So I’ve written a couple of posts about fuzzing methodologies, mods to tools, and so on. Basically they covered the fact that at the moment I’m into fuzzing compressed binary files like zip, cab and rar, and how I’m going about doing it.
For the last little while I’ve been looking into decent ways to fuzz: how to generate “smart” data sets to fuzz with, how to automate the fuzzing process, and decent ways to monitor and log exceptions/signals.
At this point I pretty much have a system down. I’ve modified a few fuzzers like Autodafe and FileFuzz to get them to generate (at least what I think are) more meaningful test cases. So now the bulk of the time is spent tearing apart binary file formats in order to perform intelligent block-based fuzzing. That usually isn’t that hard: one can normally find documentation and a breakdown of the format somewhere like wotsit.org, use templates from 010 Editor, or even dig it out of the docs of the program you’re fuzzing. Knowing the structure is useful for spotting potential trouble areas, like a length field, and for knowing when a structure carries a CRC32 checksum that has to be recomputed after you mutate it. Otherwise the target just fails the checksum and exits, and the mutated bytes never reach the code you actually want coverage of. A smaller portion of the time is spent generating the files with the fuzzers and firing them off. Lastly there is the fun part: looking over the results when any exceptions are logged and confirming anything found (usually in a debugger).
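As an added illustration (this is not code from the original post, nor from Autodafe or FileFuzz), here is a small block-based mutator in Python for PNG, whose chunks carry exactly the length field plus CRC32 layout described above. The 1x1 seed image, the chunk walker and the two mutation helpers are all constructed for this example; the chunk names and the rule that the CRC covers type + data but not the length are from the PNG spec. It shows the difference between flipping payload bytes and repairing the CRC so the case gets past the checksum, flipping them without repair (which only exercises the CRC-error path), and lying in the length field, which the CRC does not protect at all.

```python
"""Block-based PNG mutator with CRC32 repair (constructed example)."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk. The CRC32 covers type + payload but NOT the
    4-byte length field that precedes them."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def seed_png() -> bytes:
    """Constructed 1x1 RGB image used as the seed file for mutation."""
    # width, height, bit depth, colour type (2 = RGB), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def parse_chunks(png: bytes):
    """Walk the chunk list the way a naive decoder does: trust each declared
    length. Returns [(type, payload, stored_crc, crc_matches), ...]. A chunk
    whose declared length runs past the end of the file is reported with
    stored_crc=None and crc_matches=False, and the walk stops there."""
    if png[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        payload = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            chunks.append((ctype, payload, None, False))  # length field lied
            break
        (crc,) = struct.unpack(">I", crc_bytes)
        ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc, ok))
        pos += 12 + length
    return chunks


def _reassemble(chunks) -> bytes:
    """Rebuild a file from parse_chunks() output, keeping each stored CRC as-is."""
    out = PNG_SIG
    for ctype, payload, crc, _ in chunks:
        if crc is None:
            raise ValueError("cannot reassemble a truncated chunk list")
        out += struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    return out


def mutate_payload(png: bytes, index: int, rng_seed: int = 0,
                   flips: int = 3, fix_crc: bool = True) -> bytes:
    """XOR `flips` distinct payload bytes of chunk `index` with non-zero values.
    With fix_crc the CRC is recomputed so the target's checksum test passes and
    the mutated bytes reach the decoder; without it the case is rejected early."""
    rng = random.Random(rng_seed)
    chunks = parse_chunks(png)
    ctype, payload, crc, _ = chunks[index]
    buf = bytearray(payload)
    for pos in rng.sample(range(len(buf)), min(flips, len(buf))):
        buf[pos] ^= rng.randrange(1, 256)  # non-zero XOR always changes the byte
    payload = bytes(buf)
    if fix_crc:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    chunks[index] = (ctype, payload, crc, fix_crc)
    return _reassemble(chunks)


def mutate_length(png: bytes, index: int, new_length: int) -> bytes:
    """Overwrite only the declared length of chunk `index`, leaving data and CRC
    untouched. Because the CRC does not cover the length, this is the case a
    parser has to bound-check before trusting the field."""
    chunks = parse_chunks(png)
    out = PNG_SIG
    for i, (ctype, payload, crc, _) in enumerate(chunks):
        if crc is None:
            raise ValueError("cannot reassemble a truncated chunk list")
        length = new_length if i == index else len(payload)
        out += struct.pack(">I", length) + ctype + payload + struct.pack(">I", crc)
    return out


if __name__ == "__main__":
    base = seed_png()
    cases = [("seed", base),
             ("payload + crc fix", mutate_payload(base, 1, rng_seed=7)),
             ("payload, no fix", mutate_payload(base, 1, rng_seed=7, fix_crc=False)),
             ("length lie", mutate_length(base, 1, 0x7FFFFFFF))]
    for name, data in cases:
        print(name, [(t.decode(), len(p), ok) for t, p, _, ok in parse_chunks(data)])
```

In a real campaign you would drive `mutate_payload` over every chunk of a corpus of real files and feed the output to the target under a debugger; whether you also want the unfixed variant depends on whether the parser checks the CRC before or after it acts on the chunk, which is exactly the kind of thing the format teardown tells you.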
So I’m thinking it might be lucrative to start looking into media formats: avi, bmp, tiff (one’s gotta have love for those iPhone/Safari tiff vulns out there), mp3, jpg, png, wav, wmf, wmx, mpeg, mpa, midi, rmi, cda, ivf, divx, mov, rm, rts, qt, swf, etc. There are *tons* of different media formats out there and *tons* of different applications that open them (media players, browsers, plug-ins, and so on).
As I’m going through the motions with this I’m thinking to myself, “Self, it would be really cool if a few other cats were in on this. We could get a system going and just pump out a lot of tests; more testing = more potential bugs to be found.”
And so, finally, the whole point of my post: if anyone is interested in helping find some 0-days, it would be really cool. If anyone is interested but doesn’t have much experience with fuzzing (and is willing to learn), I will be totally down to explain everything I know about it and where to find the material I read to learn it (so that whoever else is interested can read it as well). If anyone else has experience fuzzing stuff to find bugs, I’d really like to hear how they went about it; two (or more) heads are always better than one.
Like I said, I pretty much have a system down and some tools written; it would just be cool to have some extra hands and ideas in the mix.
Interested? Just hit me up.
anautonomouszone [at] gmail [dot] com
Cheers,
Chuck B.