Bug Hunting with Mercurial

In this article, we will take a look at a technique for bug hunting in Open Source projects by using version tracking information. In this particular case, we will look at Firefox and their Mercurial setup. By identifying patches that are connected to bugs with public reading turned off, we are able to identify specific fixes for potential security issues in a major web browser, often before releases are pushed. This is also an excellent way of coming up with Proof of Concept code for N-day bugs.

Browsing the Repos

Mozilla hosts its release Mercurial repositories at https://hg.mozilla.org/releases. Go ahead and locate the mozilla-beta repository in that list. You should notice the diff button on the left side of each commit in these repositories. By clicking any of these, we can see exactly what was modified during that commit. You should also notice that some of the commits are clearly marked with links to bugzilla.mozilla.org. If you click on a few of these links, you will undoubtedly encounter a permission denied page like the one below.

[Image: Bugzilla report (permission denied page)]

Here’s an example of a patched race condition in the extended support release (ESR).

[Image: ESR race condition diff]

As you can see, this is a quick and easy way of identifying offending code with security implications without using a tool like Meld or WinMerge. Both of these tools are excellent, and I use them all the time during vulnerability research.

Automating the Process

While browsing the commits earlier, you should have noticed that commits which are not bug fixes are clearly marked as "No bug" in the description, while bug fixes are clearly marked with "Bug" followed by a link to the bug. We will use BeautifulSoup and urllib3 in Python to scrape specific branches and identify potential security patches: commits whose linked bug is not publicly readable. For OPSEC reasons, the script tunnels its requests through privoxy and tor.

sudo apt-get install tor privoxy
sudo bash -c "echo 'forward-socks4a / localhost:9050 .' >> /etc/privoxy/config"
sudo service tor restart
sudo service privoxy restart
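
The core of the classification step, as an added example that is not the article's script: it parses a constructed snippet shaped like an hg web log, splits commits into "No bug" entries and entries referencing a Bugzilla id, and then flags the ids whose bug page comes back access-restricted. It uses only the standard library rather than BeautifulSoup and urllib3, the network fetch (and the tor/privoxy tunnel) is replaced by a constructed lookup table so it runs offline, and the class="desc" anchor markup and the "not authorized" wording are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample shaped like an hg web shortlog; the real markup on hg.mozilla.org differs.
SAMPLE_LOG = """
<table>
<tr><td><a class="desc" href="/rev/a1b2c3">Bug 1000001 - Fix use of stale pointer in Foo. r=bar</a></td></tr>
<tr><td><a class="desc" href="/rev/d4e5f6">No bug - Update comment. r=baz</a></td></tr>
<tr><td><a class="desc" href="/rev/0a1b2c">Bug 1000002 - Add telemetry probe. r=qux</a></td></tr>
</table>
"""

BUG_RE = re.compile(r"^\s*bug\s+(\d+)", re.IGNORECASE)      # "Bug 1000001 - ..."
NO_BUG_RE = re.compile(r"^\s*no\s+bug\b", re.IGNORECASE)    # "No bug - ..."

class DescParser(HTMLParser):
    """Collect (href, description) pairs for anchors carrying class="desc" (assumed markup)."""
    def __init__(self):
        super().__init__()
        self.entries, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "desc" in (a.get("class") or "").split():
            self._href, self._text = a.get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.entries.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_commits(html):
    """Return {'no_bug': [hrefs], 'bug': {bug_id: href}} from a log page."""
    p = DescParser(); p.feed(html)
    out = {"no_bug": [], "bug": {}}
    for href, desc in p.entries:
        m = BUG_RE.match(desc)
        if m:
            out["bug"][m.group(1)] = href
        elif NO_BUG_RE.match(desc):
            out["no_bug"].append(href)
    return out

def is_restricted(status, body):
    """Bugzilla serves an error page for bugs in a security group; status/wording assumed."""
    return status in (401, 403) or "not authorized" in body.lower()

def find_restricted(html, fetch):
    """fetch(bug_id) -> (status, body); returns the bug ids that are access-restricted."""
    return sorted(b for b in classify_commits(html)["bug"] if is_restricted(*fetch(b)))

# Constructed responses standing in for bugzilla.mozilla.org/show_bug.cgi?id=<bug_id>.
FAKE_RESPONSES = {"1000001": (401, "<p>You are not authorized to access bug 1000001.</p>"),
                  "1000002": (200, "<h1>Add telemetry probe</h1>")}
```

Running `find_restricted(SAMPLE_LOG, FAKE_RESPONSES.__getitem__)` yields `['1000001']`, the commit worth diffing first; in the real script the fetch callable would be an urllib3 request routed through privoxy.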

Example Output

[Image: Example output of the script]

Happy Hunting!
