What is the most probable way that vulnerabilities like CVE-2014-4148 are discovered? How long does it take to find such a vulnerability? Are there other ways? Which is the most successful one?

assp1r1n3
  • Sometimes, someone is facing a bug and it reveals a vulnerability. Mostly, CVEs are found by fuzzing and reversing applications, in this case the Windows kernel code. – r00t Jun 22 '15 at 12:27
  • So you suppose that the "Duqu" development team were just randomly fuzzing different parts of Windows Kernel? – assp1r1n3 Jun 22 '15 at 12:29
  • Yes, I suppose they have been fuzzing the Windows API and looking for a kernel mode vulnerability. – r00t Jun 22 '15 at 12:31
  • This question should include a brief description of what the vulnerability is, and not just a CVE number. – kasperd Jun 22 '15 at 14:33
  • We can't really keep this question in the format it is. First, there is a general question on the topic, so you should explain why your CVE doesn't fit the general case. Second, you should summarise the CVE and its attack vector in the question to make it self-contained. Third, you should refrain from asking multiple questions at a time, especially questions such as "How long does it take" or "which is the most successful". Unfortunately little research data is available to provide a complete and objective answer to such questions. – Steve Dodier-Lazaro Jun 24 '15 at 12:51

1 Answer

Fuzzing and reversing. Kernel mode vulnerabilities can be discovered by fuzzing the working code, and if any memory corruption occurs, you can try to reverse the app and try to write a suitable exploit for it. But it is illegal, you must know it :)

caner
  • What is the chance of finding a vuln like the one above? Are there any other ways? – assp1r1n3 Jun 22 '15 at 12:30
  • The vulnerability CVE-2014-4148 is an MS exploit, so you cannot reach its source code; you must reverse it and fuzz it. I don't know another way to do it. Also there is really little chance you can find one. To increase your chance you can read vulnerability research books or exploit dev books and essays. – caner Jun 22 '15 at 12:34
  • The guys who found it were really lucky despite their qualifications, right? – assp1r1n3 Jun 22 '15 at 12:37
  • Yeah, they are lucky, but preparing its exploit is not only luck :) I think they are experienced and determined people. – caner Jun 22 '15 at 12:40
  • Yes, as @caner said, they are experienced and they might have been searching for a long, long time. – r00t Jun 22 '15 at 13:00
  • @r00t how long do you think? – assp1r1n3 Jun 22 '15 at 13:01
  • Really difficult to answer. It really depends, but personally I think a team has been searching (not one guy only) with really good knowledge of Windows internals. I would say several weeks/months for sure. – r00t Jun 22 '15 at 13:04