Discovery of Vulnerabilities??

Chances are this question has been asked somewhere else, so if it has been, I apologize. But this question has been bugging me for some time now, and with this latest M$ RPC worm running around, I figured, "why the hell not, I'll ask it anyway."

My question is... In general, how are vulnerabilities discovered??

I can understand how more with Linux and various other open-source software since the source code can be obtained and then poured over, studied, tested, etc., then to go and write an exploit. But it seems like that might be slightly more difficult with closed-source stuff, like M$ and just about everything else on the planet. Without access to the souce code to study, how then are vulnerabilities found and exploits written?? Trial and error experimentation?? Leaks from the "inside"? I'm clueless and curious as hell.

Any light that anyone can shed on this would be greatly appreciated. I'm not looking for detailed, step-by-step instructions on how to find a brand new vulnerability or anything, just general info on the process people go through to find these things.

Thanks,
alpha

For one, you have many black hats out there who constantly look for flaws in systems, and won't stop until they find one. A lot of vulnerabilities are found that way. Sometimes, it's through the actual companies themselves, they realize their errors, report them, and publish a patch. Then, you have people that try to find vulnerabilities, similar to the ways black hats do it, except their intention is to inform the public for better security in general.

one of the ways with M$ Operating systems is the error reprt feature ...when you get an error you send a report to MS ...and if they get lot of the same report they are going to write a patch for that error ....or vulnebarity in that case ....

a very annoying feature... but it got the job done ;)

There is also software around that can help find exploits. Holodek (spelling might be wrong) is one.

That is an awesome question. Now that I'm thinking about it, how do some of those vulns get discovered?

I subscribe to several mailing lists, and generally have 5-10 vuln e-mails per day, often with exploit descriptions for that particular vulnerability. Some of them are so specific in thier implimentation, that it'd be near impossible to discover the exploit or the vuln randomly.

Wow, I can' believe that I haven't thought too much about this before! I was assuming that the freakin computer fairy just had me in his/her address book, and was e-mailing me the vulnerabilities.

Well it's not random discovery... it's very smart people who know how the operating systems or programs work, from a programmers point of view (source code, assembly, etc.) If they know and understand all of this, then finding exploits or problems might take time, but it's a very specific process.

Quote:

---

a very annoying feature... but it got the job done

---

you can disable the error report feature by following these steps:

1:Right Click My computer
2: Properties
3:Advanced:
3:Error Reporting
4:choose(check) Disable error reporting....

Vulnerabilities are discovered in a number of ways:

- Accidentally - for example when a 3rd party company develops a client with a bug in, and discovers that this client bug activates a server bug which is exploitable
- Source code analysis - the owners of the source or someone else manually or automatically scan the source code for problems
- "Fuzzers" - these are programs which deliberately throw junk at network servers.

If a bug is suspected, it may then be tested by throwing the right kind of junk at the server with a debugger attached. A popular technique is to overflow a string with "ABCDEFGH..." and then wait for the crash, then examine the instruction pointer to find out which part of the alphabet it was in.

Slarty

Thank you all for replying...it's shed some more light onto the subject.

Well, after posting last night, I dug up a copy of an old 2600 that had an article about finding and exploiting bugs. So I read that through and it and it answered a few questions, basically saying to play around with extremes. Stuff like how variables in code only supposed to read in values of a certain size, so what happens if you try one either way to small or way too big depending on what's expected. It also said to look at parts of code where a bug as already been discovered, thinking that where there's one there could be others...

I'm still curious about how it's done for closed-source software, like M$. I know I asked for general answers when I started this, but I'd like to ask for slightly more detailed answers (i.e., what is the detailed process that Plastic mentioned??), for which I do apologize. Any additional info would be greatly answered.

Thanks again all,
alpha