Fuzzing Your Favorite Interpreter (slide transcript)
Source: research.aurainfosec.io/assets/ChCon_HitchHiker_Guide_Fuzzing...
Fuzzing Your Favorite Interpreter
Emmanuel Law
AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL
Background
• Principal Security Consultant @ Aura InfoSec
• Pentesting for a living
• @libnex
• Found some PHP bugs…
Bugs and bug bounty
Fuzzing Interpreters
Build From Scratch | Off-The-Shelf
Writing a Custom Fuzzer from Scratch
Pros
• Custom strategies
• Find unique bugs
Cons
• Time + effort
• Portability to other languages
Off The Shelf
Pros
• Speed
• Power of the open source community
Cons
• Less customization
• Competition.... lots of them
Fuzzing Interpreters
Build From Scratch VS Off-The-Shelf
Attack Plan → Fuzzing → Triage → RCA (Root Cause Analysis)
Battle Plan
What are we fuzzing?
• Attack surface area (diagram): Parser, Runtime, Unserialize, File Parsers, Zend Engine
Battle Plan: Attacking File Parsers
• Examples: Zip, images, Phar, PYZ
• Take the road less travelled
• Patch out checksum verification: otherwise almost every mutated file is rejected at the "Validate Checksum" step and never reaches the parsing code you actually want to fuzz
Diagram: ZIP Processor → Validate Checksum → Process ZIP
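An added example (not from the slides) of the alternative to patching the check out of the target: re-sealing the checksums in the fuzzer instead, so each mutant passes the ZIP processor's "Validate Checksum" step and reaches "Process ZIP". It builds a constructed STORED archive in memory, mutates only the member payloads, recomputes the CRC-32 in both the local file headers and the central directory, and uses Python's zipfile module as a stand-in for the checksum-verifying target. All function names are this example's own.

```python
"""Re-seal ZIP CRC-32s after mutation so a fuzz case is not rejected by the
target's checksum check before the interesting parsing code ever runs.
Added example; complements patching the check out of the interpreter."""
import io
import random
import struct
import zipfile
import zlib

LFH = struct.Struct("<IHHHHHIIIHH")         # local file header (30 bytes)
CDH = struct.Struct("<IHHHHHHIIIHHHHHII")   # central directory header (46 bytes)
EOCD = struct.Struct("<IHHHHIIH")           # end of central directory (22 bytes)
LFH_SIG, CDH_SIG = 0x04034B50, 0x02014B50


def build_seed_zip(entries):
    """Constructed seed input: a STORED (uncompressed) archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def local_entries(data):
    """Yield (header_off, payload_off, compressed_size, method) per local file
    header, walking forward from offset 0. Assumes no data descriptors, which
    holds for archives zipfile writes to a seekable buffer."""
    off = 0
    while off + LFH.size <= len(data):
        sig, _v, _f, method, _t, _d, _crc, csize, _usize, nlen, elen = LFH.unpack_from(data, off)
        if sig != LFH_SIG:
            break
        payload = off + LFH.size + nlen + elen
        yield off, payload, csize, method
        off = payload + csize


def central_entries(data):
    """Yield (cdh_off, local_header_off) for every central directory record."""
    eocd_off = data.rfind(b"PK\x05\x06")
    if eocd_off < 0:
        return
    _s, _d, _cd, _n, n_total, _size, cd_off, _clen = EOCD.unpack_from(data, eocd_off)
    off = cd_off
    for _ in range(n_total):
        fields = CDH.unpack_from(data, off)
        if fields[0] != CDH_SIG:
            break
        nlen, elen, clen, lfh_off = fields[10], fields[11], fields[12], fields[16]
        yield off, lfh_off
        off += CDH.size + nlen + elen + clen


def mutate_payloads(data, seed_value=1, flips=4):
    """Flip a few bytes inside member payloads only, leaving headers intact."""
    rng = random.Random(seed_value)
    out = bytearray(data)
    ranges = [(p, p + c) for _h, p, c, _m in local_entries(data) if c > 0]
    for _ in range(flips):
        start, end = rng.choice(ranges)
        out[start + rng.randrange(end - start)] ^= rng.randrange(1, 256)  # non-zero xor: byte always changes
    return bytes(out)


def fix_crcs(data):
    """Recompute CRC-32 over each STORED payload and write it into both the
    local header (crc at offset 14) and the matching central directory record
    (crc at offset 16); zipfile, like libzip, verifies the central directory copy."""
    out = bytearray(data)
    crc_by_lfh = {}
    for hdr, payload, csize, method in local_entries(data):
        if method != 0:        # DEFLATEd members would need a decompress pass first
            continue
        crc = zlib.crc32(data[payload:payload + csize]) & 0xFFFFFFFF
        struct.pack_into("<I", out, hdr + 14, crc)
        crc_by_lfh[hdr] = crc
    for cdh, lfh_off in central_entries(data):
        if lfh_off in crc_by_lfh:
            struct.pack_into("<I", out, cdh + 16, crc_by_lfh[lfh_off])
    return bytes(out)


def first_bad_member(data):
    """Name of the first member failing the CRC check (what a checksum-verifying
    target rejects up front), or None if every member passes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip()
    except zipfile.BadZipFile:
        return "<unparseable>"


if __name__ == "__main__":
    seed = build_seed_zip([("a.txt", b"hello " * 8), ("b.txt", b"world " * 8)])
    raw = mutate_payloads(seed)
    print("mutated only  :", first_bad_member(raw))            # a member name: rejected
    print("CRCs re-sealed:", first_bad_member(fix_crcs(raw)))  # None: reaches the parser
```

Hooking fix_crcs in as a post-mutation step keeps the checksum logic in the target untouched, which matters when you later want to confirm that a crash reproduces against an unpatched build.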
Battle Plan: Fuzzing Corpus
Diagram: corpus entry 12345678 → Mutator / Fuzzer → 31625551
Battle Plan: Fuzzing Corpus
• More unique inputs => better chance of finding a crash
• Exercise as many code paths as possible
• Harness regression test cases:
  • Test edge cases
  • Don't forget test cases from sister projects
Fuzzing
Choosing a Fuzzer
Choosing a Fuzzer
• 101 fuzzers out there
• Things to consider:
  • Speed
  • Popularity
  • Ease of use
  • Constraints: source code available?
  • Buzzwords: evolutionary fuzzing, in-memory fuzzing
Fuzzing: American Fuzzy Lop (AFL)
• Gold standard
• EVERYONE is using this :(
• Feedback driven
Feedback Driven / Evolutionary / Genetic Fuzzing
Diagram: mutants of the seed 12345678ABCD; the mutant 1X345678ABCD is in turn used as the parent of further mutants:
12345678ABCD
  1X345678ABCD
    1X345678AZCD
    1X345670ABCD
    1X3456780BCD
    1X345678AB#D
  12345618ABCD
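The diagram above (and the corpus/mutator slide earlier) in working code, as an added example that is not part of the talk: a toy feedback-driven fuzzer. Coverage is the set of (previous line, current line) edges gathered with sys.settrace, standing in for AFL's compile-time instrumentation; mutants that reach a new edge are kept as new parents, and the parent that reached deepest is favoured. The target is a constructed four-byte magic check ending in a simulated crash, and the guided=False switch shows that the same mutator without feedback never gets through. Every name here is this example's own.

```python
"""Toy feedback-driven (evolutionary) fuzzer: only mutants that reach a new
edge are kept as parents, so progress through a chain of checks accumulates
in the corpus instead of being lost. Added example, not the talk's code."""
import random
import sys


def target(data):
    """Constructed target: four byte checks guarding a simulated crash."""
    if len(data) < 4:
        return "short"
    if data[0] != 0x50:                   # 'P'
        return "no-magic"
    if data[1] != 0x4B:                   # 'K'
        return "no-magic"
    if data[2] != 0x03:
        return "bad-version"
    if data[3] != 0x04:
        return "bad-version"
    raise RuntimeError("simulated memory corruption in the parser")


def run_with_coverage(fn, data):
    """Run fn(data) under sys.settrace and collect (prev_line, line) edges of fn,
    the same signal AFL derives from its compile-time instrumentation.
    Returns (edges, crashed)."""
    edges, prev = set(), [0]

    def tracer(frame, event, arg):
        if frame.f_code is not fn.__code__:
            return None                   # instrument the target only
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    old = sys.gettrace()
    sys.settrace(tracer)
    try:
        fn(data)
        crashed = False
    except RuntimeError:                  # stand-in for SIGSEGV / an ASan report
        crashed = True
    finally:
        sys.settrace(old)
    return edges, crashed


def mutate(data, rng):
    """Havoc-style stacked mutations: bit flip, random byte, insert, delete."""
    out = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and out:
            out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
        elif op == 1 and out:
            out[rng.randrange(len(out))] = rng.randrange(256)
        elif op == 2 and len(out) < 64:
            out.insert(rng.randrange(len(out) + 1), rng.randrange(256))
        elif op == 3 and len(out) > 1:
            del out[rng.randrange(len(out))]
    return bytes(out)


def fuzz(fn, seeds, budget=100_000, guided=True, seed_value=7):
    """Return (crashing_input, iterations_used, corpus); crashing_input is None
    if the budget runs out. guided=False discards coverage feedback, i.e. plain
    random mutation of the seeds, for comparison."""
    rng = random.Random(seed_value)
    corpus, seen = [], set()              # corpus entries: (input, edges its run touched)
    for s in seeds:
        edges, _ = run_with_coverage(fn, s)
        seen |= edges
        corpus.append((s, len(edges)))
    for i in range(1, budget + 1):
        if guided and rng.random() < 0.5:
            parent = max(corpus, key=lambda e: e[1])[0]   # favour the deepest-reaching input
        else:
            parent = rng.choice(corpus)[0]
        child = mutate(parent, rng)
        edges, crashed = run_with_coverage(fn, child)
        if crashed:
            return child, i, [c for c, _ in corpus]
        if guided and not edges <= seen:  # new edge: keep the mutant as a parent
            seen |= edges
            corpus.append((child, len(edges)))
    return None, budget, [c for c, _ in corpus]


if __name__ == "__main__":
    crash, used, corpus = fuzz(target, [b"AAAA"])
    print("guided  :", crash, "after", used, "runs; corpus grew to", len(corpus))
    print("unguided:", fuzz(target, [b"AAAA"], budget=20_000, guided=False)[0])
```

The unguided run cannot succeed at all here: a single mutation changes at most three bytes and the crash needs four, so without keeping the intermediate "one byte right" mutants as parents the chain of checks is never walked. That is the whole point of the feedback loop.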
Radamsa
• General purpose fuzzer
• Language/data agnostic
• Semi-smart
• Extremely easy to use
Other Fuzzers
• honggfuzz
• Choronzon
• zzuf
• So many many more..
Different fuzzers will find different bugs
Fuzzing: Getting Better Mileage
• AddressSanitizer (aka ASan):
  • Compile it into your interpreter (build with clang and -fsanitize=address)
  • Memory error detector: catches out-of-bounds reads and writes, use-after-free and similar bugs at the faulting instruction, instead of letting them corrupt memory silently and crash somewhere else later
  • Modest overhead (roughly 2x slowdown, far cheaper than Valgrind)
So you have found some crashes…
Triage
• Purpose:
  • Grouping of similar crashes
  • Prioritize your crashes
Triage
• Comes free with AddressSanitizer: each report gives the error type (e.g. heap-buffer-overflow), the faulting READ or WRITE, a symbolized stack trace and a visual memory map (the shadow bytes around the bad address, which show where the accessed buffer starts and ends)
  • Stack trace
  • Visual mem-map
Triage: Exploitability
• !exploitable (the crash-classifying debugger extension: Microsoft's for WinDbg, with a GDB port from CERT) gives a first, rough exploitability rating to sort crashes by
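An added example (not from the slides) of the two triage steps above, grouping and prioritization, over AddressSanitizer output: it parses the error kind, access type and stack trace out of each report, buckets reports that share the same top frames (so two crashes at different heap addresses or PIDs collapse into one bug), and orders the buckets with a simple !exploitable-style heuristic. The reports are constructed to look like ASan output; their file and function names are hypothetical.

```python
"""Bucket and rank AddressSanitizer crash reports: group by error kind, access
type and the top frames of the stack trace, then order the buckets by a
heuristic priority so the most promising crash is looked at first."""
import re
from collections import defaultdict

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
NOISE_PREFIXES = ("__asan", "__interceptor_", "__sanitizer")   # runtime frames, not the bug

# heuristic ordering in the spirit of !exploitable; tune to taste
BASE_PRIORITY = {"heap-use-after-free": 80, "stack-buffer-overflow": 70,
                 "heap-buffer-overflow": 60, "global-buffer-overflow": 60,
                 "stack-use-after-return": 50, "SEGV": 20}   # SEGV is often a plain NULL deref


def parse_report(text):
    """Pull the error kind, access type/size and the cleaned stack out of one report."""
    kind = ERROR_RE.search(text)
    access = ACCESS_RE.search(text)
    frames = [(fn, loc) for _n, fn, loc in FRAME_RE.findall(text)
              if not fn.startswith(NOISE_PREFIXES)]
    return {"kind": kind.group(1) if kind else "unknown",
            "access": access.group(1) if access else None,
            "size": int(access.group(2)) if access else 0,
            "frames": frames}


def bucket_key(report, depth=3):
    """Same kind, access and top frames => one bug, whatever the PID or address."""
    return (report["kind"], report["access"]) + tuple(fn for fn, _ in report["frames"][:depth])


def priority(report):
    score = BASE_PRIORITY.get(report["kind"], 30)
    if report["access"] == "WRITE":
        score += 25            # a controlled write beats an out-of-bounds read
    return score


def triage(reports):
    """Return [(bucket_key, [parsed reports])], best bucket first; ties broken by frequency."""
    buckets = defaultdict(list)
    for report in map(parse_report, reports):
        buckets[bucket_key(report)].append(report)
    return sorted(buckets.items(), key=lambda kv: (-priority(kv[1][0]), -len(kv[1])))


SAMPLE_REPORTS = [  # constructed, not real PHP output; file and function names are hypothetical
    """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x401234 bp 0x7ffd sp 0x7ffd
READ of size 4 at 0x602000000018 thread T0
    #0 0x401234 in read_entry parser.c:812:9
    #1 0x401567 in parse_archive parser.c:230:5
    #2 0x4019ab in main harness.c:40:3
""",
    """==4711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000005c at pc 0x401234 bp 0x7ffd sp 0x7ffd
READ of size 4 at 0x60200000005c thread T0
    #0 0x401234 in read_entry parser.c:812:9
    #1 0x401598 in parse_archive parser.c:245:5
    #2 0x4019ab in main harness.c:40:3
""",
    """==4808==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000100 at pc 0x401100 bp 0x7ffd sp 0x7ffd
WRITE of size 1 at 0x603000000100 thread T0
    #0 0x401100 in copy_name parser.c:101:13
    #1 0x401260 in read_entry parser.c:820:5
    #2 0x401567 in parse_archive parser.c:230:5
""",
    """==5150==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x49a0b2 bp 0x7ffd sp 0x7ffd
READ of size 8 at 0x604000000010 thread T0
    #0 0x49a0b2 in __interceptor_memcpy.part.0 asan_interceptors_memintrinsics.cpp:22:3
    #1 0x401700 in use_entry parser.c:300:7
    #2 0x401567 in parse_archive parser.c:230:5
    #3 0x4019ab in main harness.c:40:3
""",
    """==9001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x401999 bp 0x7ffd sp 0x7ffd T0)
==9001==The signal is caused by a READ memory access.
==9001==Hint: address points to the zero page.
    #0 0x401999 in deref_entry parser.c:412:3
    #1 0x401567 in parse_archive parser.c:230:5
    #2 0x4019ab in main harness.c:40:3
""",
]

if __name__ == "__main__":
    for key, reps in triage(SAMPLE_REPORTS):
        print(f"{priority(reps[0]):3d}  x{len(reps)}  {key[0]} {key[1] or ''} @ {' <- '.join(key[2:])}")
```

Bucketing on function names rather than file:line keeps two crashes in the same function from splitting into separate buckets just because the source moved between builds; deepen `depth` when one hot function is reached from many distinct call sites and you need them told apart.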
Triage: Test case minimization
• fuzzdiff, afl-tmin, etc.
• Find the minimal set of changes that still causes the crash
Original file:  12345678ABCD
Mutated file:   1X3XXX78AXCX
Minimization
Minimized file: 12345X78ABCX (only the two changes that matter are kept)
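The minimization shown above, as an added example that is not part of the talk: a delta-debugging (ddmin) minimizer over the positions where the mutant differs from the seed, the same idea afl-tmin applies at byte level. The crash oracle is a constructed stand-in that "crashes" only when both changes at positions 5 and 11 are present; in practice it would run the ASan build on the candidate and check the exit status. Names are this example's own.

```python
"""Delta-debugging minimizer: starting from a crashing mutant, find the
smallest set of mutated positions that still triggers the crash."""


def diff_positions(original, mutated):
    """Indices where the mutant differs from the seed (same-length inputs)."""
    if len(original) != len(mutated):
        raise ValueError("this minimizer assumes length-preserving mutations")
    return [i for i, (a, b) in enumerate(zip(original, mutated)) if a != b]


def apply_subset(original, mutated, keep):
    """Rebuild an input that takes the mutant's byte only at positions in keep."""
    keep = set(keep)
    return bytes(mutated[i] if i in keep else original[i] for i in range(len(original)))


def ddmin(items, still_fails):
    """Zeller's ddmin over a list of deltas: repeatedly drop chunks, refining
    the granularity as needed, as long as the remaining deltas still reproduce."""
    n = 2
    while len(items) >= 2:
        chunk = max(1, len(items) // n)
        reduced = False
        for start in range(0, len(items), chunk):
            complement = items[:start] + items[start + chunk:]
            if still_fails(complement):
                items, n, reduced = complement, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(items):
                break
            n = min(n * 2, len(items))
    return items


def minimize(original, mutated, crashes):
    """Return (minimized_input, kept_positions); crashes(bytes) -> bool is the
    oracle, normally 'run the ASan build on it and check the exit status'."""
    if not crashes(mutated):
        raise ValueError("the mutant does not reproduce the crash")
    deltas = diff_positions(original, mutated)
    kept = ddmin(deltas, lambda subset: crashes(apply_subset(original, mutated, subset)))
    return apply_subset(original, mutated, kept), kept


def toy_crashes(data):
    """Constructed oracle standing in for the real target: crashes only when both
    byte 5 and byte 11 have been changed to 'X'."""
    return data[5:6] == b"X" and data[11:12] == b"X"


if __name__ == "__main__":
    minimized, kept = minimize(b"12345678ABCD", b"1X3XXX78AXCX", toy_crashes)
    print(minimized.decode(), kept)   # 12345X78ABCX [5, 11]
```

ddmin is only 1-minimal (no single remaining delta can be dropped), which is what you want for root-cause work: each byte left in the minimized file is there because the crash needs it.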
Root Cause Analysis
Root Cause Analysis
• Trying to find the answers:
  • What is causing the crash?
  • Is it exploitable?
• Very tedious and time consuming
• Remember you are competing on speed..
Root Cause Analysis
• I spend a lot of time in GDB
• PEDA* is your friend
*Python Exploit Development Assistance (for GDB)
Screenshot: PEDA context view with its Registers, ASM (disassembly) and Stack panes
Root Cause Analysis
• Really? GDB?? pffft.. *scorn*
• Voltron: a hackable debugger UI that sits on top of GDB or LLDB and shows registers, disassembly, stack and memory in separate views
The Art of Reverse Debugging
Root Cause Analysis: Reverse Debugging
• Debugging tends to be very linear: you can only step forward, so once you have run past the point where memory was corrupted you have to restart and try again
Root Cause Analysis: Reverse Debugging
• The record command in GDB (record full) logs every executed instruction and every register and memory change from that point on
• Provides:
  • reverse-step
  • reverse-next
  • reverse-continue (e.g. set a watchpoint on the corrupted value at the crash, then reverse-continue to land on the instruction that last wrote it)
• Revert to a deterministic memory state
Let's Make Fuzzing Great Again
@libnex