Thread: Application Fuzzing

  1. #1

    Application Fuzzing
    by Soda_Popinsky

    Links
    http://www.idefense.com/iia/labs-software.jsp

    Overview

    A good way to describe fuzzing is found on SpiDynamics website:
    "Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities. For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one of the application entry points to observe how the application handles it.
    At an abstract level, fuzzing can also be described as "organized chaos". Give a fuzzer a specific set of rules, protocol, or a standard of some sort (or none), and you can create randomized chaos to hopefully create an exception to the rule.

    A more practical description: When an application comes across a certain situation or data it didn't expect to see, but is programmed to handle anyway, you cause an exception. Whether the exception is handled appropriately or not is where vulnerability comes into question. A fuzzer will output random, unpredictable results, and hope to find a combination or situation that will cause its target to fail.

    This technique is useful in many areas involving any sort of input validation. This tutorial will describe the usage of an application by iDEFENSE which "fuzzes" data into specific file formats, and automates the process of testing the generated files with their respective applications.

    FileFuzz is available at:
    http://www.idefense.com/iia/labs-software.jsp

    Creating Files

    FileFuzz (FF) has presets for some common files. They can be found in the dropdown menu at the top of the screen. The following are the presets, file extension followed by the software that the filetype will be tested against:

    bkf - ntbkup.exe
    cbo - orun32.exe
    chm - hh.exe
    hlp - winhlp32.exe
    ht - winhlp32.exe
    jpg - iexplore.exe
    pdf - AcroRd32.exe
    rm - RealPlay.exe
    vcf - OUTLOOK.EXE
    wab - wab.exe
    wmf - shimgvw.dll

    By selecting a preset, you use a sample file provided by FF to fuzz against.

    Below, change the radio button from "All bytes" to range, 0-10 as a quick start. You can then hit the create button to start creating files. (The selection "All Bytes" can risk taking up a lot of disc space) You can then see the files created in the default folder (c:\fuzz\filetype\)

    What this did is create files that are similar to the sample (source) file, and fuzzing specific areas, such as range 0-10 bytes like we specified. You can see the effects by hex editing the files. The first ten bytes in all of the files output by FF will have different patterns.

    Custom Filetypes

    Create a file, FuzzMe.hrt, and open it in a text editor. Fill it with the following contents:
    1111,2222,3333,4444

    We're going to pretend that FuzzMe.hrt is read by another application, and the contents (1111,2222....) will be read and acted upon by the application.

    You can specify this as your source file in FF. My example, FuzzMe.hrt, seems to be comma delimited. If we want to attack a certain field in this file, we can configure FileFuzz to do that.

    We're going to attack the first field of FuzzMe.hrt. In the scope box, set the range to 0-3, and check out the output files with a hex editor. You'll see it altered only the first 4 bytes of the file (within the field we wanted to attack). If we change it to 5-8, it would attack the second field, and so on. We can also set what bytes to fill it with, to what length (Buffer Overflows), and if we want to match patterns.

    Automated Execution

    Clicking the box, "Execute" at the top will change FF to its execution interface. You can specify the software you want to run the fuzzed files under, automating the attack process. You can specify the path of the application you are attacking with your fuzzed files, as well as any necessary arguments needed to run the application.

    The start and finish file numbers tell FF what fuzzed files it's going to attack the application with. FF will create fuzzed files named 1.ext, 2.ext, 3.ext and so on, so the start / finish section will help you prevent your attack from running too long.

    By selecting execute, FF will then run through the fuzzed files and attack the specified application. By detecting exceptions that result, it makes fuzzing attacks much easier.

    Real Results

    By reading the standards behind specific file formats, you can specify what parts of an application may be vulnerable. The types of vulnerabilities that could be discovered from a process like this are similar to the following:

    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
    http://www.microsoft.com/technet/sec.../MS04-028.mspx

    Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
    http://www.microsoft.com/technet/sec.../MS05-036.mspx

    libtiff STRIPOFFSETS Integer Overflow Vulnerability
    http://www.idefense.com/application/poi/display?id=173

    Winamp remote buffer overflow vulnerability
    http://security.lss.hr/index.php?pag...LSS-2005-07-14

    Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)
    http://www.microsoft.com/technet/sec.../MS05-022.mspx

    The Antivirus Vector

    As a personal insight...

    The easiest vector into an AV is to let the AV scan a malicious file. Because file formats are getting more complex (zip, rar, encryption, interpretation) it means AV is becoming more complex to handle it (can you say... heuristics?). Where complexity arises, so does vulnerability. File fuzzing gives a direct opportunity to discover exploitable holes in AV heavily in the future.

    AV's are popular on mailservers. A simple vector against a mailserver would be to exploit the AV running on it, because it would have to process your attachment. Fuzzing will be a simple research tactic against AV's, maybe not through FileFuzz, but maybe in more advanced applications in the future.

    Clam AntiVirus FSG File Processing Overflow
    http://www.osvdb.org/displayvuln.php?osvdb_id=18259
    http://secunia.com/advisories/16180

    ClamAV Multiple Integer Overflow Vulnerabilities
    http://secunia.com/advisories/16180/
    ----

    Thanks, feedback appreciated.
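    The "Custom Filetypes" and "Automated Execution" sections above describe a loop that FileFuzz drives from its GUI: take a source file, overwrite a byte range (the "scope") with chosen fill bytes at chosen lengths, write the results out as 1.ext, 2.ext, ..., then run the target on each file and record which ones raise an exception. The script below is an added example of that same loop in Python; it is not FileFuzz's code or anything from iDEFENSE. It assumes the comma-delimited FuzzMe.hrt contents from the post as the seed, a constructed, deliberately fragile stand-in parser (a small Python script run as a subprocess) in place of a real application, and a fill set of four patterns at three lengths; the names `mutate_range`, `generate_files`, `run_target` and `fuzz` are the example's own.

```python
"""FileFuzz-style mutation fuzzer (added example, not FileFuzz itself)."""
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed seed: the four-field FuzzMe.hrt from the post.
SEED = b"1111,2222,3333,4444"

# Fill patterns to write into the scope. b"0" keeps the field numeric (a control
# case); the others are the classic "what if this field isn't what we expect".
DEFAULT_FILLS = (b"0", b"\xff", b"A", b",")

# None keeps the scope's own length; the others grow the field (the "to what
# length" knob used when hunting for overflows).
DEFAULT_LENGTHS = (None, 256, 4096)


def mutate_range(seed, start, end, fill, length=None):
    """Return seed with bytes start..end (inclusive) replaced by fill.

    With length=None the replacement is the same size as the scope (0-3 hits
    only the first field, 5-8 the second, exactly as the post describes).
    With an explicit length the replacement is that many bytes long, so the
    file grows and everything after the scope shifts right.
    """
    if not (0 <= start <= end < len(seed)):
        raise ValueError("scope %d-%d lies outside the seed" % (start, end))
    span = (end - start + 1) if length is None else length
    pattern = (fill * (span // len(fill) + 1))[:span]
    return seed[:start] + pattern + seed[end + 1:]


def generate_files(seed, start, end, out_dir, fills=DEFAULT_FILLS, lengths=DEFAULT_LENGTHS):
    """Write numbered files 1.hrt, 2.hrt, ... (FileFuzz's c:\\fuzz\\<type>\\ layout)."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, (fill, length) in enumerate(((f, l) for f in fills for l in lengths), start=1):
        path = out_dir / ("%d.hrt" % n)
        path.write_bytes(mutate_range(seed, start, end, fill, length))
        paths.append(path)
    return paths


# Constructed stand-in for the "application under test". It trusts that the
# first field is a decimal integer and does nothing to guard against anything
# else, so a bad field becomes an unhandled exception (non-zero exit).
TARGET_SCRIPT = r"""
import sys
data = open(sys.argv[1], "rb").read()
fields = data.split(b",")
value = int(fields[0])      # raises ValueError on non-numeric or empty input
print("parsed first field:", value)
"""


def run_target(path, timeout=5.0):
    """Run the target on one fuzzed file and classify the outcome.

    Returns "ok", "exception" (non-zero exit), "signal N" (killed by a signal,
    POSIX only: a real crash would show up here) or "hang" (timeout).
    """
    cmd = [sys.executable, "-c", TARGET_SCRIPT, str(path)]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0:
        return "signal %d" % -proc.returncode
    return "ok" if proc.returncode == 0 else "exception"


def fuzz(seed=SEED, start=0, end=3, out_dir=None):
    """Generate all variants for one scope, run each, return {filename: outcome}."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="fuzz_hrt_")
    return {p.name: run_target(p) for p in generate_files(seed, start, end, out_dir)}


if __name__ == "__main__":
    # Attack the first field (scope 0-3), as in the post, and report what fell over.
    for name, outcome in sorted(fuzz().items(), key=lambda kv: int(kv[0].split(".")[0])):
        print(name, outcome)
```

    The three `b"0"` variants come back "ok" because the field stays numeric even at 4096 bytes; the nine others are "exception". In a real run the interesting files are the ones that exit via a signal or hang, and the harness only tells you which numbered file did it, so keep the generated files around and reproduce each hit by hand under a debugger before calling it a bug.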

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    It definitely looks like a very interesting subject.... and a very interesting tool...

    However I'm getting lost every time I read it... I find myself with more questions.. and I've read it three times now, every time I read it.. It's like it lacks explanations of what you're doing at certain stages etc... This may be because I'm exhausted and on the verge of passing out... I'm heading off for a nap right now, but it's just not sinking into my brain...

    I'll give it another go when I get up... Maybe it'll be more clear then.... Definitely a nice topic to see written about though.


    Peace,
    HT

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Thanks Soda!

    And in walks a "Firewall Guy" look'in like he saw a ghost!

    As you know some firewall types don’t really consider the packet data. They usually just confirm the destination and source addresses when determining to allow or block packet passage. So slipping some fuzzed files past them and the AV via email or the Internet, might be elementary.

    And the “Application Layer Firewalls” like to get in there and mix it up to ensure everything is acting in accordance with the intended use of an application. If it determines that an application is not following the prescribed policies (attack detected), you might not want to cease all port activity, so you probably already configured it to stop or isolate the traffic from the offending IP Address.

    Since this type of firewall is involved in the processes and validates input, fuzzing could make a deviant application/file appear normal and not detect the attack or take any action! I confirmed my suspicions when I found "The Art of File Format Fuzzing" that was presented at Black Hat USA 2005.

    It would appear that this is becoming quite the attack method. So thanks much for the info and to quote you from one of my threads,

    "3 words...Holy freakin cow!"

    ~cheers~
    Connection refused, try again later.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nice work. Fuzzing isn't new but given the increase in application complexity, it certainly has earned a home in our standard black box testing routine.

    I like the way you laid out this topic.



    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Thanks for the comments.

    Horse-

    but given the increase in application complexity, it certainly has earned a home in our standard black box testing routine.
    What do you use for fuzzing? I decided FileFuzz isn't smart enough... I may write my own tool if I can't find a better solution.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    What do you use for fuzzing?
    OpenSTA, a sourceforge project.

    I also have a home grown PERL script.

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Just a FYI...

    The WHAX (formerly whoppix) Live CD Distro has a couple of fuzzers included in it.

    /pentest/fuzzers

    bed-v.0.5 - http://www.snake-basket.de/
    BED is a program which is designed to check daemons for potential buffer overflows, format string bugs etc.

    fuzzer-1.1 - http://hack3rs.org/~shadown/Twister/
    Fuzzer is a Net-Twister module that helps in the Vulnerability Research and Development process.

    fuzzer-mod - http://hack3rs.org/~shadown/Twister/
    Fuzzer is a Net-Twister module that helps in the Vulnerability Research and Development process (modded version).

    spike-v.2.9 - http://www.atstake.com/
    This is SPIKE, a Fuzzer Creation Kit.
    http://www.portsonline.net/whaxlist.html

    http://iwhax.net/modules/news/

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    In a previous discussion on fuzzing, several links were given. You can check them out here.

    At the time I wanted to look into it deeper and didn't have time. Thanks for renewing my interest and making it clearer with this tut. Maybe I'll learn something this time...maybe not.
