TRANSCRIPT
Fuzzing Your Favorite Interpreter
Emmanuel Law
AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL
Background
• Principal Security Consultant @ Aura InfoSec
• Pentesting for a living
• @libnex
• Found some PHP bugs…
Bugs / bug bounty
Fuzzing Interpreters
Build From Scratch | Off-The-Shelf
Writing a Custom Fuzzer from Scratch
Pros
• Custom strategies
• Find unique bugs
Cons
• Time + effort
• Portability to other languages
Off The Shelf
Pros
• Speed
• Power of the open source community
Cons
• Less customization
• Competition.... lots of them
Fuzzing Interpreters
Build From Scratch VS Off-The-Shelf
Attack Plan → Fuzzing → Triage → RCA
Battle Plan
What are we fuzzing?
• Attack surface area:
• Parser
• Runtime
• Unserialize
• File parsers
• Zend Engine
Battle Plan: Attacking File Parsers
• Examples: Zip, Images, Phar, PYZ
• Take the road less travelled
• Patch out checksum verification
ZIP Processor → Validate Checksum → Process ZIP
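Patching the checksum check out of the target is one option; the equivalent from the fuzzer side is to recompute each member's CRC-32 before the mutated sample is fed in, so it gets past "Validate Checksum" and into "Process ZIP". The script below is an added illustration of that for ZIP, not code from the talk or from Aura; it assumes small corpus files without data descriptors or ZIP64, and uses Python's zipfile as a stand-in for the target's checksum gate.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def fix_zip_crcs(data: bytes) -> tuple:
    """Recompute each member's CRC-32 and rewrite it in the local header and the
    central directory, so a mutated sample passes 'Validate Checksum' and reaches
    'Process ZIP'. Assumes no data descriptors / ZIP64. Returns (bytes, n_fixed)."""
    buf, crcs, off = bytearray(data), {}, 0
    while (off := buf.find(LOCAL_SIG, off)) >= 0 and off + 30 <= len(buf):
        # local header fields after the signature:
        # ver, flags, method, time, date, crc, csize, usize, namelen, extralen
        f = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)
        method, csize, nlen, xlen = f[2], f[6], f[8], f[9]
        start = off + 30 + nlen + xlen
        name, payload = bytes(buf[off + 30:off + 30 + nlen]), bytes(buf[start:start + csize])
        try:   # CRC is over the *uncompressed* data; method 8 is raw deflate
            raw = zlib.decompress(payload, -15) if method == 8 else payload
            crcs[name] = zlib.crc32(raw) & 0xFFFFFFFF
            struct.pack_into("<I", buf, off + 14, crcs[name])   # local header CRC
        except zlib.error:
            pass   # mutation broke the deflate stream: leave it for the parser to see
        off = max(start + csize, off + 4)
    off = 0
    while (off := buf.find(CENTRAL_SIG, off)) >= 0 and off + 46 <= len(buf):
        nlen = struct.unpack_from("<H", buf, off + 28)[0]
        name = bytes(buf[off + 46:off + 46 + nlen])
        if name in crcs:
            struct.pack_into("<I", buf, off + 16, crcs[name])   # central dir CRC
        off += 46 + nlen
    return bytes(buf), len(crcs)

def make_sample() -> bytes:
    """Constructed corpus file: one stored and one deflated member."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("a.txt", b"12345678ABCD", compress_type=zipfile.ZIP_STORED)
        zf.writestr("b.txt", b"hello " * 20, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()

def is_rejected(data: bytes) -> bool:
    """Stand-in for the target's checksum gate: True if any member has a bad CRC."""
    return zipfile.ZipFile(io.BytesIO(data)).testzip() is not None
```

A mutator that flips one byte of a.txt produces a file is_rejected() throws away; after fix_zip_crcs() the same mutated bytes survive the gate and reach the parser code you actually want to exercise.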
Battle Plan: Fuzzing Corpus
Mutator fuzzer: 12345678 → 31625551
Battle Plan: Fuzzing Corpus
• More unique => better chance of finding a crash
• Exercises as many code paths as possible
• Harness regression test cases:
• Test edge cases
• Don't forget test cases from sister projects
Fuzzing
Choosing a Fuzzer
Choosing a Fuzzer
• 101 fuzzers out there
• Things to consider:
• Speed
• Popularity
• Ease of use
• Constraints: source code?
• Buzzwords: evolutionary fuzzing, in-memory fuzzing
Fuzzing: American Fuzzy Lop (AFL)
• Gold standard
• EVERYONE is using this :(
• Feedback driven
Feedback Driven / Evolutionary / Genetic Fuzzing
(mutants that reach new code paths are kept and mutated further)
12345678ABCD
├─ 1X345678ABCD
│  ├─ 1X345678AZCD
│  ├─ 1X345670ABCD
│  ├─ 1X3456780BCD
│  └─ 1X345678AB#D
└─ 12345618ABCD
Radamsa
• General purpose fuzzer
• Language/data agnostic
• Semi-smart
• Extremely easy to use
Other Fuzzers
• honggfuzz
• Choronzon
• zzuf
• So many many more..
Different fuzzers will find different bugs
Fuzzing: Getting better Mileage
• AddressSanitizer (aka ASAN):
• Compile into your interpreter
• Memory error detector
• Minimal overhead
So you have found some crashes…..
Triage
• Purpose
• Grouping of similar crashes
• Prioritize your crashes
Triage
• Comes free with AddressSanitizer:
• Stack trace
• Visual mem-map
Triage: Exploitability
• !exploitable
Triage: Test case minimization
• Fuzzdiff, afl-tmin etc
• Find the minimal changes that cause the crash
Original file:  12345678ABCD
Mutated file:   1X3XXX78AXCX
Minimization ↓
Minimized file: 12345X78ABCX
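The diagram above as a worked example (added here, not code from the talk): delta debugging over the set of mutated byte offsets finds the fewest mutations that still reproduce the crash. A constructed toy oracle, which "crashes" only when bytes 5 and 11 are both X, stands in for re-running the interpreter on each candidate.

```python
def ddmin(diffs: list, crashes) -> list:
    """Zeller's delta debugging (ddmin): shrink `diffs` to a 1-minimal subset
    for which crashes(subset) is still True."""
    n = 2
    while len(diffs) >= 2:
        size = -(-len(diffs) // n)                      # ceil(len / n)
        chunks = [diffs[i:i + size] for i in range(0, len(diffs), size)]
        # try each chunk alone, then each complement; keep whichever still crashes
        reduced = next((c for c in chunks if crashes(c)), None)
        if reduced is not None:
            diffs, n = reduced, 2
            continue
        for c in chunks:
            rest = [d for d in diffs if d not in c]
            if rest and crashes(rest):
                diffs, n = rest, max(n - 1, 2)
                break
        else:
            if n >= len(diffs):                         # single-element granularity reached
                break
            n = min(2 * n, len(diffs))                  # refine the partition
    return diffs

def minimize(original: bytes, mutated: bytes, crashes) -> tuple:
    """Return (minimized_file, kept_offsets, oracle_calls): the fewest mutated
    bytes from `mutated` that, applied to `original`, still crash the target."""
    assert len(original) == len(mutated), "byte-for-byte mutations only"
    diffs = [i for i in range(len(original)) if original[i] != mutated[i]]
    calls = 0

    def apply(subset):
        buf = bytearray(original)
        for i in subset:
            buf[i] = mutated[i]
        return bytes(buf)

    def oracle(subset):
        nonlocal calls
        calls += 1
        return crashes(apply(subset))

    if not oracle(diffs):
        raise ValueError("the mutated file does not reproduce the crash")
    kept = ddmin(diffs, oracle)
    return apply(kept), kept, calls

def toy_target_crashes(data: bytes) -> bool:
    """Constructed stand-in for running the interpreter on `data`: it 'crashes'
    only when both byte 5 and byte 11 have been mutated to 'X'."""
    return data[5:6] == b"X" and data[11:12] == b"X"
```

For the slide's 6 mutated offsets the oracle runs far fewer times than the 64 subsets a brute-force search would need, which is what makes this usable on real crash files with hundreds of differing bytes.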
Root Cause Analysis
Root Cause Analysis
• Trying to find the answers:
• What is causing the crash
• Is it exploitable
• Very tedious and time consuming
• Remember you are competing on speed..
Root Cause Analysis
• I spend a lot of time in GDB
• PEDA* is your friend
*Python Exploit Development Assistance
PEDA context view: Registers / ASM / Stack
Root Cause Analysis
• Really? GDB?? pffft.. *scorn*
Voltron
Reverse Debugging
Theartof
Root Cause Analysis: Reverse Debugging
• Debugging tends to be very linear
Root Cause Analysis: Reverse Debugging
• The record command in GDB
• Provides:
• reverse-step
• reverse-next
• reverse-continue
• Revert to a deterministic memory state
Let's Make Fuzzing Great Again
@libnex