Book Review: A Bug Hunter’s Diary

This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone I was already familiar with through his website, and we even reference his tool ScoopyNG in Chapter 17 of PMA.

For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you if you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. Having a couple pages on defining a buffer overflow or type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!

The fun part about this book is that Tobias takes you through the exact steps he took while finding a software vulnerability (finding the vuln -> exploit -> patch). The book is well-written and it often goes over the same thing twice back-to-back, which is nice if you don’t pick up things quickly. I found the numbered step-by-step diagrams reviewing the complicated stuff really helpful. He focuses on vulns like buffer overflows and type conversions and stays away from over-talked-about stuff like SQL injection and XSS attacks.

While the majority of the bugs explained are source-code-based buffer overflows, it is really cool to see him diversify and go after 5 different operating systems in the book! The book is laid out with 7 different bugs that Tobias found: 4 with source code diving, 2 with IDA Pro, and 1 with fuzzing. Most of these were found in 2007 and 2008 (the iPhone vuln was found in 2009). It was nice to have a bug he found with something other than reading code line-by-line (Chapter 9’s fuzzer); unfortunately, the fuzzer was naive. It was cool to get some IDA Pro love in a couple chapters. Even though Tobias continually apologizes for not supplying the exploit (I guess it is illegal in Germany), it didn’t bother me one bit.

A highlight for me was when Tobias tells you what happened after he reports each vulnerability (which he always did properly and ethically). In some cases the vendor took 471 days to permanently fix the bug; other times the vendor introduced new bugs :). Interesting to see how vendors responded to him as they didn’t know they’d be in a book.

Three individual bugs were highlights for me. The first was the bug he found in the OS X kernel, which was a known bug from BSD that was patched way back in 1994 but was never fixed in the OS X kernel! The VLC vulnerability he found didn’t have all of the special protection mechanisms that Windows implements because it was compiled with Cygwin instead of Visual Studio, which made his exploitation much easier. I also liked reading how he went about exploiting a NULL pointer dereference, since they are typically not exploitable.

Overall, this was a fun read and much easier to casually enjoy than an epic book like TAOSSA (which has some common themes). This book highlights the fun aspects of bug hunting and has cool stories to go along with each bug.
