Contains VeriSign Confidential and Proprietary Information Fuzzing Brute Force Vulnerability...

Contains VeriSign Confidential and Proprietary Information

FuzzingBrute Force Vulnerability Discovery

Michael SuttonDirector, iDefense Labs

[email protected]

2 Contains VeriSign Confidential and Proprietary Information

Agenda

+ Background▪ What is fuzzing and who should do it?

+ Phases▪ What are the various stages when fuzzing a target?

+ Fuzzer classes▪ What can be fuzzed?

+ Automation▪ Making the theoretical practical

+ Tools/Demos▪ FileFuzz▪ WebFuzz▪ COMRaider

+ Advanced topics

+ The future or fuzzing


Vulnerability Discovery Methodologies – White Box

+ “Also known as glass box, structural, clear box and open box testing. A software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data.” ▪ Webopedia

+ Source code review▪ Static analysis▪ Pros

– Coverage

▪ Cons– Dependencies– Are we testing reality?

• Compiler issues• Implementation scenarios


Vulnerability Discovery Methodologies – Black Box

+ “Also known as functional testing. A software testing technique whereby the internal workings of the item being tested are not known by the tester.” ▪ Webopedia

+ Reverse engineering▪ Static analysis▪ Pros

– Complex vulnerabilities uncovered▪ Cons

– Time consuming– Deep knowledge required

+ Fuzzing▪ Dynamic analysis▪ Pros

– Relatively simple– Realistic

▪ Cons– Coverage– Complex vulnerabilities missed


What is Fuzzing?

+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct.

The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.”▪ Wikipedia

+ “Unexpected input causes unexpected results.”▪ Michael Sutton


Who should fuzz?

+ Security researchers▪ Reactive

+ QA Teams▪ Proactive

+ Developers▪ Proactive

Design

Development

Quality Assurance

Production Researchers

QA Teams

Developers


What can fuzzing do for you?

+ MS06-01 - Graphics Rendering Engine Vulnerability▪ aka “Windows WMF Vulnerability”▪ Appears to have been discovered through fuzzing▪ Evidence

– Google search on strings in initial exploit identified probable source file• JNK = c, Jun N, terminal, kitase• kitase kinase

– At the time, Google didn’t recognize WMF file types and therefore treated them as text allowing a search for strings within the binary

– Diffing original file and exploit revealed evidence that fuzzing was used to discover the vulnerability

AIF = apoptosis-inducing factor ANF = atrial natriuretic factorapaf = apoptotic protease-activating factor ARC = apoptosis repressor with caspaserecruitment domain BH = bcl-2 homology CASH = caspase homologue CD = cluster of differentiation DED = death effector domain DR = death receptor ERK = extracellular signal-regulated kinaseFADD = Fas-associated death domain proteinFasL = Fas ligandFLAME-1 = FADD-like antiapoptoticmolecule FLICE = FADD-homologous ICE/Ced-3-like protease FLIP = FLICE-inhibitory proteins I kappa B = inhibitor of NF kappa B I-FLICE = inhibitor of FLICE

IAP = inhibitor of apoptosis protein ICE = interleukin-1 beta-converting enzyme IGF = insulin-like growth factor JNK = c-Jun N-terminal kinaseMAPK = mitogen-activated protein kinase

MEK = MAPK/ERK kinaseMEKK = MEK kinaseNF kappa B = nuclear factor kappa B NGF = nerve growth factor PI-3 kinase = phosphatidylinositol-3 kinasePKB, PKC = protein kinase B and C RAIDD = RIP-associated ICH-1/Ced-3-homologous death domain protein RIP = receptor-interaction protein SAPK = stress-activated protein kinaseSEK = SAPK/ERK kinase TdT = terminal deoxynucleotidyltransferaseTNF = tumor necrosis factor TNFR = TNF receptor TRADD = TNFR-associated death domain protein TRAF = TNFR-associated factor TRAIL = TNF-related apoptosis-inducingligandTUNEL = TdT-mediated dUTP nick end-labeling zVAD.fmk = benzyloxycarbonyl-valine-alanine-aspartate fluoromethylketone


Phases

Identify target

Identify inputs

Generate fuzzed data

Execute fuzzed data

Monitor for exceptions

Determine exploitability


Fuzzer Classes

+ Command line arguments

+ Environment variables▪ Sharefuzz (www.immunitysec.com)

+ Web applications▪ WebFuzz (Demo)

+ File formats▪ FileFuzz (Demo – labs.idefense.com)

+ Network protocols▪ SPIKE (www.immunitysec.com)

+ Memory

+ COM Objects▪ COMRaider (Demo – labs.idefense.com)

+ Inter-Process Communication (IPC)


Automation

+ Test cases▪ Approach

– Pre-generated test cases

▪ Tools– PROTOS Test Suites

▪ Pro– Consistency

▪ Con– Static– Time consuming


Automation

+ Brute force fuzzing

▪ Approach– Raw byte manipulation

▪ Tool(s)– FileFuzz

▪ Pro– Simple

▪ Con– Inefficient– Fails to account for dependent values (e.g. checksums)


Automation

+ ‘Intelligent’ fuzzing▪ Approach

– Templates developed based on protocol definitions

▪ Tools– SPIKE– SPIKEfile

▪ Pro– Efficient

▪ Con– Time consuming


FileFuzz


FileFuzz – Identify Target

+ Application vs. file type▪ One file type multiple targets

+ Vendor history▪ Past vulnerabilities

+ High risk targets▪ Default file handlers

– Windows Explorer– Windows Registry

▪ Commonly traded file types– Media files– Office documents– Configuration files

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Identify Inputs

+ Proprietary vs. open formats▪ Vendor documents▪ Wotsit.org▪ Google

+ Binary files▪ e.g. images, video, audio, office

documents, etc.▪ Headers vs. data

+ Text files▪ e.g. *.ini, *.inf, *.xml▪ Name/value pairs

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Generate Fuzzed Data

+ Binary files▪ Breadth (All or Range)

– Identify potential weaknesses FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ;

ÿÿÿÿ..Ûþ..Å...è.

D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.

D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.

▪ Depth– Determine level of control/influence

D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.

D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.

D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.

+ Text Files▪ name = value

file_size = 10file_size = AAAAAfile_size = AAAAAAAAAA

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Execute Fuzzed Data

+ Command line arguments▪ Windows explorer

– Tools…Folder Options…File Types

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Monitor for Exceptions

+ Visual▪ Error messages▪ Blue screen

+ Event logs▪ System logs▪ Application logs

+ Debuggers

+ Return codes

+ Debugging API

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Monitor for Exceptions

+ Execute▪ Automated and repeated

+ Monitor▪ Library - libdasm▪ Capture

– Memory location– Registry values– Exception type

+ Kill▪ Set timeout

Identify target

Identify inputs


Execute fuzzed data



[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast

[*] Access Violation

[*] Exception caught at 00403f06 mov eax,[eax+edi*4]

[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac

[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8


FileFuzz – Determine Exploitability

+ Skills▪ Disassembly▪ Debugging

+ Vulnerability types▪ Stack overflows▪ Heap overflows▪ Integer handling

– Overflows– Signedness

▪ DoS– Out of bounds reads– Infinite loops– NULL pointer dereferences

▪ Logic errors– Windows WMF vulnerability (MS06-001)

▪ Format strings▪ Race conditions

Identify target

Identify inputs


Execute fuzzed data




FileFuzz – Demo (Breadth)


FileFuzz – Demo (Depth)


WebFuzz


WebFuzz – Identify Target

+ Server vs. Application▪ Targeting applications can uncover

server vulnerabilities


+ High risk targets▪ Popular applications

– Download site counters– Google queries (johnny.ihackstuff.com)

▪ External applications– Wikis– Web mail– Discussion boards– Blogs

Identify target

Identify inputs


Execute fuzzed data




WebFuzz – Identify Inputs

+ Potential input vectors▪ Method▪ Request-URI▪ Protocol▪ Headers▪ Cookies▪ Post data

+ Reconnaissance ▪ Web forms▪ Authentication▪ Hidden fields▪ Client side scripting

+ Manual Tools▪ Proxies▪ LiveHTTPHeaders

+ Automated Tools▪ Spiders

Identify target

Identify inputs


Execute fuzzed data




WebFuzz – Generate Fuzzed Data

+ Intelligent fuzzing▪ Start with legitimate web request▪ Build template to mutate requests

+ Request format

+ Fuzz Template

Identify target

Identify inputs


Execute fuzzed data



[Method] [Request-URI] HTTP/[Major Version].[Minor Version]

[HTTP Headers]

[Post Data]

[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1

Accept: */*

Accept-Language: en-us

Pragma: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)

Host: [Overflow]

Proxy-Connection: Keep-Alive


WebFuzz – Execute Fuzzed Data

+ Fuzz classes▪ Directory traversal▪ Format strings▪ Overflow▪ SQL Injection▪ XSS Injection

Identify target

Identify inputs


Execute fuzzed data




WebFuzz – Monitor for Exceptions


+ Monitor▪ HTML response

– Error messages

▪ Raw response– User input

▪ Status codes

+ Kill▪ Set timeout

Identify target

Identify inputs


Execute fuzzed data




WebFuzz – Determine Exploitability

+ Skills▪ HTTP▪ HTML▪ Client side scripting▪ SQL

+ Vulnerability types▪ Denial of service▪ Cross site scripting (XSS)▪ SQL injection▪ Directory traversal/Weak access control▪ Weak authentication▪ Weak session management (cookies)▪ Buffer overflow▪ Improperly supported HTTP methods▪ Remote Command Execution▪ Remote Code Injection▪ Vulnerable Libraries▪ HTTP Request Splitting▪ Format Strings

Identify target

Identify inputs


Execute fuzzed data




WebFuzz - Demo


COMRaider


COMRaider – Identify Target

+ Client side attacks


+ High risk targets▪ Popular applications

+ Identify ActiveX controls▪ Choose Active DLL or OCX file directly▪ Scan a directory for registered COM

servers▪ Manually enter a GUID▪ Choose from controls that should be

loadable in IE

Identify target

Identify inputs


Execute fuzzed data




COMRaider – Identify Inputs

+ Indentify fuzzable ActiveX controls▪ Load and parse type library files (*.tlb) to

enumerate interfacesor

▪ Create a live instance of the object to query and load interface information

+ Scriptable ActiveX controls▪ Accessible by web servers via Internet

Explorer– Controls marked as Safe for Scripting or

implementing IObjectSafety – Controls support IDispatch or IDispatchEx

interfaces

Identify target

Identify inputs


Execute fuzzed data




COMRaider – Generate Fuzzed Data

+ Examine each function and identify variable types to determine fuzzing scenarios▪ Supported

– Ints– Longs– Doubles– Strings– Variants

▪ Not supported– Singles– Bytes– Bools

+ Dynamically created Windows Script Files (*.wsf)

Identify target

Identify inputs


Execute fuzzed data




COMRaider – Execute Fuzzed Data

+ Windows Script Host (wscript.exe) used to execute *.wsf files Identify target

Identify inputs


Execute fuzzed data




COMRaider – Monitor for Exceptions


+ Monitor▪ Debugger - crashmon.dll

– Record handled/unhandled exceptions

▪ Window logger– Record/clear error dialogs– Record modal windows

+ Kill▪ 8 second timeout

Identify target

Identify inputs


Execute fuzzed data




COMRaider – Determine Exploitability

+ Skills▪ Disassembly▪ Debugging

+ Distributed auditing▪ Audit results uploaded to and

downloaded from central MySQL server

+ Exceptions logged▪ Exception code▪ SEH chain▪ Call stack▪ Register values▪ Recent/future opcodes▪ Argument dump▪ Stack dump

Identify target

Identify inputs


Execute fuzzed data




COMRaider - Demo


Advanced Topics

+ Fuzzing Frameworks

+ Automated structure identification

+ Fuzzer tracking (code coverage)

+ Intelligent exception detection and processing


The Future of Fuzzing

+ Tools▪ Frameworks▪ Integrated test environments▪ Commercial tools

+ People▪ Wider audience▪ Proactive fuzzing – the shift from offense to defense


Questions

Contains VeriSign Confidential and Proprietary Information Fuzzing Brute Force Vulnerability...

Documents

Transcript of Contains VeriSign Confidential and Proprietary Information Fuzzing Brute Force Vulnerability...