Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Apple macOS 6LowPAN Vulnerability (CVE-2020-9967)- 363

Alex Plaskett, posted 5 years ago
  • CodeQL lets you query code as though it were data. On top of that it can do taint analysis, following attacker-controlled values from where they enter the program to where they are used, which makes it a good way to find anti-patterns.
  • The author wrote a CodeQL query to track user-controlled sizes and the places they are used. A user-controlled size is NOT a vulnerability by itself, but it is a good pattern to hunt for when looking for bugs. The query returned several results, and a single one of them led to memory corruption.
  • Two main bugs occur while parsing a frame. First, the header length is subtracted from the buffer length even when the packet is invalid: if the buffer length is smaller than the header length being subtracted, the unsigned subtraction wraps around and the result becomes a very large positive number.
  • The second bug, also size-related, is that a buffer is allocated from the size passed in, but the writes into it are not restricted to that size. So while the data is being uncompressed, the writes run past the allocation and overflow into a linked list structure.
  • To me, the interesting thing was the usage of CodeQL. CodeQL did not discover the bug, but it gave a nice place to point to in order to look for bugs. I may be adding this to my toolbox in the near future.
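As an added illustration of the two bug classes summarized above (this is example code written for this page, not code from the NCC Group post or from Apple's 6LoWPAN stack): a hypothetical frame format carries a header length and a claimed decompressed size; the unchecked subtraction wraps `size_t` on a short frame, the expander sizes its buffer from the claimed size but never bounds its writes by it, and the hardened parser applies both checks. The frame layout, the run-length toy compression, the `LINK_BYTES` model of the neighbouring list structure and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (an assumption, not the 6LoWPAN wire format or Apple's parser):
 *   frame[0] = header length H (counted from frame[0]),  frame[1] = claimed decompressed size S,
 *   frame[2..H-1] = ignored header fields,  frame[H..] = (count, value) run-length pairs. */
#define LINK_BYTES 8  /* bytes after the S-byte buffer, standing in for a neighbour's list link */

/* Bug 1: frame_len - hdr_len with no check. A header claiming more bytes than the
 * frame holds wraps size_t to a huge value that later bounds decisions then trust. */
size_t payload_len_unchecked(size_t frame_len, size_t hdr_len)
{
    return frame_len - hdr_len;
}

/* Fix for bug 1: reject a frame shorter than the header it claims. */
int payload_len_checked(size_t frame_len, size_t hdr_len, size_t *out)
{
    if (hdr_len > frame_len)
        return -1;
    *out = frame_len - hdr_len;
    return 0;
}

/* Bug 2: the buffer was allocated with S bytes, but the expander never consults S
 * and writes until the input runs out, so sum(count) > S runs off the end.
 * arena_len is only this demo's safety stop (S + LINK_BYTES) so the overrun lands
 * in memory we own rather than the real heap. Returns bytes written. */
size_t expand_unbounded(const uint8_t *in, size_t in_len, uint8_t *arena, size_t arena_len)
{
    size_t w = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        for (uint8_t k = 0; k < in[i] && w < arena_len; k++)
            arena[w++] = in[i + 1];
    return w;
}

/* Fix for bug 2: every run is checked against the allocation before it is
 * written. Returns bytes written, or -1 if the payload would exceed cap. */
long expand_bounded(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap)
{
    size_t w = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        if ((size_t)in[i] > cap - w)   /* w <= cap always holds, so this cannot wrap */
            return -1;
        memset(out + w, in[i + 1], in[i]);
        w += in[i];
    }
    return (long)w;
}

/* Vulnerable flow on a frame whose header length is consistent: how many of the
 * LINK_BYTES behind the S-byte buffer the expansion overwrote (non-zero = corruption). */
size_t link_bytes_clobbered(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || (size_t)frame[0] > frame_len)
        return 0;                  /* keep this demo's reads inside the frame */
    size_t hdr_len = frame[0], claimed = frame[1];
    size_t plen = payload_len_unchecked(frame_len, hdr_len);
    uint8_t arena[255 + LINK_BYTES];
    memset(arena, 0xEE, sizeof arena);
    size_t w = expand_unbounded(frame + hdr_len, plen, arena, claimed + LINK_BYTES);
    return w > claimed ? w - claimed : 0;
}

/* Hardened flow with both fixes. 0 = ok, -1 = frame shorter than its header,
 * -2 = payload expands past the claimed size, -3 = claimed size exceeds out_cap. */
int parse_frame_fixed(const uint8_t *frame, size_t frame_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t plen;
    if (frame_len < 2 || frame[0] < 2 || payload_len_checked(frame_len, frame[0], &plen) != 0)
        return -1;
    if (frame[1] > out_cap)
        return -3;
    long n = expand_bounded(frame + frame[0], plen, out, frame[1]);
    if (n < 0)
        return -2;
    *out_len = (size_t)n;
    return 0;
}

/* Constructed frames for the demo, not captured traffic. */
static const uint8_t BAD_FRAME[]   = {0x02, 0x04, 0x03, 'A', 0x05, 'B'}; /* claims 4, expands to 8 */
static const uint8_t GOOD_FRAME[]  = {0x02, 0x04, 0x02, 'A', 0x02, 'B'}; /* claims 4, expands to 4 */
static const uint8_t SHORT_FRAME[] = {0x09, 0x04, 0x01};                 /* header longer than frame */

int main(void)
{
    uint8_t out[256];
    size_t n = 0;
    printf("3 - 5 as size_t wraps to %zu\n", payload_len_unchecked(3, 5));
    printf("bad frame overwrites %zu link bytes\n", link_bytes_clobbered(BAD_FRAME, sizeof BAD_FRAME));
    printf("fixed parser, bad frame:   %d\n", parse_frame_fixed(BAD_FRAME, sizeof BAD_FRAME, out, sizeof out, &n));
    printf("fixed parser, short frame: %d\n", parse_frame_fixed(SHORT_FRAME, sizeof SHORT_FRAME, out, sizeof out, &n));
    int rc = parse_frame_fixed(GOOD_FRAME, sizeof GOOD_FRAME, out, sizeof out, &n);
    printf("fixed parser, good frame:  %d, %zu bytes: %.4s\n", rc, n, out);
    return 0;
}
```

The check in `expand_bounded` is written as `count > cap - w` rather than `w + count > cap` on purpose: the subtraction cannot wrap because `w` never exceeds `cap`, whereas the addition form is the same shape of unsigned arithmetic that produced the first bug. The CodeQL angle from the bullets maps onto this code directly: `frame[0]` and `frame[1]` are the user-controlled sizes, and the query's job is to surface every place they flow into a subtraction, an allocation or a write bound so that a human can check each one.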