Show me your Kung Fuzz
No Con Name 2011
@virtualminds_es / irodriguez at virtualminds.es

Slide 1: Who is this guy?
- Iñaki Rodríguez, CISSP, CEH
- Security Manager at Ackstorm S.L.

Slide 2: About fuzzing
- Attempting to cause a program or network to fail by feeding it randomly (or not so randomly) generated data.
- Generate a lot of crap to crash an application.

Slide 3: Targets
- Understand the most basic concepts of fuzzing
- Complexity vs knowledge
- Not your business
- Real vulnerabilities
- Common issues

Slide 4: Why we fuzz
- We don't trust our software
- We don't trust our providers' software
- $$$ or corporate image

Slide 5: SDL (Security Development Lifecycle)

Slide 6: The lab (I)
- Virtual servers
- Lots of memory
- Fast hard disk (SSD)
- Snapshots help to revert

Slide 7: The lab (II)
- Physical servers
- Old hardware
- More is better
- You lose snapshots
- But you have Deep Freeze and filesystem snapshots

Slide 8: Software
- Unpackers (upx, aspack, *lordpe, *importRec, PeID)
- (Un)compressors (7zip)
- Sysinternals suite
- API Monitor
- Interpreted languages (perl and python)
- Debuggers (gdb, radare, Immunity Debugger, Olly, ...)
- Decompilers (IDA Free, IDA Pro $$$ and the other)

Slide 9: Some fuzzers (table columns: File, Network, ActiveX, Libraries, Drivers, Web; the X marks are reproduced as on the slide, with the column named where it is unambiguous)
- Filefuzz: X (File)
- Peach: X X X X
- Sulley: ? X
- Fuzzled: X
- Spike: X (Network)
- SpikeFile: X (File)
- w3af: X (Web)
- zuf: X
- AxMan: X (ActiveX)
- ComRaider: X (ActiveX)

Slide 10: Process (speaker notes)
In the modelling phase, once we have selected the application, the hard work begins. First, the application has to be studied, detecting its inputs and the kind of application we are facing. Second, we select the tool that best suits us. Finally, we model the inputs so that the tools produce the necessary data and tests. Optionally, samples are taken of the inputs we are going to fuzz.

To finish, we decide what to do with the findings. The most basic option is to report it to the vendor with our tests, the "test case" and the fuzzer output to reproduce the problem, and let them sort it out. We have done our bit to make a better world. But we can go further and consider how to exploit it. And from there take another step and write the signature for our intrusion detection systems. Or sell the exploit through one of the usual providers. In any case, I would recommend handling the bug in the most responsible way possible.

Slide 11: Choosing the application

Slide 12: Inventory
- CMDB
- Nmap (-sV)
- OCS Inventory
- Repositories

Slide 13: Automating inventory
- Database
- CPE normalization
- Stats (use, vulnerabilities, ...)
- Information from outside (security lists, OSVDB, NVD, ...)
- Scripting is your friend

Slide 14: Classification criteria
- Qualitative: vulnerabilities impact; complexity; widely used; personal preferences
- Quantitative: number of installations; number of known vulnerabilities; asset value; visibility (local, remote); number of threats (none, few, many)

Slide 15: Modeling

Slide 16: Fuzzing models
- Mutation (dumb fuzzing)
- Generation (smart fuzzing)

Slide 17: Mutation model

Slide 18: Generation model

Slide 19: Generation model
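The mutation (dumb) model of slides 16 and 17, as an added example rather than code from the talk: a valid seed file is randomly edited, every case is run against a target, and crashing inputs are kept as reproducers for the vendor report. The "KF" file format, the toy_parser target with its planted length bug and the mutation operators are all constructed for this example; a real run replaces toy_parser with a launcher for the application under test.

```python
import random
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary bytes (our own short list)

def mutate(seed: bytes, rng: random.Random, rounds: int = 4) -> bytes:
    """Dumb mutation: a few random edits to a valid sample, no format knowledge."""
    data = bytearray(seed)
    for _ in range(rounds):
        i = rng.randrange(len(data))
        op = rng.choice(("flip", "interesting", "dup", "drop"))
        if op == "flip":                      # flip one bit
            data[i] ^= 1 << rng.randrange(8)
        elif op == "interesting":             # overwrite with a boundary value
            data[i] = rng.choice(INTERESTING)
        elif op == "dup":                     # duplicate a chunk in place
            j = rng.randrange(i, len(data)) + 1
            data[i:i] = data[i:j]
        elif len(data) > 1:                   # "drop": remove one byte
            del data[i]
    return bytes(data)

def toy_parser(data: bytes) -> int:
    """Constructed target ('KF' magic, length byte, body); the length is trusted blindly."""
    if data[:2] != b"KF":
        raise ValueError("bad magic")         # clean rejection, not a bug
    n = data[2]
    body = data[3:3 + n]
    return body[n - 1]                        # planted defect: indexes past a short body

def crash_name(target, case: bytes):
    """Run one test case; return the exception name if it crashes, else None.
    ValueError is the target's normal 'invalid input' answer, not a crash."""
    try:
        target(case)
    except ValueError:
        pass
    except Exception as exc:                  # anything else is a finding to report
        return type(exc).__name__
    return None

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0):
    """Mutation loop with a fixed RNG seed so every run, and every crash, is reproducible."""
    rng = random.Random(rng_seed)
    crashes = []
    for it in range(iterations):
        case = mutate(seed, rng)
        name = crash_name(target, case)
        if name:
            crashes.append((it, case, name))  # saved test case = the vendor reproducer
    return crashes
```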

Slide 20: Know your enemy
- What kind of application is it? Network services; web applications; libraries; ActiveX
- What kind of inputs? Command line; files; network; forms; environment variables; URL

Slide 21: Files (I)
- If we are lucky, previously documented: www.wotsit.org, www.fileformat.info, 010 Editor / Hexedit / others
- If not documented: through a repository of valid files (Google ext:svg, Bing type:svg); reverse engineering

Slide 22: Files (II)
- Some interesting APIs: CreateFile / CloseHandle / open / close; lseek; WriteFile / ReadFile / write / read

Slide 23: Files (III)
(debugger output shown on the slide)
eax=00000000
cmp word ptr [eax+edx*2],0ffffh

Slide 24: Network services (I)
- Open protocols (RFC)
- Sniffing traffic between client and server
- What about clients?
- From pcap to model

Slide 25: Network services (II)
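The generation (smart) model together with the "from pcap to model" step of slide 24, as an added example that is not the talk's code: captured request lines of a text protocol are turned into static and fuzzable blocks (the block style of models that Sulley uses), and test cases are generated by replacing exactly one field at a time, so a crash points at one field and one value. CAPTURE is a constructed three-command session and string_library a deliberately short replacement list; the block only generates the sessions, and sending them is left to the test harness.

```python
from typing import Iterator, List, Tuple, Union

class Static:
    """Protocol bytes kept verbatim (verb, separator, CRLF)."""
    def __init__(self, value: bytes) -> None:
        self.value = value

class Fuzzable:
    """A field the generator may replace; default is the value seen in the capture."""
    def __init__(self, name: str, default: bytes) -> None:
        self.name, self.default = name, default

Block = Union[Static, Fuzzable]

# Constructed capture of one client session (what a sniffed pcap would give us).
CAPTURE = [b"USER anonymous\r\n", b"PASS guest@\r\n", b"CWD pub\r\n"]

def string_library(default: bytes) -> List[bytes]:
    """Replacement values for a string field (constructed; real frameworks ship far more)."""
    return [default, b"", b"A" * 64, b"A" * 1024, b"A" * 8192, b"\x00" * 16, b"\xff" * 256]

def model_from_capture(lines: List[bytes]) -> List[List[Block]]:
    """pcap -> model: each request becomes [verb (static), argument (fuzzable), CRLF]."""
    model = []
    for line in lines:
        verb, sep, arg = line.rstrip(b"\r\n").partition(b" ")
        model.append([Static(verb + sep), Fuzzable(verb.decode("ascii"), arg), Static(b"\r\n")])
    return model

def render(request: List[Block], replace: Tuple[int, bytes] = (-1, b"")) -> bytes:
    """Serialise one request, substituting the block at index replace[0] if given."""
    out = []
    for i, block in enumerate(request):
        if i == replace[0]:
            out.append(replace[1])
        else:
            out.append(block.value if isinstance(block, Static) else block.default)
    return b"".join(out)

def generate_cases(model: List[List[Block]]) -> Iterator[Tuple[str, int, List[bytes]]]:
    """Yield (field name, value length, full session) with exactly one field replaced."""
    for ri, request in enumerate(model):
        for bi, block in enumerate(request):
            if not isinstance(block, Fuzzable):
                continue
            for value in string_library(block.default)[1:]:   # index 0 is the unchanged default
                session = [render(r) for r in model]
                session[ri] = render(request, (bi, value))
                yield block.name, len(value), session
```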

Slide 26: DEMO I - Network services
- ActFax FTP Server
- Video: http://www.youtube.com/watch?v=yOKVIgZso4M
- Python; Sulley; Paimei

Slide 27: Libraries (I)
- Probably well documented
- Hidden API
- Exported symbols
- Argument guessing

Slide 28: Libraries (II)

Slide 29: DEMO II - Library
- AspEmail
- Video: http://www.youtube.com/watch?v=7DxXiChy_Oc
- Perl; VBScript; do it yourself; WinDbg

Slide 30: ActiveX (I)
- Probably well documented
- Internet Explorer only
- ActiveX interfaces
- AxMan / ComRaider

Slide 31: ActiveX (II)

Slide 32: Web applications (I)
- Lots of documentation
- Not only the URL (headers, cookies, methods, ...)
- Ajax / JavaScript / app testing
- OWASP

Slide 33: Web applications (II)

Slide 34: Common problems
- Encryption
- Checksum
- Unknown format/protocol/whatever
- Relations
- Conditions
- Code coverage

Slide 35: Testing

Slide 36: Fuzzing stages

Slide 37: And now what?
- Responsible disclosure
- Sell it
- Exploit
- Patch (binary or source)
- Full disclosure
- IDS signature

Slide 38: Improvements
- Parallel processing
- Modified application
- In-memory fuzzing (reversing skills needed)
- Code coverage

Slide 39: In-memory fuzzing
- Target routine: sub_0xC0FF33 { ... input interaction ... end sub }
- Loop: breakpoint -> take snapshot -> change input -> exception? -> restore snapshot -> jump to snapshot

Slide 40: Questions?

Thanks (Ackstorm team): Fer, Juan Carlos, Joan Carles, me, Joan Pau, Xavi, Jordi, Gonzalo, Toni, Victor