In this article, we will take a look at a technique for bug hunting in open source projects by using version tracking information. In this particular case, we will look at Firefox and its Mercurial setup. By identifying patches that are tied to bugs that are not publicly readable, we are able to identify specific fixes for potential security issues in a major web browser, often before the fixed release is pushed. This is also an excellent way of coming up with proof-of-concept code for N-day bugs.
Browsing the Repos
Mozilla keeps its Mercurial release repositories at https://hg.mozilla.org/releases.
Go ahead and locate the mozilla-beta repository in that listing.
You should notice the diff button on the left side of each commit in these repositories. By clicking any of these, we can see exactly what was modified during that commit. You should also notice that some of the commits are clearly marked with links to bugzilla.mozilla.org. If you click on a few of these links, you will undoubtedly encounter a permission denied page like the one below: the bug is restricted to a security group, even though the patch that fixes it is already public in the repository.
Here’s an example of a patched race condition in the extended support release (ESR).
As you can see, this is a quick and easy way of identifying offending code with security implications without using a tool like Meld or WinMerge. Both of these tools are excellent, and I use them all the time during vulnerability research.
Automating the Process
While browsing the commits earlier, you should have noticed that new commits that are not tied to a bug are clearly marked "No bug" in the description, while bug fixes are clearly marked "Bug NNNNNN" followed by a link to the bug. We will use BeautifulSoup and urllib3 in Python for scraping specific branches and identifying potential security patches: a commit whose Bugzilla link returns permission denied is the one worth diffing. For OPSEC reasons, the script tunnels its requests through Privoxy and Tor, so that the Bugzilla lookups do not come from your own address.
sudo apt-get install tor privoxy
sudo bash -c "echo 'forward-socks4a / localhost:9050 .' >> /etc/privoxy/config"
sudo service tor restart
sudo service privoxy restart
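The triage logic described above, as an added example that is not the author's script: it splits "Bug NNN" commits from "No bug" commits on a shortlog page and flags those whose Bugzilla page reads as permission denied. To stay runnable offline it uses only the standard library (html.parser and urllib.request through the Privoxy port) instead of BeautifulSoup and urllib3. The shortlog markup, the Privoxy address 127.0.0.1:8118 and the wording of Bugzilla's denied page are assumptions to be checked against the live pages.

```python
"""Triage hg.mozilla.org commits: which ones fix a bug you are not allowed to read?

Added example for this article; not the author's script. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.request import ProxyHandler, build_opener

# Privoxy's default listen address (assumed); with the forward-socks4a line
# from the setup above it relays every request to Tor on port 9050.
PRIVOXY = "http://127.0.0.1:8118"
BUGZILLA = "https://bugzilla.mozilla.org/show_bug.cgi?id=%d"

BUG_RE = re.compile(r"\bbug\s+(\d+)", re.IGNORECASE)
NO_BUG_RE = re.compile(r"\bno bug\b", re.IGNORECASE)
# Phrases assumed to appear on Bugzilla's restricted-bug page; adjust after
# looking at one real denied page.
DENIED_MARKERS = ("not authorized to access bug", "access denied")

# Constructed sample of a shortlog page. Real hg.mozilla.org markup differs in
# detail; the parser relies only on each commit being an <a> whose href ends
# in /rev/<hash> and whose link text is the commit description.
SAMPLE_SHORTLOG = """
<table class="shortlogtable">
<tr><td class="age">2 hours ago</td><td class="author">alice</td>
    <td class="description"><a href="/releases/mozilla-beta/rev/abc123">Bug 111111 - Avoid racing on the cache pointer. r=bob</a></td></tr>
<tr><td class="age">3 hours ago</td><td class="author">release</td>
    <td class="description"><a href="/releases/mozilla-beta/rev/def456">No bug - Bump version to 99.0b3. a=release</a></td></tr>
<tr><td class="age">5 hours ago</td><td class="author">carol</td>
    <td class="description"><a href="/releases/mozilla-beta/rev/789abc">Bug 222222, bug 333333 - Harden length checks in the parser. r=dave</a></td></tr>
</table>
"""


class ShortlogParser(HTMLParser):
    """Collects (rev, description) pairs from the commit links on a shortlog page."""

    def __init__(self):
        super().__init__()
        self.commits = []
        self._rev = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and "/rev/" in href:
            self._rev = href.rsplit("/", 1)[-1]
            self._text = []

    def handle_data(self, data):
        if self._rev is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._rev is not None:
            self.commits.append((self._rev, "".join(self._text).strip()))
            self._rev = None


def classify(description):
    """("bug", [ids]) for bug fixes, ("no bug", []) for No-bug commits, else ("unknown", [])."""
    ids = [int(n) for n in BUG_RE.findall(description)]
    if ids:
        return ("bug", ids)
    if NO_BUG_RE.search(description):
        return ("no bug", [])
    return ("unknown", [])


def parse_shortlog(html):
    """Every commit on the page as a dict with rev, description, kind and bug ids."""
    parser = ShortlogParser()
    parser.feed(html)
    return [dict(rev=rev, description=desc, kind=classify(desc)[0], bugs=classify(desc)[1])
            for rev, desc in parser.commits]


def looks_restricted(bugzilla_body):
    """True when a fetched Bugzilla page reads like the permission-denied page."""
    low = bugzilla_body.lower()
    return any(marker in low for marker in DENIED_MARKERS)


def tor_opener(proxy=PRIVOXY):
    """urllib opener that sends every request through Privoxy, and so through Tor."""
    return build_opener(ProxyHandler({"http": proxy, "https": proxy}))


def hidden_bug_commits(html, fetch):
    """Commits whose every referenced bug is restricted: the candidates to diff.

    fetch(url) must return the page body as str. Pass a stub for offline use or
    lambda u: tor_opener().open(u, timeout=30).read().decode("utf-8", "replace")
    to go through Privoxy/Tor for real.
    """
    hits = []
    for commit in parse_shortlog(html):
        if commit["kind"] != "bug":
            continue
        if all(looks_restricted(fetch(BUGZILLA % bug)) for bug in commit["bugs"]):
            hits.append(commit)
    return hits


if __name__ == "__main__":
    # Constructed stub: bugs 111111 and 222222 are restricted, 333333 is public.
    restricted = {111111, 222222}
    stub = lambda url: ("You are not authorized to access bug"
                        if int(url.rsplit("=", 1)[1]) in restricted else "<html>public</html>")
    for commit in hidden_bug_commits(SAMPLE_SHORTLOG, stub):
        print(commit["rev"], commit["bugs"], commit["description"])
```

Only commits where every linked bug is denied are reported; a commit that references one public and one hidden bug is usually a shared cleanup rather than the fix itself, so it is left out to keep the list short. Run against a live branch, the rev values feed straight into the diff pages from the first section.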