Fuzzing: Brute Force Vulnerability Discovery
Michael Sutton, Director, iDefense Labs (msutton@idefense.com)
Contains VeriSign Confidential and Proprietary Information
Agenda
+ Background
  ▪ What is fuzzing and who should do it?
+ Phases
  ▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
  ▪ What can be fuzzed?
+ Automation
  ▪ Making the theoretical practical
+ Tools/Demos
  ▪ FileFuzz
  ▪ WebFuzz
  ▪ COMRaider
+ Advanced topics
+ The future of fuzzing
Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box testing. A software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data.”
  ▪ Webopedia
+ Source code review
  ▪ Static analysis
  ▪ Pros
    – Coverage
  ▪ Cons
    – Dependencies
    – Are we testing reality?
      • Compiler issues
      • Implementation scenarios
Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the internal workings of the item being tested are not known by the tester.”
  ▪ Webopedia
+ Reverse engineering
  ▪ Static analysis
  ▪ Pros
    – Complex vulnerabilities uncovered
  ▪ Cons
    – Time consuming
    – Deep knowledge required
+ Fuzzing
  ▪ Dynamic analysis
  ▪ Pros
    – Relatively simple
    – Realistic
  ▪ Cons
    – Coverage
    – Complex vulnerabilities missed
What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.”
  ▪ Wikipedia
+ “Unexpected input causes unexpected results.”
  ▪ Michael Sutton
Who should fuzz?
+ Security researchers
  ▪ Reactive
+ QA Teams
  ▪ Proactive
+ Developers
  ▪ Proactive
[Slide diagram: a lifecycle timeline Design → Development → Quality Assurance → Production, with Developers placed at the Development stage, QA Teams at Quality Assurance and Researchers at Production]
What can fuzzing do for you?
+ MS06-001 – Graphics Rendering Engine Vulnerability
  ▪ aka “Windows WMF Vulnerability”
  ▪ Appears to have been discovered through fuzzing
  ▪ Evidence
    – A Google search on strings in the initial exploit identified the probable source file
      • “JNK = c, Jun N, terminal, kinase”
      • “kinase kinase”
    – At the time, Google didn’t recognize WMF file types and therefore treated them as text, allowing a search for strings within the binary
    – Diffing the original file and the exploit revealed evidence that fuzzing was used to discover the vulnerability
Excerpt from the probable source file shown on the slide (a glossary of apoptosis-signalling abbreviations, which is where the exploit's embedded strings came from):
AIF = apoptosis-inducing factor; ANF = atrial natriuretic factor; apaf = apoptotic protease-activating factor; ARC = apoptosis repressor with caspase recruitment domain; BH = bcl-2 homology; CASH = caspase homologue; CD = cluster of differentiation; DED = death effector domain; DR = death receptor; ERK = extracellular signal-regulated kinase; FADD = Fas-associated death domain protein; FasL = Fas ligand; FLAME-1 = FADD-like antiapoptotic molecule; FLICE = FADD-homologous ICE/Ced-3-like protease; FLIP = FLICE-inhibitory proteins; I kappa B = inhibitor of NF kappa B; I-FLICE = inhibitor of FLICE; IAP = inhibitor of apoptosis protein; ICE = interleukin-1 beta-converting enzyme; IGF = insulin-like growth factor; JNK = c-Jun N-terminal kinase; MAPK = mitogen-activated protein kinase; MEK = MAPK/ERK kinase; MEKK = MEK kinase; NF kappa B = nuclear factor kappa B; NGF = nerve growth factor; PI-3 kinase = phosphatidylinositol-3 kinase; PKB, PKC = protein kinase B and C; RAIDD = RIP-associated ICH-1/Ced-3-homologous death domain protein; RIP = receptor-interaction protein; SAPK = stress-activated protein kinase; SEK = SAPK/ERK kinase; TdT = terminal deoxynucleotidyl transferase; TNF = tumor necrosis factor; TNFR = TNF receptor; TRADD = TNFR-associated death domain protein; TRAF = TNFR-associated factor; TRAIL = TNF-related apoptosis-inducing ligand; TUNEL = TdT-mediated dUTP nick end-labeling; zVAD.fmk = benzyloxycarbonyl-valine-alanine-aspartate fluoromethylketone
Phases
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
Fuzzer Classes
+ Command line arguments
+ Environment variables
  ▪ Sharefuzz (www.immunitysec.com)
+ Web applications
  ▪ WebFuzz (Demo)
+ File formats
  ▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
  ▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
  ▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)
Automation
+ Test cases
  ▪ Approach
    – Pre-generated test cases
  ▪ Tools
    – PROTOS Test Suites
  ▪ Pro
    – Consistency
  ▪ Con
    – Static
    – Time consuming
+ Brute force fuzzing
  ▪ Approach
    – Raw byte manipulation
  ▪ Tool(s)
    – FileFuzz
  ▪ Pro
    – Simple
  ▪ Con
    – Inefficient
    – Fails to account for dependent values (e.g. checksums)
+ ‘Intelligent’ fuzzing
  ▪ Approach
    – Templates developed based on protocol definitions
  ▪ Tools
    – SPIKE
    – SPIKEfile
  ▪ Pro
    – Efficient
  ▪ Con
    – Time consuming
FileFuzz
FileFuzz – Identify Target
+ Application vs. file type
  ▪ One file type, multiple targets
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Default file handlers
    – Windows Explorer
    – Windows Registry
  ▪ Commonly traded file types
    – Media files
    – Office documents
    – Configuration files
FileFuzz – Identify Inputs
+ Proprietary vs. open formats
  ▪ Vendor documents
  ▪ Wotsit.org
  ▪ Google
+ Binary files
  ▪ e.g. images, video, audio, office documents, etc.
  ▪ Headers vs. data
+ Text files
  ▪ e.g. *.ini, *.inf, *.xml
  ▪ Name/value pairs
FileFuzz – Generate Fuzzed Data
+ Binary files
  ▪ Breadth (All or Range) – identify potential weaknesses by sliding a fixed fill value across the file, one offset per test case
    FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
    D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
    D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
  ▪ Depth – determine the level of control/influence by stepping one offset through its possible values
    D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
    D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
    D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
  (The sample bytes are the start of a placeable WMF header; the unmodified key is D7 CD C6 9A.)
+ Text files
  ▪ name = value
    file_size = 10
    file_size = AAAAA
    file_size = AAAAAAAAAA
FileFuzz – Execute Fuzzed Data
+ Command line arguments
  ▪ Windows Explorer shows how the default handler for a file type is invoked
    – Tools… Folder Options… File Types
FileFuzz – Monitor for Exceptions
+ Visual
  ▪ Error messages
  ▪ Blue screen
+ Event logs
  ▪ System logs
  ▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
FileFuzz – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ Library – libdasm (disassembles the faulting instruction)
  ▪ Capture
    – Memory location
    – Register values
    – Exception type
+ Kill
  ▪ Set timeout
Sample output from FileFuzz's crash monitor, crash.exe, which launches the target with a timeout and reports the exception, the faulting instruction and the registers:
[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
Note that EDI, the index in the faulting read, holds 0xcccccccc; whether the fuzzed bytes control that value is the first question in the exploitability phase that follows.
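The FileFuzz phases above (breadth and depth byte mutation, a command-line launch of the handler, and a monitor that kills on timeout and records what happened) fit in one short harness. This is an added example, not FileFuzz or crash.exe: the breadth, depth and name/value generators follow the slide's hex dumps, the monitor reads the exit status rather than attaching a debugger (so it sees the NTSTATUS code an unhandled Windows exception leaves, or the signal on POSIX, but not the faulting instruction or registers), the verdict names are mine, and the target it runs is a constructed stand-in parser written to a temp directory so the run works offline.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Exit status left by an unhandled Windows exception (NTSTATUS codes).
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
INTERESTING = {"hang", "access_violation", "stack_cookie"}


def breadth_mutants(data, width=4, fill=0xFF, start=0, end=None):
    """Breadth ('All' or 'Range'): slide a width-byte block of fill across
    data[start:end], one test case per offset, to locate sensitive fields."""
    end = len(data) if end is None else min(end, len(data))
    for off in range(start, end - width + 1):
        yield off, data[:off] + bytes([fill]) * width + data[off + width:]


def depth_mutants(data, offset, width=1):
    """Depth: keep the offset fixed and step the byte through all 256 values
    to learn how much control that position gives over the parser."""
    for value in range(256):
        yield value, data[:offset] + bytes([value]) * width + data[offset + width:]


def text_mutants(text, lengths=(5, 10, 100, 1000), char="A"):
    """name = value files: replace each value in turn with a longer string."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        for n in lengths:
            mutated = lines[:i] + ["%s = %s" % (name, char * n)] + lines[i + 1:]
            yield (name, n), "\n".join(mutated) + "\n"


def classify(returncode, timed_out):
    """Monitor: turn the exit status and the timeout flag into a verdict."""
    if timed_out:
        return "hang"
    if returncode < 0:                      # POSIX: killed by a signal (SIGSEGV=11, SIGABRT=6)
        return "signal_%d" % -returncode
    code = returncode & 0xFFFFFFFF
    if code == STATUS_ACCESS_VIOLATION:
        return "access_violation"
    if code == STATUS_STACK_BUFFER_OVERRUN:
        return "stack_cookie"
    return "ok" if returncode == 0 else "error_exit"


def run_case(argv, timeout):
    """Execute one case and kill it after timeout seconds (the slide's Kill step)."""
    try:
        return classify(subprocess.run(argv, capture_output=True, timeout=timeout).returncode, False)
    except subprocess.TimeoutExpired:
        return "hang"


def fuzz_file(seed_path, argv_template, workdir, timeout=2.0, width=4):
    """Breadth pass over one seed; {file} in argv_template becomes the case path.
    Returns [(offset, verdict)] for crashes and hangs only: a clean non-zero
    exit means the parser rejected the input, which is not a finding."""
    data = Path(seed_path).read_bytes()
    findings = []
    for off, mutant in breadth_mutants(data, width=width):
        case = Path(workdir) / ("%d.bin" % off)
        case.write_bytes(mutant)
        verdict = run_case([a.replace("{file}", str(case)) for a in argv_template], timeout)
        if verdict in INTERESTING or verdict.startswith("signal_"):
            findings.append((off, verdict))
    return findings


# Constructed stand-in target (an assumption, not a real handler): a parser that
# trusts its length field and faults, via abort(), when told to read past EOF.
TARGET_SRC = """import os, struct, sys
try:
    import resource; resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps
except ImportError:
    pass
data = open(sys.argv[1], 'rb').read()
if data[:4] != b'FUZZ':
    sys.exit(2)                       # clean reject: bad magic
(length,) = struct.unpack_from('<I', data, 4)
if 8 + length > len(data):
    os.abort()                        # simulated fault on the untrusted length
sys.exit(0)
"""


def demo():
    """Fuzz the stand-in parser with a 16-byte seed and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp, "target.py")
        target.write_text(TARGET_SRC)
        seed = Path(tmp, "seed.bin")
        seed.write_bytes(b"FUZZ" + (8).to_bytes(4, "little") + b"payload!")
        return fuzz_file(seed, [sys.executable, str(target), "{file}"], tmp)


if __name__ == "__main__":
    for off, verdict in demo():
        print("offset %2d: %s" % (off, verdict))
```

Against the stand-in, only the windows that overlap the length field at offsets 4 to 7 are reported; windows over the magic make the parser exit cleanly and are ignored, which is the distinction between a rejected input and an exception that the slide's monitor has to make. On a real target, replace the argv template with the handler's command line from Folder Options (the UA120.exe /qt invocation in the crash output above is one such line) and expect to need a debugger, not just the exit status, to recover the faulting address and registers.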
FileFuzz – Determine Exploitability
+ Skills
  ▪ Disassembly
  ▪ Debugging
+ Vulnerability types
  ▪ Stack overflows
  ▪ Heap overflows
  ▪ Integer handling
    – Overflows
    – Signedness
  ▪ DoS
    – Out of bounds reads
    – Infinite loops
    – NULL pointer dereferences
  ▪ Logic errors
    – Windows WMF vulnerability (MS06-001)
  ▪ Format strings
  ▪ Race conditions
FileFuzz – Demo (Breadth)
FileFuzz – Demo (Depth)
WebFuzz
WebFuzz – Identify Target
+ Server vs. application
  ▪ Targeting applications can uncover server vulnerabilities
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Popular applications
    – Download site counters
    – Google queries (johnny.ihackstuff.com)
  ▪ External applications
    – Wikis
    – Web mail
    – Discussion boards
    – Blogs
WebFuzz – Identify Inputs
+ Potential input vectors
  ▪ Method
  ▪ Request-URI
  ▪ Protocol
  ▪ Headers
  ▪ Cookies
  ▪ Post data
+ Reconnaissance
  ▪ Web forms
  ▪ Authentication
  ▪ Hidden fields
  ▪ Client side scripting
+ Manual tools
  ▪ Proxies
  ▪ LiveHTTPHeaders
+ Automated tools
  ▪ Spiders
WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
  ▪ Start with a legitimate web request
  ▪ Build a template to mutate requests
+ Request format
    [Method] [Request-URI] HTTP/[Major Version].[Minor Version]
    [HTTP Headers]

    [Post Data]
+ Fuzz template (each bracketed token marks where a fuzz class is substituted)
    [Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
    Host: [Overflow]
    Proxy-Connection: Keep-Alive
WebFuzz – Execute Fuzzed Data
+ Fuzz classes
  ▪ Directory traversal
  ▪ Format strings
  ▪ Overflow
  ▪ SQL injection
  ▪ XSS injection
WebFuzz – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ HTML response
    – Error messages
  ▪ Raw response
    – User input reflected back in the response
  ▪ Status codes
+ Kill
  ▪ Set timeout
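The template from the Generate Fuzzed Data slide and the monitor on this slide, as an added example that is not WebFuzz's code: each [Token] in the path and headers is replaced in turn by a payload from one fuzz class while the other tokens get benign values, and every response is checked for its status code, error strings in the HTML, and raw reflection of the input. The payload lists and error-message patterns are illustrative, and the server it fuzzes is a constructed, deliberately broken handler started on a local port so the run is offline.

```python
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Fuzz classes from the Execute slide, a few representative payloads each (illustrative).
FUZZ_CLASSES = {
    "Traversal": ["../../../../etc/passwd", "..\\..\\..\\..\\boot.ini"],
    "SQL": ["'", "' OR '1'='1", "1;--"],
    "XSS": ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>'],
    "Overflow": ["A" * 1024, "A" * 8192],
    "FormatString": ["%s%s%s%s%n", "%x%x%x%x%x"],
}
BENIGN = {"Traversal": "static", "SQL": "1", "XSS": "hello", "Overflow": "localhost", "FormatString": "x"}
# The slide's template: [Token] marks where a fuzz class is substituted.
TEMPLATE_PATH = "/[Traversal]/page.html?x=[SQL]&y=[XSS]"
TEMPLATE_HEADERS = {"Host": "[Overflow]", "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}
SQL_ERROR = re.compile(r"SQL syntax|ODBC|ORA-\d{5}|SQLSTATE|Unclosed quotation", re.I)
PASSWD_LINE = re.compile(r"root:[^:]*:0:0:")
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def render(token, payload, path=TEMPLATE_PATH, headers=TEMPLATE_HEADERS):
    """Substitute payload for [token] and a benign value for every other token."""
    def fill(s):
        for name in FUZZ_CLASSES:
            value = payload if name == token else BENIGN[name]
            s = s.replace("[%s]" % name, urllib.parse.quote(value, safe="/"))
        return s
    return fill(path), {k: fill(v) for k, v in headers.items()}

def send(base, path, headers, timeout=3.0):
    """Return (status, body); error statuses are data too, no answer is (None, '')."""
    req = urllib.request.Request(base + path, headers=headers)
    try:
        with OPENER.open(req, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def monitor(token, payload, status, body):
    """Monitor phase: status codes, error messages in the HTML, raw reflection of input."""
    v = []
    if status is None or status >= 500:
        v.append("no_response" if status is None else "server_error")
    if SQL_ERROR.search(body):
        v.append("sql_error")
    if token == "XSS" and payload in body:
        v.append("reflected_unescaped")
    if token == "Traversal" and PASSWD_LINE.search(body):
        v.append("file_disclosure")
    return v

def fuzz(base):
    """One request per (token, payload), for tokens the template actually contains."""
    present = TEMPLATE_PATH + "".join(TEMPLATE_HEADERS.values())
    findings = []
    for token, payloads in FUZZ_CLASSES.items():
        if "[%s]" % token not in present:
            continue
        for payload in payloads:
            path, headers = render(token, payload)
            status, body = send(base, path, headers)
            verdicts = monitor(token, payload, status, body)
            if verdicts:
                findings.append((token, payload, status, verdicts))
    return findings

class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed target (an assumption, not a real app): echoes y unescaped,
    leaks a database error when x holds a quote, serves a passwd file on traversal."""
    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        q = urllib.parse.parse_qs(url.query)
        x, y = q.get("x", [""])[0], q.get("y", [""])[0]
        if "'" in x:
            self.reply(500, "You have an error in your SQL syntax near '%s'" % x)
        elif ".." in url.path:
            self.reply(200, "root:x:0:0:root:/root:/bin/sh\n")
        else:
            self.reply(200, "<html><body>Hello %s</body></html>" % y)

    def reply(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass

def demo():
    """Start the constructed target on a free local port, fuzz it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fuzz("http://127.0.0.1:%d" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for token, payload, status, verdicts in demo():
        print(token, status, verdicts, repr(payload[:40]))
```

Two details matter in practice. Payloads are percent-encoded before they go on the wire, because a raw space or quote in the request line is rejected by the client library before the server ever sees it; the decoded value is what the application handles. And the monitor treats a 500 and an error string as separate signals: the SQL case trips both, while the reflected XSS case returns a clean 200 and is only caught by comparing the raw response against the input sent.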
WebFuzz – Determine Exploitability
+ Skills
  ▪ HTTP
  ▪ HTML
  ▪ Client side scripting
  ▪ SQL
+ Vulnerability types
  ▪ Denial of service
  ▪ Cross site scripting (XSS)
  ▪ SQL injection
  ▪ Directory traversal/weak access control
  ▪ Weak authentication
  ▪ Weak session management (cookies)
  ▪ Buffer overflow
  ▪ Improperly supported HTTP methods
  ▪ Remote command execution
  ▪ Remote code injection
  ▪ Vulnerable libraries
  ▪ HTTP request splitting
  ▪ Format strings
WebFuzz – Demo
COMRaider
COMRaider – Identify Target
+ Client side attacks
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Popular applications
+ Identify ActiveX controls
  ▪ Choose an ActiveX DLL or OCX file directly
  ▪ Scan a directory for registered COM servers
  ▪ Manually enter a GUID
  ▪ Choose from controls that should be loadable in IE
COMRaider – Identify Inputs
+ Identify fuzzable ActiveX controls
  ▪ Load and parse type library files (*.tlb) to enumerate interfaces, or
  ▪ Create a live instance of the object to query and load interface information
+ Scriptable ActiveX controls
  ▪ Accessible by web servers via Internet Explorer
    – Controls marked as Safe for Scripting or implementing IObjectSafety
    – Controls supporting the IDispatch or IDispatchEx interfaces
COMRaider – Generate Fuzzed Data
+ Examine each function and identify variable types to determine fuzzing scenarios
  ▪ Supported
    – Ints
    – Longs
    – Doubles
    – Strings
    – Variants
  ▪ Not supported
    – Singles
    – Bytes
    – Bools
+ Dynamically created Windows Script Files (*.wsf)
COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used to execute *.wsf files
COMRaider – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ Debugger – crashmon.dll
    – Record handled/unhandled exceptions
  ▪ Window logger
    – Record/clear error dialogs
    – Record modal windows
+ Kill
  ▪ 8 second timeout
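The three COMRaider steps above (type-driven fuzz values, dynamically generated .wsf files, execution under wscript.exe with an 8 second kill) as an added example; this is not COMRaider's code. The ProgID and the interface description are hypothetical stand-ins for what a parsed type library yields, the one-argument-at-a-time strategy and the value lists are my choices, and the run step is Windows-only and reports only the exit status, without crashmon.dll's exception record or the window logger.

```python
import subprocess
from pathlib import Path

# Fuzz values per variable type from the slide's supported list (illustrative).
INT_VALUES = [0, -1, 0x7FFF, -0x8000, 0xFFFF, 0x7FFFFFFF, -0x80000000]
LONG_VALUES = INT_VALUES + [0xFFFFFFFF, 0x100000000]
DOUBLE_VALUES = [0.0, -1.0, 1.7976931348623157e308, 4.9e-324]
# (char, count) tuples become String(count, char) so the script never carries a huge literal.
STRING_VALUES = ["", "%s%n%s%n", "..\\..\\..\\boot.ini", 'A" & "B', ("A", 260), ("A", 4096), ("A", 65536)]
FUZZ_VALUES = {"int": INT_VALUES, "long": LONG_VALUES, "double": DOUBLE_VALUES,
               "string": STRING_VALUES, "variant": INT_VALUES + STRING_VALUES}
BENIGN = {"int": 1, "long": 1, "double": 1.0, "string": "test", "variant": 1}


def vb_literal(kind, value):
    """Render a Python value as a VBScript expression of the given type."""
    if isinstance(value, tuple):
        return 'String(%d, "%s")' % (value[1], value[0])
    if kind == "string" or isinstance(value, str):
        return '"' + value.replace('"', '""') + '"'   # VBScript doubles embedded quotes
    if kind == "double" or isinstance(value, float):
        return repr(float(value)).upper()              # e.g. 1.7976931348623157E+308
    return str(value)


def wsf(progid, statement):
    """Wrap one VBScript statement in a .wsf job; CDATA keeps <, > and & literal."""
    return ('<?xml version="1.0"?>\n<job id="fuzz">\n<script language="VBScript"><![CDATA[\n'
            'Set obj = CreateObject("%s")\n%s\n]]></script>\n</job>\n' % (progid, statement))


def generate_cases(progid, interface):
    """interface: [{"name", "kind": "method"|"property", "params": [types]}].
    One argument is fuzzed at a time while the others hold benign values;
    returns [(file name, wsf text)], one script per case so a crash is attributable."""
    cases = []
    for member in interface:
        params = member["params"]
        for i, kind in enumerate(params):
            for n, value in enumerate(FUZZ_VALUES[kind]):
                args = [vb_literal(k, BENIGN[k]) for k in params]
                args[i] = vb_literal(kind, value)
                if member.get("kind") == "property":
                    stmt = "obj.%s = %s" % (member["name"], args[0])
                else:
                    stmt = "Call obj.%s(%s)" % (member["name"], ", ".join(args))
                cases.append(("%s_arg%d_%d.wsf" % (member["name"], i, n), wsf(progid, stmt)))
    return cases


def write_cases(cases, outdir):
    """Write the generated scripts to outdir and return their paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, text in cases:
        path = outdir / name
        path.write_text(text)
        paths.append(path)
    return paths


def run_case(path, timeout=8):
    """Windows only. //B suppresses error dialogs, //T: caps the script's run time, and
    the subprocess timeout kills a hung wscript.exe (the slide's 8 second kill).
    Returns 'hang' or the exit status; an unhandled fault leaves the NTSTATUS code."""
    argv = ["wscript.exe", "//B", "//Nologo", "//T:%d" % timeout, str(path)]
    try:
        return subprocess.run(argv, timeout=timeout + 2).returncode
    except subprocess.TimeoutExpired:
        return "hang"


# Hypothetical interface, the shape a parsed type library or live instance yields.
INTERFACE = [
    {"name": "LoadFile", "kind": "method", "params": ["string", "long"]},
    {"name": "Timeout", "kind": "property", "params": ["int"]},
]

if __name__ == "__main__":
    import sys
    paths = write_cases(generate_cases("Vendor.Control", INTERFACE), "comraider_cases")
    if sys.platform == "win32":
        for p in paths:
            print(p.name, run_case(p))
    else:
        print("wrote %d cases; run them with wscript.exe on Windows" % len(paths))
```

The generator only covers the types the slide lists as supported; a parameter typed as single, byte or bool would raise a KeyError rather than be silently skipped, which is the behaviour you want when a type library turns up something the value tables do not handle. Long strings are built with String() inside the script, so a 65536-byte argument does not depend on the script engine tolerating a line that long.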
COMRaider – Determine Exploitability
+ Skills
  ▪ Disassembly
  ▪ Debugging
+ Distributed auditing
  ▪ Audit results uploaded to and downloaded from a central MySQL server
+ Exceptions logged
  ▪ Exception code
  ▪ SEH chain
  ▪ Call stack
  ▪ Register values
  ▪ Recent/future opcodes
  ▪ Argument dump
  ▪ Stack dump
COMRaider – Demo
Advanced Topics
+ Fuzzing frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing
The Future of Fuzzing
+ Tools
  ▪ Frameworks
  ▪ Integrated test environments
  ▪ Commercial tools
+ People
  ▪ Wider audience
  ▪ Proactive fuzzing – the shift from offense to defense
Questions