Results 1 to 4 of 4

Thread: Browser crashers warm to data fuzzing

  1. #1

    Browser crashers warm to data fuzzing


    Came across this little article and thought i would share it, as i was pretty shocked once finishing reading it.
    Wether it's fact or fiction it's still an interesting read.

    Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.

    The technique - called packet, or data, fuzzing - is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers to startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers.

    In another example, it took less than an hour at the CanSecWest Conference last week for Moore and computer-science student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.

    "Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."

    Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a website visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.

    Microsoft stressed that the issues are still under investigation.

    "Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."

    The effectiveness of fuzzing at defining quality and security issues is nothing new.

    Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for internet telephony.

    Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on web browsers and desktop security software to date.

    "Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.

    The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious websites.

    Browser crashers warm to data fuzzing

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Actually, I am not that surprised, and it is nothing new.

    This approach started life as a systems QA tool long before the internet as we know it was even thought of. Yes I am going back to mainframes and dumb terminals here

    You would deliberately enter gibberish into the system you were testing to determine its stability, error handling and user guidance capabilities.

    Please remember that back then, a lot of stuff ran in batch and was effectively unattended by anyone who would know what to do if things went pear-shaped.

    Later, as things became more "thick client", insofar as mainframe systems can be you aimed at intercepting errors at the data entry point, so you wrote batch or interactive validation scripts (remember that the hardware was rapidly getting more powerfull) to intercept stuff before it got to the batch processing stage. Please remember that the objective was to get as much stuff to go through "first pass" as possible. Otherwise the batches got suspended and had to be corrected the following day.

    Part of the objective was to allow increased number of transactions and retain or reduce staffing levels.

    OK so the browser crashes OMG! shock, horror! He sounds as if he has never even seen a BSOD or had to reboot Windows.

    Normally, and as it would seem in the vast majority of these cases, when an application crashes, that is it, communication over.

    I would need to see concrete examples of where crashing a browser allowed the remote site to remain in contact with the target machine and exploit that contact, before I will regard this "revelation" as anything more than FUD.

    Anyone got a POC or a "wild"?

    Just my thoughts......................................

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    This is somewhat old news now.... HDM's tool was released a month or two ago and the reason it's making the news now is because of his talk at CanSecWest and the recent microsoft patches for many of the problems..

    You can read more about HDM's talk at Timothy Keanini's (TK) (who was quoted in the article that f2b posted) blog entry @ http://blog.ncircle.com/archives/200...stcore0_5.htm. (Although I might be a little biased in all of this )

    You can play with the tools in question at:

    They are quite interesting tools and fun to play with.. especially if you've got a junky little browser that no one ever worries about..

    HDM also has an interesting blog entry on Browser fuzzing and how there's been tools around since 2004... you can read it @ http://metasploit.********.com/2006/...nd-profit.html

    Browser fuzzing is some pretty cool stuff... actually fuzzing any application is pretty cool stuff....

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Considering that "fuzzing" has been going on for 40 years or more, I do not see how it can be "cool" it should have warmed up a bit by now?

    Incidentally, it is still as valid an applications test technique as it ever was. Very powerful and easy/cheap to employ. Even easier with today's tools

    Hey, I can remember using MS Access on a big project way back then...................real handy for database analysis.....................just an ASCII dump from the mainframe, format, load and away you go. A lot easier than the more traditional OCL, SQL, CLP et cetera.

    We have a lot better tools these days?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts