msutton-fuzzing.ppt

Contains VeriSign Confidential and Proprietary Information
Fuzzing
Brute Force Vulnerability Discovery
Michael Sutton
Director, iDefense Labs
msutton@idefense.com

2
Agenda
+ Background
▪ What is fuzzing and who should do it?
+ Phases
▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
▪ What can be fuzzed?
+ Automation
▪ Making the theoretical practical
+ Tools/Demos
▪ FileFuzz
▪ WebFuzz
▪ COMRaider
+ Advanced topics
+ The future or fuzzing

3
Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box
testing. A software testing technique whereby explicit knowledge of
the internal workings of the item being tested are used to select the
test data.”
▪ Webopedia
+ Source code review
▪ Static analysis
▪ Pros
– Coverage
▪ Cons
– Dependencies
– Are we testing reality?
• Compiler issues
• Implementation scenarios

4
Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the
internal workings of the item being tested are not known by the tester.”
▪ Webopedia
+ Reverse engineering
▪ Static analysis
▪ Pros
– Complex vulnerabilities uncovered
▪ Cons
– Time consuming
– Deep knowledge required
+ Fuzzing
▪ Dynamic analysis
▪ Pros
– Relatively simple
– Realistic
▪ Cons
– Coverage
– Complex vulnerabilities missed

5
What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to
attach the inputs of a program to a source of random data ("fuzz"). If the
program fails (for example, by crashing, or by failing built-in code
assertions), then there are defects to correct.
The great advantage of fuzz testing is that the test design is extremely
simple, and free of preconceptions about system behavior.”
▪ Wikipedia
+ “Unexpected input causes unexpected results.”
▪ Michael Sutton

6
Who should fuzz?
+ Security researchers
▪ Reactive
+ QA Teams
▪ Proactive
+ Developers
▪ Proactive
Design
Development
Quality Assurance
Production Researchers
QA Teams
Developers

7
What can fuzzing do for you?
+ MS06-01 - Graphics Rendering Engine Vulnerability
▪ aka “Windows WMF Vulnerability”
▪ Appears to have been discovered through fuzzing
▪ Evidence
– Google search on strings in initial exploit identified probable source file
• JNK = c, Jun N, terminal, kitase
• kitase  kinase
– At the time, Google didn’t recognize WMF file types and therefore treated them as text
allowing a search for strings within the binary
– Diffing original file and exploit revealed evidence that fuzzing was used to discover the
vulnerability
AIF = apoptosis-inducing factor
ANF = atrial natriuretic factor
apaf = apoptotic protease-activating factor
ARC = apoptosis repressor with caspase
recruitment domain
BH = bcl-2 homology
CASH = caspase homologue
CD = cluster of differentiation
DED = death effector domain
DR = death receptor
ERK = extracellular signal-regulated kinase
FADD = Fas-associated death domain protein
FasL = Fas ligand
FLAME-1 = FADD-like antiapoptotic
molecule
FLICE = FADD-homologous ICE/Ced-3-like
protease
FLIP = FLICE-inhibitory proteins
I kappa B = inhibitor of NF kappa B
I-FLICE = inhibitor of FLICE
IAP = inhibitor of apoptosis protein
ICE = interleukin-1 beta-converting enzyme
IGF = insulin-like growth factor
JNK = c-Jun N-terminal kinase
MAPK = mitogen-activated protein kinase
MEK = MAPK/ERK kinase
MEKK = MEK kinase
NF kappa B = nuclear factor kappa B
NGF = nerve growth factor
PI-3 kinase = phosphatidylinositol-3 kinase
PKB, PKC = protein kinase B and C
RAIDD = RIP-associated ICH-1/Ced-3-
homologous death domain protein
RIP = receptor-interaction protein
SAPK = stress-activated protein kinase
SEK = SAPK/ERK kinase
TdT = terminal deoxynucleotidyltransferase
TNF = tumor necrosis factor
TNFR = TNF receptor
TRADD = TNFR-associated death domain
protein
TRAF = TNFR-associated factor
TRAIL = TNF-related apoptosis-inducing
ligand
TUNEL = TdT-mediated dUTP nick end-
labeling
zVAD.fmk = benzyloxycarbonyl-valine-alanine-
aspartate fluoromethylketone

8
Phases
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability

9
Fuzzer Classes
+ Command line arguments
+ Environment variables
▪ Sharefuzz (www.immunitysec.com)
+ Web applications
▪ WebFuzz (Demo)
+ File formats
▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)

10
Automation
+ Test cases
▪ Approach
– Pre-generated test cases
▪ Tools
– PROTOS Test Suites
▪ Pro
– Consistency
▪ Con
– Static
– Time consuming

11
Automation
+ Brute force fuzzing
▪ Approach
– Raw byte manipulation
▪ Tool(s)
– FileFuzz
▪ Pro
– Simple
▪ Con
– Inefficient
– Fails to account for dependent values (e.g. checksums)

12
Automation
+ ‘Intelligent’ fuzzing
▪ Approach
– Templates developed based on protocol definitions
▪ Tools
– SPIKE
– SPIKEfile
▪ Pro
– Efficient
▪ Con
– Time consuming

13
FileFuzz

14
FileFuzz – Identify Target
+ Application vs. file type
▪ One file type  multiple targets
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Default file handlers
– Windows Explorer
– Windows Registry
▪ Commonly traded file types
– Media files
– Office documents
– Configuration files
Identify target
Identify inputs
Execute fuzzed data

15
FileFuzz – Identify Inputs
+ Proprietary vs. open formats
▪ Vendor documents
▪ Wotsit.org
▪ Google
+ Binary files
▪ e.g. images, video, audio, office
documents, etc.
▪ Headers vs. data
+ Text files
▪ e.g. *.ini, *.inf, *.xml
▪ Name/value pairs
Identify target
Identify inputs
Execute fuzzed data

16
FileFuzz – Generate Fuzzed Data
+ Binary files
▪ Breadth (All or Range)
– Identify potential weaknesses
FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
▪ Depth
– Determine level of control/influence
D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
+ Text Files
▪ name = value
file_size = 10
file_size = AAAAA
file_size = AAAAAAAAAA
Identify target
Identify inputs
Execute fuzzed data

17
FileFuzz – Execute Fuzzed Data
+ Command line arguments
▪ Windows explorer
– Tools…Folder Options…File Types
Identify target
Identify inputs
Execute fuzzed data

18
FileFuzz – Monitor for Exceptions
+ Visual
▪ Error messages
▪ Blue screen
+ Event logs
▪ System logs
▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
Identify target
Identify inputs
Execute fuzzed data

19
FileFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Library - libdasm
▪ Capture
– Memory location
– Registry values
– Exception type
+ Kill
▪ Set timeout
Identify target
Identify inputs
Execute fuzzed data
[*] "crash.exe" "C:Program FilesWordPerfect Office
12ProgramsUA120.exe" 2000 /qt c:fuzzast8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8

20
FileFuzz – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Vulnerability types
▪ Stack overflows
▪ Heap overflows
▪ Integer handling
– Overflows
– Signedness
▪ DoS
– Out of bounds reads
– Infinite loops
– NULL pointer dereferences
▪ Logic errors
– Windows WMF vulnerability (MS06-001)
▪ Format strings
▪ Race conditions
Identify target
Identify inputs
Execute fuzzed data

21
FileFuzz – Demo (Breadth)

22
FileFuzz – Demo (Depth)

23
WebFuzz

24
WebFuzz – Identify Target
+ Server vs. Application
▪ Targeting applications can uncover server
vulnerabilities
+ Vendor history
+ High risk targets
▪ Popular applications
– Download site counters
– Google queries (johnny.ihackstuff.com)
▪ External applications
– Wikis
– Web mail
– Discussion boards
– Blogs
Identify target
Identify inputs
Execute fuzzed data

25
WebFuzz – Identify Inputs
+ Potential input vectors
▪ Method
▪ Request-URI
▪ Protocol
▪ Headers
▪ Cookies
▪ Post data
+ Reconnaissance
▪ Web forms
▪ Authentication
▪ Hidden fields
▪ Client side scripting
+ Manual Tools
▪ Proxies
▪ LiveHTTPHeaders
+ Automated Tools
▪ Spiders
Identify target
Identify inputs
Execute fuzzed data

26
WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
▪ Start with legitimate web request
▪ Build template to mutate requests
+ Request format
+ Fuzz Template
Identify target
Identify inputs
Execute fuzzed data
[Method] [Request-URI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; InfoPath.1)
Host: [Overflow]
Proxy-Connection: Keep-Alive

27
WebFuzz – Execute Fuzzed Data
+ Fuzz classes
▪ Directory traversal
▪ Format strings
▪ Overflow
▪ SQL Injection
▪ XSS Injection
Identify target
Identify inputs
Execute fuzzed data

28
WebFuzz – Monitor for Exceptions
+ Execute
+ Monitor
▪ HTML response
– Error messages
▪ Raw response
– User input
▪ Status codes
+ Kill
▪ Set timeout
Identify target
Identify inputs
Execute fuzzed data

29
WebFuzz – Determine Exploitability
+ Skills
▪ HTTP
▪ HTML
▪ Client side scripting
▪ SQL
+ Vulnerability types
▪ Denial of service
▪ Cross site scripting (XSS)
▪ SQL injection
▪ Directory traversal/Weak access control
▪ Weak authentication
▪ Weak session management (cookies)
▪ Buffer overflow
▪ Improperly supported HTTP methods
▪ Remote Command Execution
▪ Remote Code Injection
▪ Vulnerable Libraries
▪ HTTP Request Splitting
▪ Format Strings
Identify target
Identify inputs
Execute fuzzed data

30
WebFuzz - Demo

31
COMRaider

32
COMRaider – Identify Target
+ Client side attacks
+ Vendor history
+ High risk targets
▪ Popular applications
+ Identify ActiveX controls
▪ Choose Active DLL or OCX file directly
▪ Scan a directory for registered COM
servers
▪ Manually enter a GUID
▪ Choose from controls that should be
loadable in IE
Identify target
Identify inputs
Execute fuzzed data

33
COMRaider – Identify Inputs
+ Indentify fuzzable ActiveX controls
▪ Load and parse type library files (*.tlb) to
enumerate interfaces
or
▪ Create a live instance of the object to
query and load interface information
+ Scriptable ActiveX controls
▪ Accessible by web servers via Internet
Explorer
– Controls marked as Safe for Scripting or
implementing IObjectSafety
– Controls support IDispatch or IDispatchEx
interfaces
Identify target
Identify inputs
Execute fuzzed data

34
COMRaider – Generate Fuzzed Data
+ Examine each function and identify
variable types to determine fuzzing
scenarios
▪ Supported
– Ints
– Longs
– Doubles
– Strings
– Variants
▪ Not supported
– Singles
– Bytes
– Bools
+ Dynamically created Windows Script
Files (*.wsf)
Identify target
Identify inputs
Execute fuzzed data

35
COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used
to execute *.wsf files
Identify target
Identify inputs
Execute fuzzed data

36
COMRaider – Monitor for Exceptions
+ Execute
+ Monitor
▪ Debugger - crashmon.dll
– Record handled/unhandled exceptions
▪ Window logger
– Record/clear error dialogs
– Record modal windows
+ Kill
▪ 8 second timeout
Identify target
Identify inputs
Execute fuzzed data

37
COMRaider – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Distributed auditing
▪ Audit results uploaded to and
downloaded from central MySQL server
+ Exceptions logged
▪ Exception code
▪ SEH chain
▪ Call stack
▪ Register values
▪ Recent/future opcodes
▪ Argument dump
▪ Stack dump
Identify target
Identify inputs
Execute fuzzed data

38
COMRaider - Demo

39
Advanced Topics
+ Fuzzing Frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing

40
The Future of Fuzzing
+ Tools
▪ Frameworks
▪ Integrated test environments
▪ Commercial tools
+ People
▪ Wider audience
▪ Proactive fuzzing – the shift from offense to defense

41
Questions

msutton-fuzzing.ppt

More Related Content

Similar to msutton-fuzzing.ppt (20)

Recently uploaded (20)

msutton-fuzzing.ppt