1 / 41

Fuzzing Brute Force Vulnerability Discovery

Fuzzing Brute Force Vulnerability Discovery. Michael Sutton Director, iDefense Labs msutton@idefense.com. Agenda. Background What is fuzzing and who should do it? Phases What are the various stages when fuzzing a target? Fuzzer classes What can be fuzzed? Automation

gagan
Download Presentation

Fuzzing Brute Force Vulnerability Discovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FuzzingBrute Force Vulnerability Discovery Michael Sutton Director, iDefense Labs msutton@idefense.com Contains VeriSign Confidential and Proprietary Information

  2. Agenda • Background • What is fuzzing and who should do it? • Phases • What are the various stages when fuzzing a target? • Fuzzer classes • What can be fuzzed? • Automation • Making the theoretical practical • Tools/Demos • FileFuzz • WebFuzz • COMRaider • Advanced topics • The future or fuzzing Contains VeriSign Confidential and Proprietary Information

  3. Vulnerability Discovery Methodologies – White Box • “Also known as glass box, structural, clear box and open box testing. A software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data.” • Webopedia • Source code review • Static analysis • Pros • Coverage • Cons • Dependencies • Are we testing reality? • Compiler issues • Implementation scenarios Contains VeriSign Confidential and Proprietary Information

  4. Vulnerability Discovery Methodologies – Black Box • “Also known as functional testing. A software testing technique whereby the internal workings of the item being tested are not known by the tester.” • Webopedia • Reverse engineering • Static analysis • Pros • Complex vulnerabilities uncovered • Cons • Time consuming • Deep knowledge required • Fuzzing • Dynamic analysis • Pros • Relatively simple • Realistic • Cons • Coverage • Complex vulnerabilities missed Contains VeriSign Confidential and Proprietary Information

  5. What is Fuzzing? • “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.” • Wikipedia • “Unexpected input causes unexpected results.” • Michael Sutton Contains VeriSign Confidential and Proprietary Information

  6. Researchers QA Teams Developers Production Quality Assurance Design Development Who should fuzz? • Security researchers • Reactive • QA Teams • Proactive • Developers • Proactive Contains VeriSign Confidential and Proprietary Information

  7. What can fuzzing do for you? • MS06-01 - Graphics Rendering Engine Vulnerability • aka “Windows WMF Vulnerability” • Appears to have been discovered through fuzzing • Evidence • Google search on strings in initial exploit identified probable source file • JNK = c, Jun N, terminal, kitase • kitase  kinase • At the time, Google didn’t recognize WMF file types and therefore treated them as text allowing a search for strings within the binary • Diffing original file and exploit revealed evidence that fuzzing was used to discover the vulnerability Contains VeriSign Confidential and Proprietary Information

  8. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability Phases Contains VeriSign Confidential and Proprietary Information

  9. Fuzzer Classes • Command line arguments • Environment variables • Sharefuzz (www.immunitysec.com) • Web applications • WebFuzz (Demo) • File formats • FileFuzz (Demo – labs.idefense.com) • Network protocols • SPIKE (www.immunitysec.com) • Memory • COM Objects • COMRaider (Demo – labs.idefense.com) • Inter-Process Communication (IPC) Contains VeriSign Confidential and Proprietary Information

  10. Automation • Test cases • Approach • Pre-generated test cases • Tools • PROTOS Test Suites • Pro • Consistency • Con • Static • Time consuming Contains VeriSign Confidential and Proprietary Information

  11. Automation • Brute force fuzzing • Approach • Raw byte manipulation • Tool(s) • FileFuzz • Pro • Simple • Con • Inefficient • Fails to account for dependent values (e.g. checksums) Contains VeriSign Confidential and Proprietary Information

  12. Automation • ‘Intelligent’ fuzzing • Approach • Templates developed based on protocol definitions • Tools • SPIKE • SPIKEfile • Pro • Efficient • Con • Time consuming Contains VeriSign Confidential and Proprietary Information

  13. FileFuzz Contains VeriSign Confidential and Proprietary Information

  14. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Identify Target • Application vs. file type • One file type  multiple targets • Vendor history • Past vulnerabilities • High risk targets • Default file handlers • Windows Explorer • Windows Registry • Commonly traded file types • Media files • Office documents • Configuration files Contains VeriSign Confidential and Proprietary Information

  15. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Identify Inputs • Proprietary vs. open formats • Vendor documents • Wotsit.org • Google • Binary files • e.g. images, video, audio, office documents, etc. • Headers vs. data • Text files • e.g. *.ini, *.inf, *.xml • Name/value pairs Contains VeriSign Confidential and Proprietary Information

  16. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Generate Fuzzed Data • Binary files • Breadth (All or Range) • Identify potential weaknesses FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è. D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è. D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è. • Depth • Determine level of control/influence D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è. D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è. D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è. • Text Files • name = value file_size = 10 file_size = AAAAA file_size = AAAAAAAAAA Contains VeriSign Confidential and Proprietary Information

  17. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Execute Fuzzed Data • Command line arguments • Windows explorer • Tools…Folder Options…File Types Contains VeriSign Confidential and Proprietary Information

  18. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Monitor for Exceptions • Visual • Error messages • Blue screen • Event logs • System logs • Application logs • Debuggers • Return codes • Debugging API Contains VeriSign Confidential and Proprietary Information

  19. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Monitor for Exceptions • Execute • Automated and repeated • Monitor • Library - libdasm • Capture • Memory location • Registry values • Exception type • Kill • Set timeout • [*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast • [*] Access Violation • [*] Exception caught at 00403f06 mov eax,[eax+edi*4] • [*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac • [*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8 Contains VeriSign Confidential and Proprietary Information

  20. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability FileFuzz – Determine Exploitability • Skills • Disassembly • Debugging • Vulnerability types • Stack overflows • Heap overflows • Integer handling • Overflows • Signedness • DoS • Out of bounds reads • Infinite loops • NULL pointer dereferences • Logic errors • Windows WMF vulnerability (MS06-001) • Format strings • Race conditions Contains VeriSign Confidential and Proprietary Information

  21. FileFuzz – Demo (Breadth) Contains VeriSign Confidential and Proprietary Information

  22. FileFuzz – Demo (Depth) Contains VeriSign Confidential and Proprietary Information

  23. WebFuzz Contains VeriSign Confidential and Proprietary Information

  24. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Identify Target • Server vs. Application • Targeting applications can uncover server vulnerabilities • Vendor history • Past vulnerabilities • High risk targets • Popular applications • Download site counters • Google queries (johnny.ihackstuff.com) • External applications • Wikis • Web mail • Discussion boards • Blogs Contains VeriSign Confidential and Proprietary Information

  25. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Identify Inputs • Potential input vectors • Method • Request-URI • Protocol • Headers • Cookies • Post data • Reconnaissance • Web forms • Authentication • Hidden fields • Client side scripting • Manual Tools • Proxies • LiveHTTPHeaders • Automated Tools • Spiders Contains VeriSign Confidential and Proprietary Information

  26. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Generate Fuzzed Data • Intelligent fuzzing • Start with legitimate web request • Build template to mutate requests • Request format • Fuzz Template [Method] [Request-URI] HTTP/[Major Version].[Minor Version] [HTTP Headers] [Post Data] [Methods]/[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1 Accept: */* Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) Host: [Overflow] Proxy-Connection: Keep-Alive Contains VeriSign Confidential and Proprietary Information

  27. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Execute Fuzzed Data • Fuzz classes • Directory traversal • Format strings • Overflow • SQL Injection • XSS Injection Contains VeriSign Confidential and Proprietary Information

  28. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Monitor for Exceptions • Execute • Automated and repeated • Monitor • HTML response • Error messages • Raw response • User input • Status codes • Kill • Set timeout Contains VeriSign Confidential and Proprietary Information

  29. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability WebFuzz – Determine Exploitability • Skills • HTTP • HTML • Client side scripting • SQL • Vulnerability types • Denial of service • Cross site scripting (XSS) • SQL injection • Directory traversal/Weak access control • Weak authentication • Weak session management (cookies) • Buffer overflow • Improperly supported HTTP methods • Remote Command Execution • Remote Code Injection • Vulnerable Libraries • HTTP Request Splitting • Format Strings Contains VeriSign Confidential and Proprietary Information

  30. WebFuzz - Demo Contains VeriSign Confidential and Proprietary Information

  31. COMRaider Contains VeriSign Confidential and Proprietary Information

  32. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Identify Target • Client side attacks • Vendor history • Past vulnerabilities • High risk targets • Popular applications • Identify ActiveX controls • Choose Active DLL or OCX file directly • Scan a directory for registered COM servers • Manually enter a GUID • Choose from controls that should be loadable in IE Contains VeriSign Confidential and Proprietary Information

  33. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Identify Inputs • Indentify fuzzable ActiveX controls • Load and parse type library files (*.tlb) to enumerate interfaces or • Create a live instance of the object to query and load interface information • Scriptable ActiveX controls • Accessible by web servers via Internet Explorer • Controls marked as Safe for Scripting or implementing IObjectSafety • Controls support IDispatch or IDispatchEx interfaces Contains VeriSign Confidential and Proprietary Information

  34. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Generate Fuzzed Data • Examine each function and identify variable types to determine fuzzing scenarios • Supported • Ints • Longs • Doubles • Strings • Variants • Not supported • Singles • Bytes • Bools • Dynamically created Windows Script Files (*.wsf) Contains VeriSign Confidential and Proprietary Information

  35. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Execute Fuzzed Data • Windows Script Host (wscript.exe) used to execute *.wsf files Contains VeriSign Confidential and Proprietary Information

  36. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Monitor for Exceptions • Execute • Automated and repeated • Monitor • Debugger - crashmon.dll • Record handled/unhandled exceptions • Window logger • Record/clear error dialogs • Record modal windows • Kill • 8 second timeout Contains VeriSign Confidential and Proprietary Information

  37. Identify target Generate fuzzed data Execute fuzzed data Monitor for exceptions Identify inputs Determine exploitability COMRaider – Determine Exploitability • Skills • Disassembly • Debugging • Distributed auditing • Audit results uploaded to and downloaded from central MySQL server • Exceptions logged • Exception code • SEH chain • Call stack • Register values • Recent/future opcodes • Argument dump • Stack dump Contains VeriSign Confidential and Proprietary Information

  38. COMRaider - Demo Contains VeriSign Confidential and Proprietary Information

  39. Advanced Topics • Fuzzing Frameworks • Automated structure identification • Fuzzer tracking (code coverage) • Intelligent exception detection and processing Contains VeriSign Confidential and Proprietary Information

  40. The Future of Fuzzing • Tools • Frameworks • Integrated test environments • Commercial tools • People • Wider audience • Proactive fuzzing – the shift from offense to defense Contains VeriSign Confidential and Proprietary Information

  41. Questions Contains VeriSign Confidential and Proprietary Information

More Related