fuzzer/stress.py

I wrote a fuzzer specific to hachoir-metadata: fuzzer.

Algorithm:

1. Load first n kilobytes of a valid byte
2. Replace some bytes (1..250) with random value
3. Try to extract metadata on this buggy file

To detect an error, stress.py is connected to Hachoir logs. It only watchs error messages and filter them.

Features:

• Set memory limit to avoid crash of the fuzzer
• Read extraction time to catch "timeout" error
• Use directly hachoir-metadata library

First version of the program was a shell script written by Krunch using mangle.c written by Ilja van Sprundel.

hachoir-fuzzer

The idea

Writting a fuzzer needs a good knowledge about file format and structure. Hachoir have this knowledge, so it can be used to write powerful fuzzer.

What is fuzzing? Ask Wikipedia ;-)

Length fuzzer

Most developers don't check field length, eg. GDI+ JPEG secure hole for comment with nul size. So test:

• content bigger than announced length
• content smaller than announced length
• nul length
• very big length

Contraints

Types of constraints:

• List of valid values: valid=[5, 4, 20] for Int8
• List of invalid values: invalid=[0, 15] for Bits(4)
• Simple condition: (value % 4) == 0
• Complex condition: ((value | 6) + (value % 4)) & 7 == 1

Now, another problem: how to produce invalid value? Simple algorithm: generate a random value and test if it valid.

• valid=[5, 4, 20] for Int8 ==> invalid=[0, 1, 2, 3, 6, 7, 8, ..., 19, 21, 22, ..., 255]
• (value % 4) == 0 ==> maybe randint(0, max) * 4 + randint(0, 3) with max=max(type)/4

Operations

• delete a field
• insert a field
• move a field

Known attacks

• String: Format string attack
• Integer: negative number, zero, one, 0xFFFF and other "special" values
• Bytes: Random content

Type of attack

Attack class:

• Attack on one parameter
• Attack on file structure (field position and value)
• Attack on linked parameters (one parameter which depends on another one)
• Attack on length fields

Program functions

fuzzing module will also need:

• loggin features: to keep historic of attacks

hachoir-valid

This program will check that a file is valid against the format standart.

Problems:

• Learn format using many files or use static rules (XML schema)?
• May be very slow (depends on quantity of field that are checked)

Recent attacks

• April 2008
  • PNG: in KHTML
  • EMF and WMF: MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution
• July 2007
  • TGA: Microsoft DirectX RLE Compressed Targa Image Processing Buffer Overflow
  • XLS: Microsoft Excel Multiple Code Execution Vulnerabilities
• May 2007
  • JPEG: JPEG with ICC and BMP in JVM (Java)
  • PNG: CVE-2007-2445: Libpng Library Remote Denial of Service Vulnerability
  • PNG: Libpng "png_handle_tRNS()" tRNS Chunk Processing DoS
• March 2007:
  • ANI: ANI (icon) in Windows
• February 2007:
  • GIF in Java JRE
• January 2007:
  • JPEG: A JPEG image with a malformed header can crash Opera
  • WMF: OpenOffice ReadEnhWMF() and ReadRecordParams() Buffer Overflow
    • Allocation of a buffer smaller than requested because of integer overflow
  • PDF: MOAB-06-01-2007: Multiple Vendor PDF Document Catalog Handling Vulnerability
• Nov 2006:
  • CVE-2006-5793: LibPNG Graphics Library PNG_SET_SPLT Remote Denial of Service Vulnerability
• Jully 2006:
  • PNG: CVE-2006-0033: Unspecified vulnerability in Microsoft Office and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG (see also MS06-039)
  • GIF: CVE-2006-007: Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF (see also MS06-039)
• February 2006, BMP: Windows Media Player Bitmap File Processing Vulnerability (see also MS06-005
• January 2006, WMF: MS06-001 -- Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
• February 2005, PNG: Microsoft Security Bulletin MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)
• 2004
  • PNG: libpng Integer Overflow and Buffer Overflow Vulnerabilities
  • PNG: libpng Multiple Vulnerabilities
  • BMP: ImageMagick BMP Image Decoding Buffer Overflow Vulnerability
  • ANI: CAN-2004-1049
  • ANI: CAN-2004-1305
  • JPEG: MS04-028 -- Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
• July 2003, MIDI: CERT® Advisory CA-2003-18: Integer Overflows in Microsoft Windows DirectX MIDI Library

Other:

• libTIFF Vulnerability Report
• Vulnerability in madwifi (Linux) driver (was already known and fixed by madwifi team 4 month ago)

See also

• zzuf: multi-purpose fuzzer
• Fuzzing Tools list on secwiki
• Fuzzing on owasp.org