9.1 Vulnerability Identification and Fuzzing
9.1 Vulnerability Identification and Fuzzing
Fuzzing
3
Bug Hunting
• Bug hunting is the process of finding bugs in software or
hardware “cited [1]”
sami almashaqbeh 5
4 Fun & Profit
• Finding security bugs was done for fun and to get media
attention
• Today, organizations are paying for security researchers to
identify bugs
- Bounty programs (Google, FaceBook, Twitter, RedHat, etc)
- Zero Day Initiative (ZDI)
- iDefense
- Tipping Point
- Pwn2Own
- Others? Please add
sami almashaqbeh 6
Taking Advantages of Bugs
• Software that take the advantages of a software vulnerability
are called “exploits”
• Exploiting a widely used application, os, protocol, etc ͙ will
grab huge media coverage and attention
- Road to become a Hacking Star
sami almashaqbeh 7
Exploits Language
• No specific language for writing exploits
• Exploits can be written using any programming language
• C, C++, Perl, JavaScript, Assembly, and PYTHON !
• I prefer Python for it’s simplicity and for the huge range of
libraries that could be used for creating a PoC or working
exploit
sami almashaqbeh 8
Bug Hunting Formal Proces
• Writing software is a human art, and two different coders may
code the same function with the same requirements
differently!
• For that reason IMO, Bug Hunting is a human art too!
• No formal process to finding bugs in SW, but there are a
couple of techniques that can be used for bug discovery
sami almashaqbeh 9
Common Techniques
• Static Analysis
- Static Code Analysis
- Reverse Engineering
• Dynamic Analysis
- Debugging
- Fuzzing
sami almashaqbeh 10
Static Analysis
• Static Code Analysis
- Code is needed
- Tedious and time consuming
- Requires high knowledge and/or skills with given language
- Costs a lot (expensive)
• Reverse Engineering
- Code not needed
- Requires the binary file
- Time consuming
- High technical skill is needed (assembly!)
sami almashaqbeh 11
Dynamic Analysis
• In this lecture we will be covering
- Debugging and Fuzzing
sami almashaqbeh 12
General Bug Hunting Methodolo
Understand the Application
• Read specs / documentation
- understand purpose or business logic
• Examine attack surface
- inputs, configuration
• Identify target components an attacker would hit
- think like an attacker to defend better:
• try to hit the Database for SQLi?
• try to upload a file?
• try to spawn a shell?
sami almashaqbeh 13
What Leads to Bugs?
• Miscalculations
• Failure to validate input
• Programmer failure to understand an API
• Failure to validate results: operations, functions, etc
• Application state failures
• Complex protocols
• Complex file formats
• Complex encoding / decoding / expansion
• etc
sami almashaqbeh 14
Debugging…
sami almashaqbeh 16
Debugger
• A computer program that lets you run your program, line by
line and examine the values of variables or look at values
passed into functions and let you figure out why it isn't
running the way you expected it to.
sami almashaqbeh 17
Why use Debuggers
• Debuggers offer sophisticated functions such as:
- Running a program step by step (single-stepping mode),
- Stopping (breaking) (pausing the program to examine the current
state) at some event or specified instruction by means of a breakpoint,
- Tracking the values of variables,
- Tracking the values of CPU registers,
- Attach to a process,
- View the process’s Memory map,
- Load memory dump (post-mortem debugging),
- Disassemble program instructions,
- Change values at runtime,
- Continue execution at a different location in the program to bypass a
crash or logical error.
sami almashaqbeh 18
Common Debuggers
• GNU Debugger (GDB)
• Microsoft Windows Debugger (Windbg)
• OllyDbg
• Immunity Debugger
- Based on Ollydbg
• Microsoft Visual Studio Debugger
• Interactive DisAssembler (IDA Pro)
sami almashaqbeh 19
Common Debugger Cont.
• Ollydbg
- Most popular for malware analysis
- User-mode debugging only
- IDA Pro has a built-in debugger, but it's not as easy to use or powerful
as Ollydbg
• Windbg
- Supports kernel-mode debugging
sami almashaqbeh 20
Disassembler v. Debuggers
• A disassembler like IDA Pro shows the state of the program
just before execution begins
• Debuggers show
- Every memory location
- Register
- Argument to every function at any point during processing
• And let you change them
sami almashaqbeh 21
rce Level v.s Assemby Level Debug
• Source-level debugger
- Usually built into development platform
- Can set breakpoints (which stop at lines of code)
- Can step through program one line at a time
sami almashaqbeh 22
Kernel vs User Mode
Debugging
User Mode Debugging
• Debugger runs on the same system as the code being
analyzed
• Debugging a single executable
• Separated from other executables by the OS
sami almashaqbeh 24
Kernel Mode Debugging
• Requires two computers, because there is only one kernel per
computer
• If the kernel is at a breakpoint, the system stops
• One computer runs the code being debugged
• Other computer runs the debugger
• OS must be configured to allow kernel debugging
• Two machines must be connected
sami almashaqbeh 25
Using a Debugger
Two Ways for Debugging
• Start the program with the debugger
- It stops running immediately prior to the execution of its entry point
• Attach a debugger to a program that is already running
- All its threads are paused
- Useful to debug a process that is affected by malware
sami almashaqbeh 27
Singl Stepping
• Simple, but slow
• Don't get bogged down in details
sami almashaqbeh 28
Example
• This code decodes
the string with XOR
a 29
Stepping Over vs Stepping Int
• Single step executes one instruction
• Step-over call instructions
- Bypasses the call
- Decreases the amount of code you need to analyze
- Might miss important functionality, especially if the function never
returns
• Step-into a call
- Moves into the function and stops at its first command
sami almashaqbeh 30
Pausing Execution with Breakpoi
sami almashaqbeh 31
• This code
calculates a
filename and
then creates
the file
• Set a
breakpoint at
CreateFileW
and look at
the stack to
see the
filename
a
WinDbg
a 33
Encrypted Data
• Suppose malware sends encrypted network data
• Set a breakpoint before the data is encrypted and view it
sami almashaqbeh 34
OllyDbg
sami almashaqbeh 35
Immunity Debugger
• A powerful new way to write exploits, analyze malware, and
reverse engineer binary files
• It builds on a solid user interface with function graphing, and
a large and well supported Python API for easy extensibility
sami almashaqbeh 36
a
Types of Breakpoints
• Software execution
• Hardware execution
• Conditional
sami almashaqbeh 38
Software Execution Breakpoin
• The default option for most debuggers
• Debugger overwrites the first byte of the instruction with
0xCC
- The instruction for INT 3
- An interrupt designed for use with debuggers
- When the breakpoint is executed, the OS generates an exception and
transfers control to the debugger
sami almashaqbeh 39
Memory Contents at a Breakpoi
• There's a breakpoint at the push instruction
• Debugger says it's 0x55, but it's really 0xCC
sami almashaqbeh 40
When Software Execution
Breakpoints Fail
• If the 0xCC byte is changed during code execution, the
breakpoint won't occur
• If other code reads the memory containing the breakpoint, it
will read 0xCC instead of the original byte
• Code that verifies integrity will notice the discrepancy
sami almashaqbeh 41
Hardware Execution Breakpoin
• Uses four hardware Debug Registers
- DR0 through DR3 - addresses of breakpoints
- DR7 stores control information
• The address to stop at is in a register
• Can break on access or execution
- Can set to break on read, write, or both
• No change in code bytes
sami almashaqbeh 42
Hardware Execution Breakpoin
• Running code can change the DR registers, to interfere with
debuggers
• General Detect flag in DR7
- Causes a breakpoint prior to any mov instruction that would change
the contents of a Debug Register
- Does not detect other instructions, however
sami almashaqbeh 43
Conditional Breakpoints
• Breaks only if a condition is true
- Ex: Set a breakpoint on the GetProcAddress function
- Only if parameter being passed in is RegSetValue
• Implemented as software breakpoints
- The debugger always receives the break
- If the condition is not met, it resumes execution without alerting the
user
sami almashaqbeh 44
Conditional Breakpoints
• Conditional breakpoints take much longer than ordinary
instructions
• A conditional breakpoint on a frequently-accessed instruction
can slow a program down
• Sometimes so much that it never finishes
sami almashaqbeh 45
Exceptions
Exceptions
• Used by debuggers to gain control of a running program
• Breakpoints generate exceptions
• Exceptions are also caused by
- Invalid memory access
- Division by zero
- Other conditions
sami almashaqbeh 47
First
and Second Chance Exception
sami almashaqbeh 48
Second Chance
• If the application doesn't handle the exception
• The debugger is given a second chance to handle it
- This means the program would have crashed if the debugger were not
attached
• In malware analysis, first-chance exceptions can usually be
ignored
• Second-chance exceptions cannot be ignored
- They usually mean that the malware doesn't like the environment in
which it is running
sami almashaqbeh 49
Common Exceptions
• INT 3 (Software breakpoint)
• Single-stepping in a debugger is implemented as an exception
- If the trap flag in the flags register is set
- The processor executes one instruction and then generates an
exception
• Memory-access violation exception
- Code tries to access a location that it cannot access, either because
the address is invalid or because of access-control protections
sami almashaqbeh 50
Common Exception Cont.
• Violating Privilege Rules
- Attempt to execute privileged instruction with outside privileged
mode
- In other words, attempt to execute a kernel mode instruction in user
mode
- Or, attempt to execute Ring 0 instruction from Ring 3
sami almashaqbeh 51
THQ
• Can we modify executables using a debugger?
• Write an example showing howto modify a Windows EXE file.
- For example bypass a whole check routine or set of instructions!!!
sami almashaqbeh 52
Fuzzing
sami almashaqbeh 54
Fuzzing
• Original research name “Boundary Value Analysis”
• “ n automated method for discovering faults in software by
providing unexpected input and monitoring for
exceptions.” - Fuzzing
• Also said:
"Fuzzing is the process of sending intentionally invalid data to a
product in the hopes of triggering an error condition or fault.
These error conditions can lead to exploitable vulnerabilities.“
HD Moore (MSF Founder)
sami almashaqbeh 55
Plz note
• Fuzzing has no rules!
• Not always successful!
sami almashaqbeh 56
Fuzzing History
• Fuzzing is not new
- It’s been named for about 20 years.
• Professor Barton Miller
- Father of Fuzzing
- Developed fuzz testing with his students at the University of
Wisconsin-Madison in 1988/89
- GOAL: improve UNIX applications
sami almashaqbeh 57
Fuzzing Methods
• Sending Random Data
- Least Effective
- Unfortunately, sometimes, code is bad enough for this to work
sami almashaqbeh 58
Fuzzing Method Cont.
• Mutation or Brute Force Testing
- Starts with a valid sample
- Fuzz each and every byte in the sample
sami almashaqbeh 59
What Data can be Fuzzed?
• Virtually anything!
• Basic types: bit, byte, word, dword, qword
• Common language specific types: strings, structs, arrays
• High level data representations: text, xml
sami almashaqbeh 60
Where can Data be Fuzzed?
Across any security boundary, e.g.:
• An RPC interface on a remote/local machine
• HTTP responses & HTML content served to a browser
• Any file format, e.g. Office document
• Data in a shared section
• Parameters to a system call between user and kernel mode
• HTTP requests sent to a web server
• File system metadata
• ActiveX methods
• Arguments to SUID binaries
sami almashaqbeh 61
What Does Fuzzed Data Consist O
• Fuzzing at the type level:
- Long strings, strings containing special characters, format strings
- Boundary case byte, word, dword, qword values
- Random fuzzing of data buffers
• Fuzzing at the sequence level
- Fuzzing types within sequences
- Nesting sequences a large number of times
- Adding and removing sequences
- Random combinations
• Always record the random seed!!
sami almashaqbeh 62
When to Fuzz?
Fuzzing typically finds implementation flaws, e.g.:
• Memory corruption in native code
- Stack and heap buffer overflows
- Un-validated pointer arithmetic (attacker controlled offset)
- Integer overflows
- Resource exhaustion (disk, CPU, memory)
• Unhandled exceptions in managed code
- Format exceptions (e.g. parsing unexpected types)
- Memory exceptions
- Null reference exceptions
sami almashaqbeh 63
When to Fuzze Cont.
• Injection in web applications
- SQL injection against backend database
- LDAP injection
- HTML injection (Cross-site scripting)
- Code injection
sami almashaqbeh 64
Two Approaches
• Dumb (mutational) Fuzzing • Smart (generational) Fuzzing
• Fuzzer lacks contextual • Fuzzer is context-aware
information about data it is - Can handle relations between
manipulating entities, e.g. block header
lengths, CRCs
• May produce totally invalid
test • Produces partially well-
formed cases test cases
• Up and running fast
• Time consuming to create
• Find simple issues in poor
- What if protocol is proprietary?
quality code
• Can find complex issues
sami almashaqbeh 65
Two Approache Cont.
• Which approach is better?
• Depends on:
- Time: how long to develop and run fuzzer
- [Security] Code quality of target
- Amount of validation performed by target
• Can patch out CRC check to allow dumb fuzzing
- Complexity of relations between entities in data format
• Don’t rule out either!
- My personal approach: get a dumb fuzzer working first
- Run it while you work on a smart fuzzer
sami almashaqbeh 66
?
• How can we monitor the target?
• What to monitor?
sami almashaqbeh 67
Determining Exploitability
• This process requires experience of debugging security issues,
but some steps can be taken to gain a good idea of how
exploitable an issue is...
• Look for any cases where data is written to a controllable
address - this is key to controlling code execution and the
majority of such conditions will be exploitable
• Verify whether any registers have been overwritten, if they do
not contain part data sent from the fuzzer, step back in the
disassembly to try and find where the data came from
sami almashaqbeh 68
Determining Exploitability Cont.
• If the register data is controllable, point the register which
caused the crash to a page of memory which is empty, fill that
page with data (e.g., ‘aaaaa...’)
• Repeat and step through each operation, until another crash
occurs, reviewing all branch conditions which are controlled
by data at the location of the (modified) register to ensure
that they are executed
sami almashaqbeh 69
Determining Exploitabilit Con
• Are saved return address/stack variables overwritten?
• Is the crash in a heap management function?
• Are the processor registers derived from data sent by the
fuzzer (e.g. 0x61616161)?
• Is the crash triggered by a read operation?
• Can we craft a test case to avoid this?
• Is the crash triggered by a write operation?
• Do we have full or partial control of the faulting address?
• Do we have full or partial control of the written value?
sami almashaqbeh 70
Fuzze Classifications
Fuzzer Types
In-Memory
Local Fuzzers Remote Fuzzers
Fuzzers
sami almashaqbeh 71
Types o Fuzzers
• Local Fuzzers
- Lets you fuzz applications on the command line
• To what end?
- Make sure the target has some value (setuid)
• Environment Variable Fuzzers
• Because:
sami almashaqbeh 73
Types o Fuzzer Cont.
• Network Protocol Fuzzers
- The Fuzzer is the client
- Need to understand the protocol
- Simple Protocols
• Text Based: Telnet, FTP, POP, HTTP
- Complex Protocols
• Binary Data (some ASCII)
• Complex authentication, encryption, etc
sami almashaqbeh 74
Types of Fuzzer Cont.
• Other types of fuzzers:
- Web Application and Server Fuzzing
- Web Browser Fuzzing
- In-Memory Fuzzing
sami almashaqbeh 75
Common Fuzzers
• Publicly available fuzzing frameworks:
- Spike, Peach Fuzz, Sulley, Schemer, etc
• Publicly available fuzzing applications
- Fuzz, FileFuzz, iFuzz, WebFuzz, JBroFuzz, WebScarab,
- BurpSuite (includes a fuzzer), notSPIKEFile, SPIKEProxy, ProtoFuzz
- SMUDGE, mangleme, FileP, FileH, MalyBuzz,
- Dfuz, AxMan, bugger, fuzzdb
- And the list goes on and on ͙
sami almashaqbeh 76
The Fuzzing Process
• Identify Targets
• Identify Inputs
• Generate Fuzzed Data
• Execute Fuzzed Data
• Monitor for Exceptions
• Determine Exploitability
sami almashaqbeh 77
The Fuzzing Process
• Determine Exploitability - Remotely
- You need to know what data you sent
• Record all fuzzed strings, making note of exceptions
• Network Captures (Wireshark)
- Try and reproduce the scenario
- Is it a memory corruption bug?
- Is it an application logic flaw?
• Determine Exploitability - Locally
- Attach a debugger
sami almashaqbeh 78
Protoco Fuzzing
• Find as much data as you can about the target application
- Google is your friend
- Maybe someone has fuzzed it
- Maybe it uses some standard protocol
sami almashaqbeh 79
Protoco Fuzzin Cont.
• Do we need to authenticate?
- What authentication protocol?
• Scoping your assessment
- You may only care about pre-auth
SPIKE
sami almashaqbeh 81
SPIKE
• SPIKE fuzzer released in 2002
- Written by Dave Aitel (Immunity Inc.)
• SPIKE is a genius
• SPIKE is a fuzzing framework/API
• Ability to describe data
• Built in libraries for known protocols (*RPC)
• Fuzz strings designed to make software fail
sami almashaqbeh 82
SPIK Cont.
• Simple Text Based Protocol Fuzzing
• ccepts a “script” of SPIKE commands
• Example: ./generic_send_tcp <IP> <PORT> script.spk 00
s_readline()
s_string_variable("USER");
s_string(" ");
s_string_variable("devel_user");
s_string(" ");
s_string_variable("PASS");
s_string(" ");
s_string_variable("secretpassword");
s_string("\r\n");
sami almashaqbeh 83
SPIKE’s Real Value
• Complex Protocols have length fields and data fields
• Tracking length fields while Fuzzing data is complicated
• SPIKE does this for you
• Block Based Protocol Representation
sami almashaqbeh 84
What is a SPIKE?
• “A SPIKE is a simple list of structures which contain block size
information and a queue of bytes.”
s_block_size_binary_bigendian_word(“somepacketdata”);
s_block_start(“somepacketdata”)
s_binary(“01020304”);
s_block_end(“somepacketdata”);
sami almashaqbeh 85
What is a SPIKE Cont.
s_block_size_binary_bigendian_word(“somepacketdata”)͖
s_block_start(“somepacketdata”)
s_binary(“01020304”)͖
s_block_end(“somepacketdata”)͖
sami almashaqbeh 86
What is a SPIKE Cont.
s_block_size_binary_bigendian_word(“somepacketdata”)͖
s_block_start(“somepacketdata”)
s_binary(“01020304”)͖
s_block_end(“somepacketdata”)͖
sami almashaqbeh 87
What is a SPIKE Cont.
s_block_size_binary_bigendian_word(“somepacketdata”);
s_block_start(“somepacketdata”)
s_binary(“01020304”);
s_block_end(“somepacketdata”);
sami almashaqbeh 88
What is a SPIKE Cont.
s_block_size_binary_bigendian_word(“somepacketdata”)͖
s_block_start(“somepacketdata”)
s_binary(“01020304”)͖
s_block_end(“somepacketdata”)͖
sami almashaqbeh 89
What is a SPIKE Cont.
s_block_size_binary_bigendian_word(“somepacketdata”)͖
s_block_start(“somepacketdata”)
s_binary(“01020304”)͖
s_block_end(“somepacketdata”)͖
Block 2 Block 1
Morepacketdata Somepacketdata
Big Endian word Big Endian word
Start Pointer: 1008 Start Pointer: 1000
sami almashaqbeh 90
Existing Challenges
• How to measure effectiveness of a fuzzer?
- Number of test cases?
- Number of bugs?
- Severity of bugs?
- % Code coverage?
• How many test cases to run?
- How to balance complexity vs. time constraints?
sami almashaqbeh 91
Another Spike Example (HTTP
• Consider the following HTTP Request:
POST /admin/login.php HTTP/1.1
Host: www.example.com
Connection: close
User-Agent: Mozilla/6.0
Content-Length: 29
Content-Type: application/x-www-form-encoded
user=admin&password=secret
sami almashaqbeh 92
Another Spike (HTTP Cont.
s_string("POST /admin/login.php HTTP/1.1\r\n");
s_string("Host: www.example.com\r\n);
s_string("Connection: close\r\n");
s_string("User-Agent: Mozilla/6.0\r\n");
s_string("Content-Length: ");
s_blocksize_string("post", 7);
s_string("\r\nContent-Type: application/x-www-form-encoded\r\n\r\n");
s_block_start("post_args");
s_string("user=");
s_string_variable(“admin");
s_string("&password=");
s_string_variable(“secret");
s_block_end("post");
sami almashaqbeh 93
Final Tip to Beginners
• OS: Windows XP first!
- Easy to debugging
- Almost every RE tool works on XP
- For example use Kali or BackTrack for developing tools
• Find bugs and debug/exploit them upon XP
• And port it for other versions of OS (Windows 7,8, etc)
• Virtualization Software (VMWARE, Virtualbox, etc) is
mandatory
• Use snapshots
• Your OS will be messed up by your Fuzzer
sami almashaqbeh 94
Language Again LOL
• Don’t listen to others
• Just choose one, whatever you like
• But if you still need a recommendation? Python is my answer
• Many hack libraries are written in python
• If you use C for fuzzing because you just want to feel you’re
l33t, you’re wrong!
• Realize what is your goal
sami almashaqbeh 95
SUMMARY
• Described what bug hunting means, and who's hunting nowadays
• What we mean by taking advantages of bugs
• What language to use to write an exploit
• Why there isn't a bug hunting formal process for vulnerability discovery
• Common Techniques for bug hunting
• What and why do we need a debugger and the most popular debuggers
• What's the difference between a debugger and a disassembler
• The difference between kernel vs user mode debugging
• Howto use a debugger such as Ollydbg
• Common ways of debugging
• Explained the different software execution breakpoints, and what are they
• Also explained Hardware Execution Breakpoints, and Conditional Breakpoints
• Talked about Exceptions, and what do we mean by First and Second Chance Exceptions
• Explained what do we mean by Fuzzing, and Fuzzing History
• Also talked about Fuzzing Methods, Types and the Fuzzing Process
• Talked about howto fuzz a protocol, and finally talked about SPIKE
sami almashaqbeh 99