Corpus distillation & fuzzing - Nordic Testing Days
Transcript of the slide deck nordictestingdays.eu/files/files/jaanus_kaap_fuzzing.pdf (2016-06-06)
Corpus distillation & fuzzing
Jaanus Kääp
Clarified Security
Who is this guy
● Jaanus Kääp
● Working at Clarified Security
– Vulnerability testing, research, trainings, cyber exercises
● Developer background (web and native)
● Multiple bug bounties:
– Facebook, Adobe, Google, MS etc
Why this topic
● CVE-2015-6696 Adobe Reader
● CVE-2015-6698 Adobe Reader
● CVE-2015-6978 Apple Safari
● CVE-2016-0936 Adobe Reader
● CVE-2016-0938 Adobe Reader
● CVE-2016-0939 Adobe Reader
● CVE-2016-0046 Microsoft Reader
● CVE-2016-0118 Microsoft Edge
● CVE-2016-1009 Adobe Reader
● CVE-2016-1088 Adobe Reader
● CVE-2016-1093 Adobe Reader
● CVE-2016-1094 Adobe Reader
● ZDI-15-525 Foxit Reader
● ZDI-15-524 Foxit Reader
● ZDI-15-641 Foxit Reader
● ZDI-16-029 Foxit Reader
● ZDI-16-221 Foxit Reader
Topic itself
● Fuzzing basics
● Corpus distillation
● How I fuzz
● Tools I developed
Fuzzing
● Automated bug/vuln finding
● Functionality
– Generates input
– Runs target with input
– Detects crash/special condition
– Rinse and repeat
Detection
● Detects crashes
● Detects special exceptions (access violation)
● Detects special behaviour (DOS, error message, output)
● Target dependent
Input generation
● Dumb fuzzing
– Total/Stupid random
– Mutations based
● Smart fuzzing
– Generation based
Total/Stupid random
● Examples
– dd if=/dev/urandom bs=100000 count=1 > file.doc
– dd if=/dev/urandom bs=1024 count=1 | telnet target 443
● Pros
– Stupid easy to create
● Cons
– Relatively useless in most cases
Mutations based
● Mutates/changes initial set
– Bit flipping
– Adding long strings
● Pros
– Easy to create
– Better code coverage
● Cons
– Code coverage depends on initial set
Generation based/smart fuzzing
● Fuzzer creates new valid input from scratch
● Pros
– Best code coverage if well implemented
– Better control
● Cons
– Time consuming to implement
– Closed protocol == reverse engineering
What I did (pdf)
● I'm lazy
● Wanted to find vulnerabilities
● Have a couple of computers lying around
==
● Dumb fuzzing
How to improve initial set
● As much functionality as possible
● Unknown protocol (for me)
● Very common filetype
● Lots of readers
Corpus distillation
● What you need
– Huge number of initial files
– Application that can read them
– Time and computing power
● What you do
– Code coverage with every input
– Analyse the coverage of all the files
– Minimize the set
Base logic
● Initial files (functionality):
– Input1 (A, B, F)
– Input2 (A, C, D, E)
– Input3 (A, B, D)
– Input4 (A, E)
– Input5 (A, F)
● Final set (covers same functionality):
– Input1 (A, B, F)
– Input2 (A, C, D, E)
Code coverage
● Open source – simple (special flags)
● Closed source
– Trace the code (dead slow)
– Some tools/libs: Pin, DynamoRIO
– Write coverage tool yourself
Code coverage
● Not every asm instruction
● Basic blocks are enough
● First idea:
– Breakpoint to every basic block
● First implementation
– Set breakpoints
– Write down each bp-event
– Continue execution
How to get basic blocks
● IDA pro + IDApython
● Each basic block
– RVA from base address
First run
● Foxit software
– 611 927 breakpoints
– 8 sec wait
– 180 seconds on VM for setup
– 30 seconds for execution
– TOTAL: ~210s/execution == 411 runs per day
● TOO SLOW
How to speed up?
● Most time was spent on setting breakpoints
● What is breakpoint
– 0xCC (the int3 opcode)
● Why not set them in executable?
How to get basicblocks
● IDA pro + IDApython
● Each basic block
– RVA from base address
– RVA/Offset in the file
– Original value
New process
● Prep
– IDA analysis
– Basic blocks file generation
– Modification of the exe/dll files
● Execution
– Catch 0xCC exceptions
– If in the basic block list
● Record location
● Replace 0xCC with original value
● EIP = EIP – 1
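To make the patch-and-catch coverage step concrete, here is an added example (not code from the talk or from KavalAnts) that simulates it on a constructed byte image: the basic-block table maps RVA to the original first byte, the image is patched with 0xCC, and a toy CPU loop shows the exception handler recording the hit, restoring the byte and resuming at EIP - 1. The toy CPU, the image and the block table are constructed for the example; a real PE also needs the RVA-to-file-offset mapping from the section table, which is the "RVA/Offset in the file" entry above.

```python
# Added example: simulate KavalAnts-style basic-block coverage by patching
# 0xCC (int3) into every block start and recording the first hit of each.
# The toy CPU understands only nop (0x90), jmp rel8 (0xEB) and ret (0xC3);
# the image and the block table are constructed for this example.
INT3 = 0xCC

# Block table from the prep step: rva -> original first byte. In a real PE the
# file offset of an RVA comes from the section table; here rva == file offset.
BLOCKS = {0x0: 0x90, 0x4: 0x90, 0x7: 0x90}

# Image: rva 0: nop nop | 2: jmp +3 | 4: nop nop nop (skipped) | 7: nop ret
IMAGE = bytes([0x90, 0x90, 0xEB, 0x03, 0x90, 0x90, 0x90, 0x90, 0xC3])


def patch_image(image, blocks):
    """Prep step: write int3 at every block start; originals stay in `blocks`."""
    mem = bytearray(image)
    for rva, orig in blocks.items():
        assert mem[rva] == orig, f"block table stale at rva {rva:#x}"
        mem[rva] = INT3
    return mem


def handle_breakpoint(mem, base, blocks, hits, exc_eip):
    """Execution step. `exc_eip` is what the exception reports: one past the
    int3. Returns the EIP to resume at, or None when the int3 is not one of
    ours and must be passed on as a real crash."""
    rva = exc_eip - 1 - base            # module base moves under ASLR
    if rva not in blocks:
        return None
    hits.add(rva)                       # record location
    mem[rva] = blocks[rva]              # replace 0xCC with original value
    return exc_eip - 1                  # EIP = EIP - 1: re-run the real byte


def run(mem, base, blocks):
    """Toy CPU loop over a patched image; returns the RVAs of blocks reached.
    Each block traps only once per process because its byte is restored."""
    hits, eip = set(), base
    while True:
        op = mem[eip - base]
        if op == INT3:
            resume = handle_breakpoint(mem, base, blocks, hits, eip + 1)
            if resume is None:
                raise RuntimeError(f"foreign int3 at {eip:#x}")
            eip = resume
        elif op == 0x90:
            eip += 1
        elif op == 0xEB:                # jmp rel8, relative to next instruction
            rel = mem[eip - base + 1]
            eip += 2 + (rel - 256 if rel >= 128 else rel)
        elif op == 0xC3:
            return hits
        else:
            raise RuntimeError(f"unknown opcode {op:#x}")


def coverage(image=IMAGE, blocks=BLOCKS, base=0x10000000):
    """Patch, run and report which basic blocks executed."""
    return run(patch_image(image, blocks), base, blocks)
```

Running `coverage()` reports blocks 0x0 and 0x7; the block at 0x4 is jumped over and its int3 is never hit, and the same result comes back under a different module base.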
Second run
● Foxit software
– 611 927 breakpoints
– 8 sec wait
– 30 seconds for execution
– TOTAL: ~30s/execution
● MUCH (~7x) BETTER
Additional optimization
● Reducing basic blocks count
– Analyse 100 files
– Take file/files with most coverage
– Add them to final set
– Remove basicblocks covered by them
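The two-file result on the "Base logic" slide and the batch optimisation above are both instances of greedy set cover. This added example (not code from the talk or from KavalAnts) implements both forms over the coverage sets from that slide and shows that the batched, streaming form can keep more files than the global greedy form when the good files come late; the input names and block letters are the slide's, the batch size is a parameter.

```python
# Added example: corpus distillation as greedy set cover. Not code from the
# talk or KavalAnts; the coverage sets are the ones on the "Base logic" slide.
from itertools import islice

SLIDE_INPUTS = {
    "Input1": {"A", "B", "F"},
    "Input2": {"A", "C", "D", "E"},
    "Input3": {"A", "B", "D"},
    "Input4": {"A", "E"},
    "Input5": {"A", "F"},
}


def distill(coverage, all_blocks=None):
    """Global greedy: each round keep the input adding the most still-uncovered
    blocks and drop those blocks; stop when nothing adds anything.
    coverage: {input_name: set(basic_block_ids)}. Returns (chosen, covered)."""
    if not coverage:
        return [], set()
    uncovered = set(all_blocks if all_blocks is not None
                    else set().union(*coverage.values()))
    chosen, covered = [], set()
    while uncovered:
        # Name order makes tie-breaking deterministic.
        gain = {n: coverage[n] & uncovered for n in sorted(coverage)}
        best = max(gain, key=lambda n: len(gain[n]))
        if not gain[best]:
            break                       # the rest is reachable by no input
        chosen.append(best)
        covered |= gain[best]
        uncovered -= gain[best]
    return chosen, covered


def distill_batched(coverage, batch_size, all_blocks=None):
    """Streaming form of the 'analyse 100 files, take the best, remove the
    blocks they cover' optimisation: each batch is distilled only against
    blocks still uncovered, so later runs trap on fewer breakpoints, but an
    early pick is final even if a later file would have covered more."""
    if all_blocks is None:
        all_blocks = set().union(*coverage.values()) if coverage else set()
    uncovered, chosen, covered = set(all_blocks), [], set()
    names = iter(coverage)
    while batch := list(islice(names, batch_size)):
        picked, newly = distill({n: coverage[n] for n in batch}, uncovered)
        chosen += picked
        covered |= newly
        uncovered -= newly
    return chosen, covered


def coverage_ratio(covered, all_blocks):
    """Share of all known basic blocks the final set reaches (the talk's 21.8%)."""
    return len(covered) / len(all_blocks) if all_blocks else 0.0
```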
Third run
● Foxit software
– <600 000 breakpoints
– 8 sec wait
– 13 seconds for execution
– TOTAL: ~13s/execution
● EVEN MORE (~16x) BETTER THAN FIRST
Benefit
● I had 366027 pdf files
● Final set was 726 files (removed 1)
● Code coverage was 21.8%
● It took ~2 weeks
How large initial set you need?
Benefit (latest results)
| Filetype | Software | Initial set | Final set |
|---|---|---|---|
| pdf | Adobe Reader | 400 000 | 1217 (0.30%) |
| doc | MS Word | 400 000 | 1319 (0.33%) |
| docx | MS Word | 400 000 | 2222 (0.56%) |
How to get these files?
● Google „filetype:pdf“
Additional problems
● Not real pdf files
● DDOS protection
Solution
● Searches
– filetype:pdf aaa
– filetype:pdf aab
– filetype:pdf aac
● Not real pdf files
– Magic value - %PDF
● DDOS protection
– It's all about timing
Fuzzing itself
● Mutate input file
● Run executable with debugging
● Wait for crash or exception
– Report and primary filtering
● Repeat
What mutations
● Random bit flipping
● Adding stuff (long strings for example)
● Special values like 0x00, 0xFF, 0xFFFF, 0xFFFFFFFF etc
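The three mutation classes on this slide, as an added example that is not Vanapagan's code: every mutation is driven by an explicit seed, so a crash report only needs to store (seed, iteration) and the exact mutated file can be regenerated later instead of keeping every case on disk. The flip, insert and special-value counts and the 4096-byte string are assumptions for the example.

```python
# Added example (not Vanapagan's code): the slide's three mutation classes,
# made reproducible by an explicit seed.
import random

# Special values from the slide, little-endian so 0xFFFF lands as FF FF etc.
SPECIAL_VALUES = [
    bytes.fromhex("00"), bytes.fromhex("ff"),
    bytes.fromhex("ffff"), bytes.fromhex("ffffffff"),
]
LONG_STRING = b"A" * 4096            # assumed length for the "long string" class


def mutate(data, seed, flips=8, specials=2, inserts=1):
    """Return a mutated copy of `data`; the same (data, seed) always gives the
    same output, which is what makes a crashing case reproducible."""
    if not data:
        raise ValueError("nothing to mutate")
    rng = random.Random(seed)
    out = bytearray(data)
    for _ in range(flips):                          # random bit flipping
        pos = rng.randrange(len(out))
        out[pos] ^= 1 << rng.randrange(8)
    for _ in range(specials):                       # overwrite with a special value
        val = rng.choice(SPECIAL_VALUES)
        pos = rng.randrange(len(out))
        out[pos:pos + len(val)] = val               # may grow the tail by a few bytes
    for _ in range(inserts):                        # add a long string somewhere
        pos = rng.randrange(len(out) + 1)
        out[pos:pos] = LONG_STRING
    return bytes(out)
```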
Detection
● Debugger
– Exceptions (access violations, DEP, etc)
● Full page heap is your friend
Keep in mind
● ASLR calculations
● Random crashes
● More instances the better
● Filter the issues automatically!!!
About filtering
● You need it unless you are VERY bored!
● My simple filtering:
– Near NULL/Not near NULL/Both
– Type of exception
– Location of exception
– [STACK trace]
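The "Keep in mind" and "About filtering" slides together describe a crash bucketing key; this added example (not the talk's or Vanapagan's filtering code) builds that key from constructed crash records, normalising every address to module+RVA so the same bug under two ASLR bases lands in one bucket. The NEAR_NULL threshold, the three-frame stack depth and the NULL classification over both the faulting address and EIP are assumptions for the example; the NTSTATUS codes are the standard Windows ones.

```python
# Added example (not the talk's or Vanapagan's filtering code): bucket crash
# reports by the slide's criteria, normalising addresses to module+RVA so the
# same bug under different ASLR bases lands in one bucket.
NEAR_NULL = 0x10000   # addresses below this count as "near NULL" (assumption)
TOP_FRAMES = 3        # how many stack frames go into the signature (assumption)

# NTSTATUS codes of the exceptions the debugger reports.
EXCEPTION_NAMES = {
    0xC0000005: "ACCESS_VIOLATION",
    0xC00000FD: "STACK_OVERFLOW",
    0xC0000409: "STACK_BUFFER_OVERRUN",
    0x80000003: "BREAKPOINT",
}


def symbolize(addr, modules):
    """ASLR calculation: absolute address -> 'module+rva', or 'unknown'."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return f"{name}+{addr - base:#x}"
    return "unknown"


def null_class(access_addr, eip):
    """Near NULL / not near NULL / both, over the faulting address and EIP."""
    near = (access_addr < NEAR_NULL, eip < NEAR_NULL)
    return "both" if all(near) else "near-null" if any(near) else "not-near-null"


def bucket_key(crash):
    """Signature: exception type, NULL class, crash location, top stack frames."""
    mods = crash["modules"]
    return (EXCEPTION_NAMES.get(crash["code"], f"{crash['code']:#010x}"),
            null_class(crash["access"], crash["eip"]),
            symbolize(crash["eip"], mods),
            tuple(symbolize(a, mods) for a in crash["stack"][:TOP_FRAMES]))


def bucket(crashes):
    """Group crash records by signature; returns {key: [crash ids]}."""
    groups = {}
    for c in crashes:
        groups.setdefault(bucket_key(c), []).append(c["id"])
    return groups


def sample_crashes():
    """Constructed reports: one fault seen at two ASLR bases, a NULL
    dereference, a fault with EIP outside every module, and a stack overflow."""
    m1 = [("reader.exe", 0x00400000, 0x100000), ("parser.dll", 0x10000000, 0x80000)]
    m2 = [("reader.exe", 0x00400000, 0x100000), ("parser.dll", 0x6B000000, 0x80000)]
    return [
        {"id": "c1", "code": 0xC0000005, "access": 0x41414141, "eip": 0x10012345,
         "stack": [0x10012345, 0x10020010, 0x00401000], "modules": m1},
        {"id": "c2", "code": 0xC0000005, "access": 0x42424242, "eip": 0x6B012345,
         "stack": [0x6B012345, 0x6B020010, 0x00401000], "modules": m2},
        {"id": "c3", "code": 0xC0000005, "access": 0x0000000C, "eip": 0x10012345,
         "stack": [0x10012345, 0x10020010, 0x00401000], "modules": m1},
        {"id": "c4", "code": 0xC0000005, "access": 0x002A0000, "eip": 0x002A0000,
         "stack": [0x002A0000, 0x10030000, 0x00401000], "modules": m1},
        {"id": "c5", "code": 0xC00000FD, "access": 0x0012F000, "eip": 0x10045678,
         "stack": [0x10045678, 0x10045678, 0x10045678], "modules": m1},
    ]
```

`bucket(sample_crashes())` yields four buckets: c1 and c2 share one because their exception, NULL class, module-relative location and frames agree despite different bases and different faulting values.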
Analysis of results
● First info
– Code in crash location
– Stack trace
– Register values
● If promising then additional analysis
What can you do with results
● Inform vendor
● ZDI for money
● Full disclosure for ~fame and hate
● Writing exploits for more money (ZERODIUM)
● Writing exploits for own usage
About my tools
● Fuzzer „Vanapagan” (Windows, Linux, Android over ADB)
– https://github.com/JaanusFuzzing/Vanapagan
● Code coverage tool „KavalAnts” (Windows only)
– https://github.com/JaanusFuzzing/KavalAnts
● NB1: Both have no real documentation yet and both are developed as my own needs dictate :(
● NB2: KavalAnts needs IDA Pro for initial analysis – not for coverage execution.
About my tools
● If you use them and find something
– Let me know (it's cool to know)
– If you sell some, then donate 10%
● Fuzzing needs luck
● Donation increases karma
● Karma increases luck (at least it should)
Q&A