Fuzzing your browser
Attacks on browsers are becoming more common by the day (the recent IMG tag bug in
Internet Explorer is one example), so let's discuss a tool for finding bugs in browsers.
The program we are going to look at is mangleme, by the well-known security researcher Michal Zalewski.
Things you will need
1. A web server, Apache recommended.
2. A compiler to build the program, gcc or MinGW recommended.
3. The program itself, mangleme.
What's mangleme?
It is a CGI program used to automatically check for HTML parsing flaws. On each
request it generates a basic set of badly mangled tags, with an auto-refresh back to
the script, so that you can point a browser at it once and let it run until
the browser crashes.
At this point I assume you have Apache working. To build mangleme, run these commands:
gcc -Wall -O3 -fomit-frame-pointer -funroll-loops -o mangle.cgi mangle.cgi.c
gcc -Wall -O3 -fomit-frame-pointer -funroll-loops -o remangle.cgi remangle.cgi.c
You now have two CGI programs, mangle.cgi and remangle.cgi. Copy them to the
Apache cgi-bin directory.
Start Apache and point your browser to http://localhost/cgi-bin/mangle.cgi
and watch the browser being fuzzed. If it crashes, you have found a bug.
remangle is used to reproduce the request that crashed the browser. Look for
the last "Mangle attempt" entry in the Apache error log (the one written just
before the crash), extract the hexadecimal value, and then request
remangle.cgi?hex_value from the browser again. For
example, if the following request crashed your browser:
[Wed Jan 18 09:01:37 2006] [error] [client 127.0.0.1] [1137555097] Mangle attempt 0x472db699 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6) -- 127.0.0.1\n
the hex value would be 0x472db699. Then do:
wget http://127.0.0.1/cgi-bin/remangle.cgi?0x472db699
To save the faulting page to disk, use wget or any other browser or utility
that does not crash on it; wget is a good choice precisely because it does not
parse the HTML it downloads.
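Pulling the id of the last mangle attempt out of the error log by hand gets old after a few crashes. The following POSIX shell snippet is an added example (not part of mangleme or of this post) that extracts the most recent "Mangle attempt 0x..." id from an Apache error log and builds the remangle.cgi reproduction URL from it. The log path, the base URL and the two sample log lines are constructed assumptions; adjust them to your install.

```sh
#!/bin/sh
# Added example, not code from mangleme: find the last mangle attempt in an
# Apache error log and turn it into a remangle.cgi URL for reproduction.

# last_mangle_id LOGFILE
#   Prints the hex id from the most recent "Mangle attempt 0x..." line.
#   Prints nothing and returns non-zero if the log holds no such line.
last_mangle_id() {
    grep -o 'Mangle attempt 0x[0-9a-fA-F]*' "$1" | tail -n 1 | awk '{ print $3 }' | grep .
}

# remangle_url HEXID [BASEURL]
#   Builds the reproduction URL. The base URL defaults to the one used in
#   the post; pass a second argument if your server lives elsewhere.
remangle_url() {
    printf '%s/cgi-bin/remangle.cgi?%s\n' "${2:-http://127.0.0.1}" "$1"
}

# Constructed sample log with two attempts; the second one is the crasher.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Jan 18 09:01:12 2006] [error] [client 127.0.0.1] [1137555072] Mangle attempt 0x1a2b3c4d (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6) -- 127.0.0.1
[Wed Jan 18 09:01:37 2006] [error] [client 127.0.0.1] [1137555097] Mangle attempt 0x472db699 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6) -- 127.0.0.1
EOF

if id=$(last_mangle_id "$SAMPLE_LOG"); then
    url=$(remangle_url "$id")
    echo "Last mangle attempt: $id"
    echo "Reproduce with: wget -O crash-$id.html '$url'"
    # Uncomment to fetch and save the faulting page for real:
    # wget -O "crash-$id.html" "$url"
else
    echo "No mangle attempts found in $SAMPLE_LOG"
fi
```

Point `last_mangle_id` at your real error log (for example `/var/log/apache/error_log`) instead of the constructed sample, and save the page with wget rather than the browser under test so that the reproduction does not crash the tool that is fetching it.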
My browser did not crash!
Mangleme is also extensible: you can add new tags by editing the tags.h
header file, which looks like this:
#define MAXTAGS 80
#define MAXPARS 20
static char* tags[MAXTAGS][MAXPARS] = {
{ "A", "NAME", "HREF", "REF", "REV", "TITLE", "TARGET", "SHAPE", "onLoad", "STYLE", 0 },
.......
.......
{ 0 }
};
For example, if I wanted to fuzz the <P> (paragraph) tag, I would add the entry
{"P","STYLE","ALIGN",0},
before the terminating { 0 } row (increasing MAXTAGS by 1 if the table already holds
MAXTAGS entries) and rebuild mangleme.
I have a full package built for convenience: it is Apache 1.3.31, which will listen on localhost
*only* on port 80; the mangleme source and binaries are also included.
-
I was intrigued since I used to run Apache when I had cable, but I got lost in the technical stuff :(