C/C++ Source Code Auditing, for developers, and vulnerability hunters

Xeno Kovah
January, 2024

Abstract

This is a dual-audience class. It is for both developers who want to learn how to write code without introducing new vulnerabilities (or how to detect existing vulnerabilities in their own code). But it’s also a class for aspiring code auditors and freelance vulnerability hunters. So it’s an epic battle between contentious developers and devious vulnerability hunters! Who will win?! Whoever most takes the lessons of this class to heart!

This class covers the following 10 vulnerabilities. Linear stack buffer overflows, linear heap buffer overflows, non-linear out-of-bound writes, integer overflows/underflows, “other integer issues” (signed sanity checks, integer truncation, and sign extension), uninitialized data access, race conditions (double fetch and Time of Check, Time of Use (TOCTOU)), use-after-free (UAF), type confusion, and information disclosure.

For each topic area we explain at least 6 real vulnerabilities. And for at least one of those vulnerabilities we explain how it could be exploited, so that students can understand that exploitation engineering is just a typical engineering discipline, akin to a specialized form of software engineering. And thus even when vulnerabilities perhaps don’t look exploitable, they still often are. At the end of each topic area, we cover prevention, detection, and mitigation options for dealing with that vulnerability type.

The full class takes about 5 days. However, this class structure was originally created by Xeno as the basis for an Apple-internal training for its developers, while Xeno worked there. In that quick-form, less vulnerabilities were used, and it was done in a single day. Xeno has also been contracted to customize the vulnerabilities covered in this class for companies that wanted to provide more targeted Secure Development curriculum for their developers.

If you’re interested in teaching your C/C++ developers, or junior vulnerability hunters, reach out to us with info about how many students you’d like us to teach, and where.

Real vulnerabilities covered in class:
  1. Linear Stack Buffer Overflows
    1. CVE-2021-21574 “BIOS Disconnect” (Includes exploit walkthrough)
    2. CVE-2018-9312
    3. CVE-2018-9318
    4. CVE-2020-10005
    5. CVE-2021-43579
    6. CVE-2021-20294
    7. CVE-2022-0435
    8. CVE-Unknown Samsung Baseband
  2. Linear Heap Buffer Overflows
    1. CVE-2020-0917 (Includes exploit walkthrough)
    2. CVE-2019-7287
    3. CVE-2020-11901 1 (Part of “Ripple20”)
    4. CVE-2020-25111 (Part of “Amnesia33”)
    5. CVE-2020-27009 (Part of “NAMEWRECK”)
    6. CVE-2021-21555
    7. CVE-2021-42739
  3. Non-linear Out-of-Bounds Writes (OOB-W)
    1. CVE-2019-10540 (Includes exploit walkthrough)
    2. CVE-2020-0938 (Was a 0day)
    3. CVE-2020-1020 (Was a 0day)
    4. CVE-2020-13995
    5. CVE-2020-27930 (Was a 0day)
    6. CVE-2021-26675 “T-BONE”
    7. CVE-2021-28216
    8. CVE-2022-25636
  4. Integer Overflows/Underflows
    1. CVE-2020-0796 “SMBGhost” (Includes exploit walkthrough)
    2. CVE-2019-5105
    3. CVE-2019-3568 (Was a 0day)
    4. CVE-2019-14192
    5. CVE-2020-11901 (Part of Ripple20)
    6. CVE-2020-16225
    7. CVE-2021-22636 (Part of “BadAlloc”)
    8. CVE-2021-30860
  5. Other Integer Issues
    1. CVE-2019-15948 (Includes exploit walkthrough)
    2. CVE-2019-14196
    3. CVE-2020-15999 (Was a 0day)
    4. CVE-2020-17087 (Was a 0day)
    5. CVE-2019-20561
    6. CVE-2021-33909 “Sequoia”
  6. Uninitialized Data Access (UDA)
    1. CVE-2022-26721
    2. CVE-2022-1809
    3. CVE-2021-3608
    4. CVE-2022-29968
    5. CVE-2019-1458 (Exploited in the wild, 0day, includes exploit walkthrough)
    6. CVE-2021-27080
  7. Race Conditions (including double fetch and Time of Check, Time of Use (TOCTOU))
    1. CVE-2019-11098 (Includes exploit walkthrough)
    2. CVE-2021-4207
    3. CVE-2021-34514
    4. 2022 no CVE assigned, Microsoft Mu
    5. CVE-2020-7460
    6. 2019 no CVE assigned, Qualcomm baseband firmware
  8. Use After Free (UAF)
    1. CVE-2020-29661 (Includes exploit walkthrough)
    2. CVE-2021-28460
    3. CVE-2020-2674
    4. CVE-2021-36955
    5. CVE-2020-9715
  9. Type Confusion
    1. CVE-2021-1732 (Exploited in the wild, 0day, includes exploit walkthrough)
    2. CVE-2022-21882 (Exploited in the wild, 0day, includes exploit walkthrough)
    3. CVE-2020-3853
    4. CVE-2019-14192 (Exploited in the wild, 0day)
    5. CVE-2021-30869 (Exploited in the wild, Nday)
    6. CVE-2021-30857
    7. CVE-2021-41073
  10. Information Disclosure
    1. CVE-2022-22252
    2. CVE-2022-29181
    3. CVE-2020-9833
    4. CVE-2021-3947
    5. CVE-2020-25624
    6. CVE-2019-8921
    7. CVE-2021-22898
    8. CVE-2021-22925
Request Training Quote

Secure Development Source Code Auditing Vulnerability Assessment Vulnerability Prevention Vulnereability Detection Vulnerability Mitigation Stack Buffer Overflow Heap Buffer Overflow Out-of-Bounds Writes OOB-W Integer Overflow Integer Underflow Signed Sanity Checks Integer Truncation Sign Extension Uninitialized Data Access UDA Race Conditions Double Fetch Time of Check Time of Use TOCTOU Use After Free UAF Type Confusion Information Disclosure Info Leak
Xeno Kovah
Xeno Kovah
Dark Mentor Level X

Hacking firmware like it’s no big deal.