Welcome to RSA Dark Arts Village 2022
This talk is aimed at providing hands on details on how to fuzz open source softwares on linux OS with AFL.
Zip File password: infected
user name: kali
Current: Principal Researcher @ Sophos, Bangalore, India
Past: Senior Security Researcher @ McAfee, Bangalore,India
Past: Security Researcher @ Symantec, Pune, India
What I do?
Official Blogs: https://news.sophos.com/en-us/author/hardik-shah/
Past Blogs: https://www.mcafee.com/blogs/author/hardik-shah/
Fuzzing is the process of automated bug finding. A fuzzer will generate or provide crafted input to a program and will monitor its behaviour. if its crashes then test case can be saved to further analysis and reproduction.
Monitors program execution using compile time or runtime instrumentation and can generate new input files based on the paths taken.
Very useful and successful in finding bugs.
pulling jpeg out of thin air: https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
$ mkdir in_dir $ echo 'hello' >in_dir/hello $ ./afl-fuzz -i in_dir -o out_dir ./jpeg-9a/djpeg
Consider following code:
What it looks like in IDA:
Flips a bit i.e. 1 becomes 0, 0 becomes 1 - this can be done in steps of 1⁄1,2⁄1,4⁄1,8⁄8 ....32⁄8 (same strategy will be used for byteflip as well)
Flips a byte - this can be done in steps of 1⁄1,2⁄1,4⁄1,8⁄8 ....32⁄8
Random arithmetic like addition/substraction of random values
Random strategy - anythings from bit/bytes/interest/splice/addition/subtraction
User provided dictionary or auto discovered tokens.
Replace content in original file with interesting values like: 0xff,0x7f etc – 8⁄8,16⁄8..
Splits and combine two or more files to get a new file.
Why do we need to Minimize input corpus?
afl-cmin –i input –o mininput -- ./program @@
We found a crash by running fuzzer – now what?
$ git clone https://github.com/google/AFL.git $ cd AFL $ make $ cd llvm_mode $ make $ cd .. $ make install
This will install various compiler wrappers and utilities like:
you can install it by typing following command:
$ sudo apt install clang llvm
santizers helps in finding bugs at the eary stages of program execution.
There are various types of sanitizers which can be enabled at compile time by passing required options. you need to add following flags at compile time if you want to enable any of the sanitizers below:
1. ASAN (-fsanitize=address) 2. MSAN (-fsanitize=memory) 3. UBSAN (-fsanitize=undefined) 4. TSAN (-fsanitize=thread)
AFL has various environment variables like AFL_HARDEN, AFL_USE_ASAN and AFL_USE_MSAN etc. which can be used to enable support for this sanitizers as well as to do various fuzzing related customization. check here: https://github.com/mirrorer/afl/blob/master/docs/env_variables.txt
Goal: learning how to fuzz a program with AFL.
Lets download it first:
$ git clone https://github.com/hardik05/Damn_Vulnerable_C_Program.git
Let's compile it using afl-gcc/afl-clang(when nothing works, use afl-gcc,afl-g++) :
$ afl-gcc -fsanitize=address,undefined -ggdb -O0 imgRead.c -o imgRead_afl
Generate some seed corpus
$ mkdir in $ echo "IMG" > in/1.img
$ afl-fuzz -i in -o out -m none -- ./imgRead_afl @@
you should see a screen like below:
It has various status messages.
not all are needed. you can read more about them here: https://github.com/google/AFL/blob/master/docs/status_screen.txt
Get the source code of tcpdump and libpcap.
git clone https://github.com/the-tcpdump-group/tcpdump.git cd tcpdump git clone https://github.com/the-tcpdump-group/libpcap.git cd libpcap
CC=afl-gcc CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure sudo make && make install
it will complain about some missing dependencies, run following commands:
sudo apt install flex bison
your compilation should be succssfull.
use afl-cmin, run following command:
afl-cmin –i tests –o mincorpus –m none -- ./tcpdump –vv –ee –nnr @@
You should see a screenshot something like below:
afl-fuzz –i mincorpus –o fuzzoutput –m none -- ./tcpdump –vv –ee –nnr @@
you should see something like this:
✅ Always report to vendor first.generally vendor have email@example.com email id. you can also check their website for security contact.
✅ Dont disclose anything until vendor releases the patch.
✅ Vendors may reward you with bug bounty for your work!
My youtube channel on fuzzing: Click here
Thanks everyone, hope you have enjoyed this workshop as much as I have enjoyed delivering it and creating contents and various excericses for it.