Thursday, October 30, 2008

Fuzzing 101 - Introduction to Fuzzing

I've spent most of today running Security Brigade's Proprietary Fuzzing Application under a variety of situations and conditions to find some very interesting vulnerabilities in a wide range of products.

Some of the products I've run it against so far are: Rediff's Toolbar for Internet Explorer, Microsoft Outlook 2007 and Mozilla Thunderbird, all of which have some very interesting vulnerabilities ranging from denial-of-service to buffer overflows.

I will not be going into detail about these vulnerabilities in this post, as I will wait for vendor responses and patch releases before I do so. However, I do want to talk about fuzzing in general.

What is a Fuzzer?
A security fuzzer is a tool used by security professionals to test the parameters of an application by feeding it malformed, unexpected or boundary-value input and watching how it fails. Typical fuzzers test an application for buffer overflows, format string vulnerabilities, and error handling. More advanced fuzzers incorporate functionality to test for directory traversal attacks, command execution vulnerabilities, SQL Injection and Cross-Site Scripting vulnerabilities.
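As an added illustration (not code from the original post, nor from Security Brigade's tool), here is a minimal mutation-based fuzzer in Python of the kind the paragraph describes: it mutates a seed input with bit flips, boundary bytes, long runs and format-string probes, feeds each case to a target, and records unhandled faults separately from clean error handling. The target parser, its length-trust defect and the seed record are constructed for this example.

```python
import random
import struct

# Constructed toy target (not a real product): 1-byte tag, 2-byte big-endian
# length, payload. It trusts the declared length, a defect a fuzzer should surface.
def parse_record(data: bytes) -> dict:
    if len(data) < 3:
        raise ValueError("too short")          # clean rejection, not a fault
    tag = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    checksum = 0
    for i in range(length):                    # IndexError when length > len(payload)
        checksum ^= payload[i]
    return {"tag": tag, "length": length, "checksum": checksum}

# Boundary bytes and classic probe strings a parameter fuzzer injects.
INTERESTING = [b"\x00", b"\xff", b"\x7f", b"\x80", b"A" * 1024, b"%s%x%n" * 8]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a seed input."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:                       # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:                     # overwrite with an interesting token
        i = rng.randrange(len(data))
        token = rng.choice(INTERESTING)
        data[i:i + len(token)] = token
    elif op == 2:                              # insert a long run (overflow probe)
        i = rng.randrange(len(data) + 1)
        data[i:i] = b"A" * rng.choice([64, 256, 4096])
    else:                                      # truncate (error-handling probe)
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)

def fuzz(target, seeds, iterations=500, seed=1):
    """Run mutated seeds through target; collect (exception name, input) per fault."""
    rng = random.Random(seed)                  # fixed seed keeps findings reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue                           # handled error path
        except Exception as exc:               # anything else is an unhandled fault
            crashes.append((type(exc).__name__, case))
    return crashes

SEEDS = [b"\x01\x00\x04abcd"]                  # constructed valid record to mutate
```

Running `fuzz(parse_record, SEEDS)` returns the inputs that escaped the parser's own error handling; because the random seed is fixed, every finding can be replayed against a patched build.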

Common Fuzzing Tools
There are many publicly available and open-source fuzzing applications that are designed for various purposes. Some of these are:

antiparser - Written in Python; a simple and limited fuzzing framework.
Autodafe - Can be perceived as a more powerful version of SPIKE. Its main contribution is the introduction of a UNIX-based debugging agent capable of weighting the possibility of a crash on any given fuzz input.
AxMan - A web-based ActiveX fuzzing engine written by HD Moore.
bugger - A Linux in-process fuzzer written by Michal Zalewski.
COMRaider - A Windows GUI fuzzer written by David Zimmer, designed to fuzz COM object interfaces.
Dfuz - Written in C; exposes a custom and easy-to-use scripting language for fuzzer development.
DOM-Hanoi - Written by H D Moore and Aviv Raff, it is designed to identify common DHTML implementation flaws by adding/removing DOM elements.
eFuzz - A generic TCP/IP protocol fuzzer. Easy to use, but maybe not as full-featured as some others on this list.
Evolutionary Fuzzing System (EFS) - A fuzzer which attempts to dynamically learn a protocol using code coverage and other feedback mechanisms.
FileH - A Haskell-based file fuzzer that generates mutated files from a list of source files and feeds them to an external program in batches.
FileFuzz - A file format fuzzer for PE (Windows) binaries from iDefense.
FileP - A Python-based file fuzzer that generates mutated files from a list of source files and feeds them to an external program in batches.
Fuzzled - A Perl-based generic fuzzing framework.
Fuzz - The ORIGINAL fuzzer, developed by Dr. Barton Miller.
General Purpose Fuzzer (GPF) - Written in C, GPF has a number of modes ranging from simple pure random fuzzing to more complex protocol tokenization.
hamachi - Written by H D Moore and Aviv Raff, Hamachi looks for common DHTML implementation flaws by specifying common "bad" values for method arguments and property values.
(L)ibrary (E)xploit API - lxapi - A collection of Python scripts for fuzzing.
mangleme - An automated broken-HTML generator and browser tester, originally used to find dozens of security and reliability problems in all major web browsers.
notSPIKEfile - An ELF fuzzer closely related to FileFuzz, rather than using SPIKE as a starting point.
Peach - Written in Python; an advanced and robust fuzzing framework which successfully separates and abstracts relevant concepts. The learning curve is a bit overwhelming.
Protocol Informatics - Slides, whitepaper and code from the last publicly seen snapshot of Marshall Beddoe's work.
PROTOS WAP - A fuzzer from the PROTOS project for fuzzing WAP.
PROTOS HTTP-reply - Another fuzzer from the PROTOS project, for attacking HTTP responses; useful for browser vulnerabilities.
PROTOS LDAP - For fuzzing LDAP; not as successful as the others from the PROTOS project.
PROTOS SNMP - Classic SNMP fuzzer; found a vulnerability in almost every piece of networking gear available at the time (2002).
PROTOS SIP - For fuzzing all those new VoIP SIP devices you see everywhere.
PROTOS ISAKMP - For attacking IPsec implementations.
RIOT & faultmon - For attacking plain-text protocols (Telnet, HTTP, SMTP). Used by Riley Hassell when he worked at eEye to discover the IIS .printer overflow, and included in The Shellcoder's Handbook.
QueFuzz - Small fuzzer that uses libnetfilter_queue to take in packets from iptables. Its fuzzing engine either randomly fuzzes binary or ASCII protocols or uses a basic fuzzing template to search and replace packet data.
Schemer - XML-driven generic file and protocol fuzzer.
Screaming Cobra - The name makes the fuzzer sound better than it really is, but it is good for finding CGI bugs. Also, it's a Perl script, so it is easy to modify or extend.
SMUDGE - Pure Python network protocol fuzzer from nd@felinemenace.
SPIKE - Written in C; exposes a custom API for fuzzer development.
SPIKEfile - Another file format fuzzer, for attacking ELF (Linux) binaries, from iDefense.
Tag Brute Forcer - Awesome fuzzer from Drew Copley at eEye for attacking all of those custom ActiveX applications.
TAOF (The Art of Fuzzing) - Written in Python; a cross-platform, GUI-driven network protocol fuzzing environment for both UNIX and Windows systems.
WebFuzzer - A fuzzer for web application vulnerabilities.

My personal favourite fuzzing utilities are SPIKE, AxMan and Peach.