different take on network security. The hack-proofing series focuses on in depth technical ways of attacking your network, setting it apart from most other "hacking" texts available today.

Ryan's chapter focusing on what a buffer overflow attack is, and how to exploit it, also includes contributions from eEye engineer Riley Hassell. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.