Published by Isabel Montgomery. Modified over 10 years ago.
1
Contains VeriSign Confidential and Proprietary Information
Fuzzing: Brute Force Vulnerability Discovery
Michael Sutton, Director, iDefense Labs
msutton@idefense.com
2
Agenda
+ Background
  ▪ What is fuzzing and who should do it?
+ Phases
  ▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
  ▪ What can be fuzzed?
+ Automation
  ▪ Making the theoretical practical
+ Tools/Demos
  ▪ FileFuzz
  ▪ WebFuzz
  ▪ COMRaider
+ Advanced topics
+ The future of fuzzing
3
Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box testing. A software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data.”
  ▪ Webopedia
+ Source code review
  ▪ Static analysis
  ▪ Pros
    – Coverage
  ▪ Cons
    – Dependencies
    – Are we testing reality? Compiler issues, implementation scenarios
4
Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the internal workings of the item being tested are not known by the tester.”
  ▪ Webopedia
+ Reverse engineering
  ▪ Static analysis
  ▪ Pros
    – Complex vulnerabilities uncovered
  ▪ Cons
    – Time consuming
    – Deep knowledge required
+ Fuzzing
  ▪ Dynamic analysis
  ▪ Pros
    – Relatively simple
    – Realistic
  ▪ Cons
    – Coverage
    – Complex vulnerabilities missed
5
What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.”
  ▪ Wikipedia
+ “Unexpected input causes unexpected results.”
  ▪ Michael Sutton
6
Who should fuzz?
+ Security researchers
  ▪ Reactive
+ QA Teams
  ▪ Proactive
+ Developers
  ▪ Proactive
[Diagram: software lifecycle Design → Development → Quality Assurance → Production, with Developers, QA Teams and Researchers placed along it]
7
What can fuzzing do for you?
+ MS06-001 - Graphics Rendering Engine Vulnerability
  ▪ aka “Windows WMF Vulnerability”
  ▪ Appears to have been discovered through fuzzing
  ▪ Evidence
    – A Google search on strings in the initial exploit identified the probable source file: “JNK = c, Jun N, terminal, kitase kitase kinase”
    – At the time, Google didn’t recognize WMF file types and therefore treated them as text, allowing a search for strings within the binary
    – Diffing the original file and the exploit revealed evidence that fuzzing was used to discover the vulnerability
8
Phases
Identify target → Identify inputs → Generate fuzzed data → Execute fuzzed data → Monitor for exceptions → Determine exploitability
9
Fuzzer Classes
+ Command line arguments
+ Environment variables
  ▪ Sharefuzz (www.immunitysec.com)
+ Web applications
  ▪ WebFuzz (Demo)
+ File formats
  ▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
  ▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
  ▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)
10
Automation
+ Test cases
  ▪ Approach
    – Pre-generated test cases
  ▪ Tools
    – PROTOS Test Suites
  ▪ Pro
    – Consistency
  ▪ Con
    – Static
    – Time consuming
11
Automation
+ Brute force fuzzing
  ▪ Approach
    – Raw byte manipulation
  ▪ Tool(s)
    – FileFuzz
  ▪ Pro
    – Simple
  ▪ Con
    – Inefficient
    – Fails to account for dependent values (e.g. checksums)
12
Automation
+ ‘Intelligent’ fuzzing
  ▪ Approach
    – Templates developed based on protocol definitions
  ▪ Tools
    – SPIKE
    – SPIKEfile
  ▪ Pro
    – Efficient
  ▪ Con
    – Time consuming
13
FileFuzz
14
FileFuzz – Identify Target
+ Application vs. file type
  ▪ One file type, multiple targets
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Default file handlers
    – Windows Explorer
    – Windows Registry
  ▪ Commonly traded file types
    – Media files
    – Office documents
    – Configuration files
15
FileFuzz – Identify Inputs
+ Proprietary vs. open formats
  ▪ Vendor documents
  ▪ Wotsit.org
  ▪ Google
+ Binary files
  ▪ e.g. images, video, audio, office documents, etc.
  ▪ Headers vs. data
+ Text files
  ▪ e.g. *.ini, *.inf, *.xml
  ▪ Name/value pairs
16
FileFuzz – Generate Fuzzed Data
+ Binary files
  ▪ Breadth (All or Range)
    – Identify potential weaknesses
      FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
      D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
      D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
  ▪ Depth
    – Determine level of control/influence
      D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
      D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
      D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
+ Text files
  ▪ name = value
      file_size = 10
      file_size = AAAAA
      file_size = AAAAAAAAAA
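The breadth and depth mutations on this slide, as an added example (not FileFuzz's own code): breadth slides a 4-byte 0xFF fill across the file, depth holds one offset fixed and cycles its value, and the text mode grows a name=value field. The 16-byte sample is constructed to resemble the slide's bytes.

```python
from typing import Iterator, Optional, Tuple

# Constructed 16-byte sample resembling the bytes on the slide (not a real file).
SAMPLE = bytes.fromhex("D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03")

def breadth(data: bytes, fill: bytes = b"\xff" * 4, start: int = 0,
            end: Optional[int] = None) -> Iterator[Tuple[int, bytes]]:
    """Breadth mode: slide a fixed fill pattern across the file one byte at a
    time ("All" covers the whole file, "Range" covers start..end).  Yields
    (offset, mutated_file) so a crash can be tied back to the offset hit."""
    last = len(data) - len(fill) + 1          # last offset the fill still fits
    end = last if end is None else min(end, last)
    for off in range(start, end):
        yield off, data[:off] + fill + data[off + len(fill):]

def depth(data: bytes, offset: int,
          values=range(256)) -> Iterator[Tuple[int, bytes]]:
    """Depth mode: hold one offset fixed and try every candidate value there,
    to measure how much influence that single byte has over the parser."""
    for v in values:
        yield v, data[:offset] + bytes([v]) + data[offset + 1:]

def text_variants(name: str, lengths=(5, 10, 100, 1000),
                  ch: str = "A") -> Iterator[Tuple[int, str]]:
    """name = value expansion for text formats (*.ini, *.inf, *.xml):
    replace the value with ever-longer runs of a filler character."""
    for n in lengths:
        yield n, f"{name} = {ch * n}"

def hexdump(b: bytes) -> str:
    """Render one line the way the slide does: hex bytes, then ASCII with
    '.' standing in for anything non-printable."""
    ascii_part = "".join(chr(c) if 32 <= c < 127 else "." for c in b)
    return " ".join(f"{c:02X}" for c in b) + " ; " + ascii_part

if __name__ == "__main__":
    for off, m in breadth(SAMPLE, end=3):                   # first three breadth cases
        print(f"breadth off={off}: {hexdump(m)}")
    for v, m in depth(SAMPLE, 2, values=(0xFD, 0xFE, 0xFF)):  # depth at byte 2
        print(f"depth  val={v:02X}: {hexdump(m)}")
    for _, line in text_variants("file_size", lengths=(5, 10)):
        print(line)
```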
17
FileFuzz – Execute Fuzzed Data
+ Command line arguments
  ▪ Windows Explorer – Tools… Folder Options… File Types
18
FileFuzz – Monitor for Exceptions
+ Visual
  ▪ Error messages
  ▪ Blue screen
+ Event logs
  ▪ System logs
  ▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
19
FileFuzz – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ Library - libdasm
  ▪ Capture
    – Memory location
    – Register values
    – Exception type
+ Kill
  ▪ Set timeout

[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
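The execute / monitor / kill loop of slides 17 to 19, as an added example that is not FileFuzz's own code: each mutated file is written to disk, the target is launched on it under a timeout, and the outcome is classified from the return code (in place of the debugging API the slide uses). The target is a constructed Python stub so the example runs offline; the `.ast` naming and the return-code thresholds are assumptions.

```python
import os, subprocess, sys, tempfile
from typing import Dict, Iterable, List, Optional, Sequence

# Constructed stand-in "target" so the example runs offline: a Python
# one-liner that reads the first byte of the file named on its command line,
# hangs on 0x00, aborts on 0xFF and otherwise exits cleanly.  A real run
# launches the application under test instead, as on the slide.
STUB = ("import os, sys, time; b = open(sys.argv[1], 'rb').read(1); "
        "time.sleep(30) if b == b'\\x00' else "
        "(os.abort() if b == b'\\xff' else sys.exit(0))")

def classify(rc: Optional[int]) -> str:
    """Map a return code to an outcome; rc=None means the timeout fired."""
    if rc is None:
        return "timeout"
    if rc == 0:
        return "ok"
    if rc < 0 or rc & 0xC0000000 == 0xC0000000:
        return "crash"   # POSIX: killed by signal -rc; Windows: NTSTATUS error such as 0xC0000005
    return "error"       # non-zero exit without a fault

def run_case(argv: Sequence[str], timeout: float) -> Dict:
    """Execute one test case; subprocess.run kills it if the timeout expires."""
    try:
        rc: Optional[int] = subprocess.run(
            argv, capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        rc = None
    return {"argv": list(argv), "returncode": rc, "status": classify(rc)}

def fuzz_run(target: Sequence[str], cases: Iterable[bytes], workdir: str,
             timeout: float = 2.0) -> List[Dict]:
    """Write each mutated file, run the target on it, record the result."""
    results = []
    for i, blob in enumerate(cases):
        path = os.path.join(workdir, f"{i}.ast")
        with open(path, "wb") as fh:
            fh.write(blob)
        r = run_case(list(target) + [path], timeout)
        r["case"] = path
        results.append(r)
    return results

def demo() -> List[str]:
    """Three constructed cases against the stub: clean, hang, fault."""
    with tempfile.TemporaryDirectory() as d:
        res = fuzz_run([sys.executable, "-c", STUB],
                       [b"\x01abc", b"\x00abc", b"\xffabc"], d, timeout=1.0)
    return [r["status"] for r in res]
```

On Windows the stub's abort() surfaces as a plain non-zero exit rather than a signal, so that case classifies as "error" there.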
20
FileFuzz – Determine Exploitability
+ Skills
  ▪ Disassembly
  ▪ Debugging
+ Vulnerability types
  ▪ Stack overflows
  ▪ Heap overflows
  ▪ Integer handling
    – Overflows
    – Signedness
  ▪ DoS
    – Out of bounds reads
    – Infinite loops
    – NULL pointer dereferences
  ▪ Logic errors
    – Windows WMF vulnerability (MS06-001)
  ▪ Format strings
  ▪ Race conditions
21
FileFuzz – Demo (Breadth)
22
FileFuzz – Demo (Depth)
23
WebFuzz
24
WebFuzz – Identify Target
+ Server vs. Application
  ▪ Targeting applications can uncover server vulnerabilities
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Popular applications
    – Download site counters
    – Google queries (johnny.ihackstuff.com)
  ▪ External applications
    – Wikis
    – Web mail
    – Discussion boards
    – Blogs
25
WebFuzz – Identify Inputs
+ Potential input vectors
  ▪ Method
  ▪ Request-URI
  ▪ Protocol
  ▪ Headers
  ▪ Cookies
  ▪ Post data
+ Reconnaissance
  ▪ Web forms
  ▪ Authentication
  ▪ Hidden fields
  ▪ Client side scripting
+ Manual Tools
  ▪ Proxies
  ▪ LiveHTTPHeaders
+ Automated Tools
  ▪ Spiders
26
WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
  ▪ Start with legitimate web request
  ▪ Build template to mutate requests
+ Request format
    [Method] [Request-URI] HTTP/[Major Version].[Minor Version]
    [HTTP Headers]
    [Post Data]
+ Fuzz Template
    [Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
    Host: [Overflow]
    Proxy-Connection: Keep-Alive
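Expanding the fuzz template above into raw requests, as an added example (not WebFuzz's own code): every [Token] is mutated one at a time while the others keep the value from the legitimate request, so a response change can be attributed to a single field. The baseline values, the trimmed header set and the candidate lists are constructed here; SQL and XSS carry only a marker string for reflection checks.

```python
import re
from typing import Dict, Iterator, List, Tuple

# The fuzz template from the slide (constructed here with a shorter header set).
TEMPLATE = """[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/[Major Version].[Minor Version]
Accept: */*
Accept-Language: en-us
Pragma: no-cache
Host: [Overflow]
Proxy-Connection: Keep-Alive
"""

# Values that reproduce the legitimate request the template was built from.
BASELINE = {"Methods": "GET", "Traversal": "docs", "SQL": "1", "XSS": "hello",
            "Major Version": "1", "Minor Version": "1", "Overflow": "www.example.com"}

# Candidate values per fuzz class.  SQL and XSS get only a unique,
# metacharacter-free marker, enough for the monitor to see whether the
# input is echoed back; no injection payloads are included here.
FUZZ: Dict[str, List[str]] = {
    "Methods": ["GET", "POST", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE"],
    "Traversal": ["../" * n + "docs" for n in (1, 4, 16)],
    "Major Version": ["0", "2", "9"],
    "Minor Version": ["0", "9", "99"],
    "Overflow": ["A" * n for n in (256, 1024, 8192)],
    "SQL": ["fuzzmark-sql-0001"],
    "XSS": ["fuzzmark-xss-0001"],
}

TOKEN = re.compile(r"\[([A-Za-z][A-Za-z ]*)\]")   # matches [Token] / [Two Words]

def render(template: str, values: Dict[str, str]) -> str:
    """Substitute every [Token] in the template from the values mapping."""
    return TOKEN.sub(lambda m: values[m.group(1)], template)

def to_wire(text: str) -> bytes:
    """Normalize to CRLF line endings and terminate the header block."""
    lines = text.rstrip("\n").split("\n")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

def expand(template: str, baseline: Dict[str, str],
           fuzz: Dict[str, List[str]]) -> Iterator[Tuple[str, str, bytes]]:
    """Mutate one token at a time (all others stay at baseline) and yield
    (token, value, raw_request), walking the tokens in template order."""
    for token in dict.fromkeys(TOKEN.findall(template)):
        for value in fuzz.get(token, []):
            request = render(template, {**baseline, token: value})
            yield token, value, to_wire(request)
```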
27
WebFuzz – Execute Fuzzed Data
+ Fuzz classes
  ▪ Directory traversal
  ▪ Format strings
  ▪ Overflow
  ▪ SQL Injection
  ▪ XSS Injection
28
WebFuzz – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ HTML response
    – Error messages
  ▪ Raw response
    – User input
  ▪ Status codes
+ Kill
  ▪ Set timeout
29
WebFuzz – Determine Exploitability
+ Skills
  ▪ HTTP
  ▪ HTML
  ▪ Client side scripting
  ▪ SQL
+ Vulnerability types
  ▪ Denial of service
  ▪ Cross site scripting (XSS)
  ▪ SQL injection
  ▪ Directory traversal/Weak access control
  ▪ Weak authentication
  ▪ Weak session management (cookies)
  ▪ Buffer overflow
  ▪ Improperly supported HTTP methods
  ▪ Remote Command Execution
  ▪ Remote Code Injection
  ▪ Vulnerable Libraries
  ▪ HTTP Request Splitting
  ▪ Format Strings
30
WebFuzz – Demo
31
COMRaider
32
COMRaider – Identify Target
+ Client side attacks
+ Vendor history
  ▪ Past vulnerabilities
+ High risk targets
  ▪ Popular applications
+ Identify ActiveX controls
  ▪ Choose an ActiveX DLL or OCX file directly
  ▪ Scan a directory for registered COM servers
  ▪ Manually enter a GUID
  ▪ Choose from controls that should be loadable in IE
33
COMRaider – Identify Inputs
+ Identify fuzzable ActiveX controls
  ▪ Load and parse type library files (*.tlb) to enumerate interfaces, or
  ▪ Create a live instance of the object to query and load interface information
+ Scriptable ActiveX controls
  ▪ Accessible by web servers via Internet Explorer
    – Controls marked as Safe for Scripting or implementing IObjectSafety
    – Controls supporting the IDispatch or IDispatchEx interfaces
34
COMRaider – Generate Fuzzed Data
+ Examine each function and identify variable types to determine fuzzing scenarios
  ▪ Supported
    – Ints
    – Longs
    – Doubles
    – Strings
    – Variants
  ▪ Not supported
    – Singles
    – Bytes
    – Bools
+ Dynamically created Windows Script Files (*.wsf)
35
COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used to execute *.wsf files
36
COMRaider – Monitor for Exceptions
+ Execute
  ▪ Automated and repeated
+ Monitor
  ▪ Debugger - crashmon.dll
    – Record handled/unhandled exceptions
  ▪ Window logger
    – Record/clear error dialogs
    – Record modal windows
+ Kill
  ▪ 8 second timeout
37
COMRaider – Determine Exploitability
+ Skills
  ▪ Disassembly
  ▪ Debugging
+ Distributed auditing
  ▪ Audit results uploaded to and downloaded from a central MySQL server
+ Exceptions logged
  ▪ Exception code
  ▪ SEH chain
  ▪ Call stack
  ▪ Register values
  ▪ Recent/future opcodes
  ▪ Argument dump
  ▪ Stack dump
38
COMRaider – Demo
39
Advanced Topics
+ Fuzzing Frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing
40
The Future of Fuzzing
+ Tools
  ▪ Frameworks
  ▪ Integrated test environments
  ▪ Commercial tools
+ People
  ▪ Wider audience
  ▪ Proactive fuzzing – the shift from offense to defense
41
Questions