This document discusses various techniques for discovering software vulnerabilities, including fuzzing. It provides background on fuzzing and outlines the different phases of a fuzzing process. It then demonstrates examples of fuzzing file formats using FileFuzz and fuzzing web applications using WebFuzz. The document also discusses fuzzing COM objects using COMRaider. Throughout, it emphasizes identifying the target, inputs, generating fuzzed data, executing tests, monitoring for exceptions, and determining exploitability.
1. Contains VeriSign Confidential and Proprietary Information
Fuzzing
Brute Force Vulnerability Discovery
Michael Sutton
Director, iDefense Labs
msutton@idefense.com
2. 2
Contains VeriSign Confidential and Proprietary Information
Agenda
+ Background
▪ What is fuzzing and who should do it?
+ Phases
▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
▪ What can be fuzzed?
+ Automation
▪ Making the theoretical practical
+ Tools/Demos
▪ FileFuzz
▪ WebFuzz
▪ COMRaider
+ Advanced topics
+ The future or fuzzing
3. 3
Contains VeriSign Confidential and Proprietary Information
Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box
testing. A software testing technique whereby explicit knowledge of
the internal workings of the item being tested are used to select the
test data.”
▪ Webopedia
+ Source code review
▪ Static analysis
▪ Pros
– Coverage
▪ Cons
– Dependencies
– Are we testing reality?
• Compiler issues
• Implementation scenarios
4. 4
Contains VeriSign Confidential and Proprietary Information
Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the
internal workings of the item being tested are not known by the tester.”
▪ Webopedia
+ Reverse engineering
▪ Static analysis
▪ Pros
– Complex vulnerabilities uncovered
▪ Cons
– Time consuming
– Deep knowledge required
+ Fuzzing
▪ Dynamic analysis
▪ Pros
– Relatively simple
– Realistic
▪ Cons
– Coverage
– Complex vulnerabilities missed
5. 5
Contains VeriSign Confidential and Proprietary Information
What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to
attach the inputs of a program to a source of random data ("fuzz"). If the
program fails (for example, by crashing, or by failing built-in code
assertions), then there are defects to correct.
The great advantage of fuzz testing is that the test design is extremely
simple, and free of preconceptions about system behavior.”
▪ Wikipedia
+ “Unexpected input causes unexpected results.”
▪ Michael Sutton
6. 6
Contains VeriSign Confidential and Proprietary Information
Who should fuzz?
+ Security researchers
▪ Reactive
+ QA Teams
▪ Proactive
+ Developers
▪ Proactive
Design
Development
Quality Assurance
Production Researchers
QA Teams
Developers
7. 7
Contains VeriSign Confidential and Proprietary Information
What can fuzzing do for you?
+ MS06-01 - Graphics Rendering Engine Vulnerability
▪ aka “Windows WMF Vulnerability”
▪ Appears to have been discovered through fuzzing
▪ Evidence
– Google search on strings in initial exploit identified probable source file
• JNK = c, Jun N, terminal, kitase
• kitase kinase
– At the time, Google didn’t recognize WMF file types and therefore treated them as text
allowing a search for strings within the binary
– Diffing original file and exploit revealed evidence that fuzzing was used to discover the
vulnerability
AIF = apoptosis-inducing factor
ANF = atrial natriuretic factor
apaf = apoptotic protease-activating factor
ARC = apoptosis repressor with caspase
recruitment domain
BH = bcl-2 homology
CASH = caspase homologue
CD = cluster of differentiation
DED = death effector domain
DR = death receptor
ERK = extracellular signal-regulated kinase
FADD = Fas-associated death domain protein
FasL = Fas ligand
FLAME-1 = FADD-like antiapoptotic
molecule
FLICE = FADD-homologous ICE/Ced-3-like
protease
FLIP = FLICE-inhibitory proteins
I kappa B = inhibitor of NF kappa B
I-FLICE = inhibitor of FLICE
IAP = inhibitor of apoptosis protein
ICE = interleukin-1 beta-converting enzyme
IGF = insulin-like growth factor
JNK = c-Jun N-terminal kinase
MAPK = mitogen-activated protein kinase
MEK = MAPK/ERK kinase
MEKK = MEK kinase
NF kappa B = nuclear factor kappa B
NGF = nerve growth factor
PI-3 kinase = phosphatidylinositol-3 kinase
PKB, PKC = protein kinase B and C
RAIDD = RIP-associated ICH-1/Ced-3-
homologous death domain protein
RIP = receptor-interaction protein
SAPK = stress-activated protein kinase
SEK = SAPK/ERK kinase
TdT = terminal deoxynucleotidyltransferase
TNF = tumor necrosis factor
TNFR = TNF receptor
TRADD = TNFR-associated death domain
protein
TRAF = TNFR-associated factor
TRAIL = TNF-related apoptosis-inducing
ligand
TUNEL = TdT-mediated dUTP nick end-
labeling
zVAD.fmk = benzyloxycarbonyl-valine-alanine-
aspartate fluoromethylketone
8. 8
Contains VeriSign Confidential and Proprietary Information
Phases
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
9. 9
Contains VeriSign Confidential and Proprietary Information
Fuzzer Classes
+ Command line arguments
+ Environment variables
▪ Sharefuzz (www.immunitysec.com)
+ Web applications
▪ WebFuzz (Demo)
+ File formats
▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)
10. 10
Contains VeriSign Confidential and Proprietary Information
Automation
+ Test cases
▪ Approach
– Pre-generated test cases
▪ Tools
– PROTOS Test Suites
▪ Pro
– Consistency
▪ Con
– Static
– Time consuming
11. 11
Contains VeriSign Confidential and Proprietary Information
Automation
+ Brute force fuzzing
▪ Approach
– Raw byte manipulation
▪ Tool(s)
– FileFuzz
▪ Pro
– Simple
▪ Con
– Inefficient
– Fails to account for dependent values (e.g. checksums)
12. 12
Contains VeriSign Confidential and Proprietary Information
Automation
+ ‘Intelligent’ fuzzing
▪ Approach
– Templates developed based on protocol definitions
▪ Tools
– SPIKE
– SPIKEfile
▪ Pro
– Efficient
▪ Con
– Time consuming
14. 14
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Identify Target
+ Application vs. file type
▪ One file type multiple targets
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Default file handlers
– Windows Explorer
– Windows Registry
▪ Commonly traded file types
– Media files
– Office documents
– Configuration files
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
15. 15
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Identify Inputs
+ Proprietary vs. open formats
▪ Vendor documents
▪ Wotsit.org
▪ Google
+ Binary files
▪ e.g. images, video, audio, office
documents, etc.
▪ Headers vs. data
+ Text files
▪ e.g. *.ini, *.inf, *.xml
▪ Name/value pairs
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
16. 16
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Generate Fuzzed Data
+ Binary files
▪ Breadth (All or Range)
– Identify potential weaknesses
FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
▪ Depth
– Determine level of control/influence
D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
+ Text Files
▪ name = value
file_size = 10
file_size = AAAAA
file_size = AAAAAAAAAA
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
17. 17
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Execute Fuzzed Data
+ Command line arguments
▪ Windows explorer
– Tools…Folder Options…File Types
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
18. 18
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Monitor for Exceptions
+ Visual
▪ Error messages
▪ Blue screen
+ Event logs
▪ System logs
▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
19. 19
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Library - libdasm
▪ Capture
– Memory location
– Registry values
– Exception type
+ Kill
▪ Set timeout
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
[*] "crash.exe" "C:Program FilesWordPerfect Office
12ProgramsUA120.exe" 2000 /qt c:fuzzast8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
20. 20
Contains VeriSign Confidential and Proprietary Information
FileFuzz – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Vulnerability types
▪ Stack overflows
▪ Heap overflows
▪ Integer handling
– Overflows
– Signedness
▪ DoS
– Out of bounds reads
– Infinite loops
– NULL pointer dereferences
▪ Logic errors
– Windows WMF vulnerability (MS06-001)
▪ Format strings
▪ Race conditions
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
24. 24
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Identify Target
+ Server vs. Application
▪ Targeting applications can uncover server
vulnerabilities
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
– Download site counters
– Google queries (johnny.ihackstuff.com)
▪ External applications
– Wikis
– Web mail
– Discussion boards
– Blogs
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
25. 25
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Identify Inputs
+ Potential input vectors
▪ Method
▪ Request-URI
▪ Protocol
▪ Headers
▪ Cookies
▪ Post data
+ Reconnaissance
▪ Web forms
▪ Authentication
▪ Hidden fields
▪ Client side scripting
+ Manual Tools
▪ Proxies
▪ LiveHTTPHeaders
+ Automated Tools
▪ Spiders
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
26. 26
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
▪ Start with legitimate web request
▪ Build template to mutate requests
+ Request format
+ Fuzz Template
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
[Method] [Request-URI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; InfoPath.1)
Host: [Overflow]
Proxy-Connection: Keep-Alive
27. 27
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Execute Fuzzed Data
+ Fuzz classes
▪ Directory traversal
▪ Format strings
▪ Overflow
▪ SQL Injection
▪ XSS Injection
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
28. 28
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ HTML response
– Error messages
▪ Raw response
– User input
▪ Status codes
+ Kill
▪ Set timeout
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
29. 29
Contains VeriSign Confidential and Proprietary Information
WebFuzz – Determine Exploitability
+ Skills
▪ HTTP
▪ HTML
▪ Client side scripting
▪ SQL
+ Vulnerability types
▪ Denial of service
▪ Cross site scripting (XSS)
▪ SQL injection
▪ Directory traversal/Weak access control
▪ Weak authentication
▪ Weak session management (cookies)
▪ Buffer overflow
▪ Improperly supported HTTP methods
▪ Remote Command Execution
▪ Remote Code Injection
▪ Vulnerable Libraries
▪ HTTP Request Splitting
▪ Format Strings
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
32. 32
Contains VeriSign Confidential and Proprietary Information
COMRaider – Identify Target
+ Client side attacks
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
+ Identify ActiveX controls
▪ Choose Active DLL or OCX file directly
▪ Scan a directory for registered COM
servers
▪ Manually enter a GUID
▪ Choose from controls that should be
loadable in IE
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
33. 33
Contains VeriSign Confidential and Proprietary Information
COMRaider – Identify Inputs
+ Indentify fuzzable ActiveX controls
▪ Load and parse type library files (*.tlb) to
enumerate interfaces
or
▪ Create a live instance of the object to
query and load interface information
+ Scriptable ActiveX controls
▪ Accessible by web servers via Internet
Explorer
– Controls marked as Safe for Scripting or
implementing IObjectSafety
– Controls support IDispatch or IDispatchEx
interfaces
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
34. 34
Contains VeriSign Confidential and Proprietary Information
COMRaider – Generate Fuzzed Data
+ Examine each function and identify
variable types to determine fuzzing
scenarios
▪ Supported
– Ints
– Longs
– Doubles
– Strings
– Variants
▪ Not supported
– Singles
– Bytes
– Bools
+ Dynamically created Windows Script
Files (*.wsf)
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
35. 35
Contains VeriSign Confidential and Proprietary Information
COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used
to execute *.wsf files
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
36. 36
Contains VeriSign Confidential and Proprietary Information
COMRaider – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Debugger - crashmon.dll
– Record handled/unhandled exceptions
▪ Window logger
– Record/clear error dialogs
– Record modal windows
+ Kill
▪ 8 second timeout
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
37. 37
Contains VeriSign Confidential and Proprietary Information
COMRaider – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Distributed auditing
▪ Audit results uploaded to and
downloaded from central MySQL server
+ Exceptions logged
▪ Exception code
▪ SEH chain
▪ Call stack
▪ Register values
▪ Recent/future opcodes
▪ Argument dump
▪ Stack dump
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
39. 39
Contains VeriSign Confidential and Proprietary Information
Advanced Topics
+ Fuzzing Frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing
40. 40
Contains VeriSign Confidential and Proprietary Information
The Future of Fuzzing
+ Tools
▪ Frameworks
▪ Integrated test environments
▪ Commercial tools
+ People
▪ Wider audience
▪ Proactive fuzzing – the shift from offense to defense