Fuzzing 101
Mike Zusman explains fuzz testing, a special type of negative software testing.
Homework
Your assignment for this section is the following:
- Locate a stack overflow in an ActiveX control by fuzzing it.
Choose your target machine carefully. If you run a clean and patched Windows box, you might have a harder time finding something exploitable. See if you can run your tools on someone else's machine - preferably a machine with a lot of garbage software installed on it. COMRaider will more easily find the low-hanging fruit - the basic stack smash - and you should probably run this tool first. If you find nothing, run other fuzzers like Dranzer, AxRub, or AxMan.
- Determine the exploitability of the overflow by investigating the stack with a debugger.
COMRaider will show you debugger output in its own GUI. Double clicking on the exceptions will show a stack dump. AxMan will require use of an external debugger of your choosing. You get extra points if you use WinDBG and run the !exploitable plugin.
- Reproduce the successful fuzz in a "Proof of Concept" that overwrites EIP with all A's.
Even though COMRaider might show EIP overwritten, we still want to see a stand-alone script that demonstrates the vulnerability in a web browser. Additionally, you should identify the vulnerable DLL on the machine and grab a copy of it. This will be important if you are not testing on your own machine - you will want to take the DLL with you for further testing. For more information on registering DLLs on a Windows box, check out the Regsvr32 documentation.
What to hand in: One DLL, a PoC that crashes the DLL, a screenshot of the crash in a debugger.
Goals
The goal of the assignment is to introduce you to fuzzing and client-side attacks, not to develop working exploits against ActiveX objects. To that end, make sure that your homework demonstrates that you:
- know how to operate a fuzzer (step 1)
- know how to identify a successful fuzz (step 2)
- know how to reproduce a successful fuzz (step 3)
- are comfortable working with client-side "stuff" (in this case, ActiveX)
That's it!
Walkthrough
If you want a simple walkthrough before starting the assignment or if you've tried the assignment and can't find a vulnerable ActiveX, you can register the ActiveX included in this zip file which I guarantee is loaded with exploitable vulnerabilities. To make things simple, just register it and then point COMRaider directly at it. The vulnerable function is foobar() and pretty much anything it accepts will generate a stack overflow. If you don't see "ACCESS VIOLATION", you're doing something wrong. If you see error messages saying "Cannot Create Object", you have not registered the DLL correctly.
If you're still having problems finding an ActiveX to fuzz, try some of these:
Reading Material
- Information on ActiveX
- Fuzzing Software
- Registering COM DLL's
- Jared DeMott - The Evolving Art of Fuzzing (whitepaper) (slides)
Fuzzing 102
Most people don't make customized fuzzers for each protocol or technology that they want to fuzz. Instead, there are a number of general-purpose fuzzers that let you easily define a protocol spec and fuzz arbitrary targets. Mike Zusman is going to go over the general-purpose fuzzer that everyone tries to live up to in this lecture: SPIKE.
Homework
This week you will be writing your own fuzz module for any one of three general-purpose network fuzzers (SPIKE, Sulley installer or SVN, or Peach) to identify vulnerabilities in a custom network service. The network service requires a Java runtime (Java6 tested) and starts a listener on a specified port. If the service appears to halt, try pressing CTRL+C in its command window to get it going again. It's a bit unstable, sorry about that!
Protocol Spec
Authentication
- USER <username>\r\n
Commands
- ls\r\n (no arguments)
- whoami (no arguments)
- cat <filename>\r\n
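The protocol spec above is small enough to show what a block-based fuzz module actually does. The following is an added example, not the course's fuzzer and not SPIKE, Sulley or Peach code: it models each request as static framing blocks around fuzzable string blocks (the SPIKE/Sulley idea), mutates one field at a time from a constructed string library, and drives each case through a transport callback so it can be exercised offline. The host and port, the default username `guest`, the default filename `readme.txt`, and all function names are assumptions; the service's real replies are not known to this example.

```python
"""Block-based fuzz-case generator for the USER / ls / whoami / cat protocol.
Added example in the spirit of a SPIKE/Sulley request definition; it is not
the course's fuzzer nor any framework's code. All names are hypothetical."""
import socket
from typing import Callable, Iterator, List, Tuple

# A block is ("static", bytes) or ("string", default_bytes). Only "string"
# blocks are mutated; the static framing around them is left intact so the
# service still parses the command and reaches the field under test.
Block = Tuple[str, bytes]

# Constructed mutation library: the classic categories tried against string
# fields (long runs, format specifiers, delimiters and NULs, high bytes).
STRING_LIBRARY: List[bytes] = (
    [b"A" * n for n in (64, 256, 1024, 4096)]
    + [b"%s" * 8, b"%n" * 8, b"%x" * 16]
    + [b"", b"\r\n", b" ", b"\x00", b"\xff" * 32]
)


def user_request(username: bytes = b"guest") -> List[Block]:
    """USER <username>\\r\\n"""
    return [("static", b"USER "), ("string", username), ("static", b"\r\n")]


def cat_request(filename: bytes = b"readme.txt") -> List[Block]:
    """cat <filename>\\r\\n"""
    return [("static", b"cat "), ("string", filename), ("static", b"\r\n")]


def render(blocks: List[Block]) -> bytes:
    """Render a block list with every fuzzable string at its default value."""
    return b"".join(value for _, value in blocks)


def mutations(blocks: List[Block]) -> Iterator[bytes]:
    """Yield one message per (fuzzable block, library entry) pair. Mutating a
    single field per message keeps a crash attributable to one input."""
    for i, (kind, _) in enumerate(blocks):
        if kind != "string":
            continue
        for payload in STRING_LIBRARY:
            mutated = list(blocks)
            mutated[i] = ("string", payload)
            yield render(mutated)


def session_cases() -> List[List[bytes]]:
    """Each case is a whole session: either a mutated login on its own, or a
    valid login followed by one mutated cat command."""
    cases = [[m] for m in mutations(user_request())]
    login = render(user_request())
    cases += [[login, m] for m in mutations(cat_request())]
    return cases


def run_session(send: Callable[[bytes], bytes], case: List[bytes]) -> List[bytes]:
    """Drive one session through `send`, a transport callback. Using a
    callback lets the generator be tested with an in-memory fake."""
    return [send(msg) for msg in case]


def tcp_sender(host: str, port: int, timeout: float = 2.0) -> Callable[[bytes], bytes]:
    """Transport for the real service (host/port are assumptions). One
    connection per session; a timeout or reset is the signal worth logging
    together with the case that produced it."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def send(msg: bytes) -> bytes:
        sock.sendall(msg)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b"<timeout>"

    return send


if __name__ == "__main__":
    # Offline: just report how many sessions the module would generate.
    print(len(session_cases()), "sessions")
    # Against the running service (host/port hypothetical):
    #   for case in session_cases():
    #       print(case, run_session(tcp_sender("127.0.0.1", 9000), case))
```

The point of the static/string split is the same one SPIKE's block API makes: the fuzzer must keep the `USER ` prefix and `\r\n` terminator correct so that the service gets past its parser and into the code that handles the field, and must change only one field per message so the input that triggered a hang or crash is unambiguous. Adding a request definition for `ls` and `whoami` is trivial since they have no string block; a third definition for a bare command word (without the `\r\n`) would test the command parser itself.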
What to hand in
A fuzz module for the network service written using either SPIKE, Sulley, or Peach and documentation of any of the vulnerabilities you uncovered.
HINT: There are only 3 distinct vulnerabilities in the network service. I will grade this assignment more on whether it looks like you learned something and less on the completeness of your assessment of the vulnerabilities; IMHO it's very hard to find all 3.
Reading Material
- Ruxxer, Stephen Ridley and Colin Delaney
- Fuzzing, CCC 2005 - Ilja van Sprundel
- Advantages of Block-based Protocol Analysis for Security Testing - Dave Aitel
- Fuzzing Frameworks
- Security Testing, Testing Experience Magazine, June 2009
Getting Started with SPIKE
Notes about SPIKE
SPIKE is notoriously hard to compile and get working, so if you had to change something to make it work on your computer, post your instructions to the mailing list so everyone else can benefit.
Instructions for OSX
- In the makefile, remove:
- ld -share -soname libdlrpc.so -o libdlrpc.o -lc dlrpc.o dlargs.o $(SPIKE_OBS)
- In the makefile, add:
- ld -dynamic -flat_namespace -bundle -undefined suppress -o libdlrpc.so -lc -ldl dlrpc.o dlargs.o $(SPIKE_OBS)
- Change LD_LIBRARY_PATH to DYLD_LIBRARY_PATH
- Comment out -ldlrpc
Cygwin
Don't even try using SPIKE on Cygwin. If you somehow get it working, it's because you made considerable patches to SPIKE source files/build scripts, which you should submit to me for extra credit.
If you insist on using Windows/Cygwin, try Peach or Sulley, as they are both written in Python and better supported on Windows.
Reading Material
- Using SPIKE
- SPIKE 2.9 - Better, faster, stronger - Dave Aitel
- Advantages of Block-based Protocol Analysis for Security Testing - Dave Aitel
Getting Started with Sulley
Reading Material
- Sulley Manual
- Introducing Sulley, Black Hat USA 2007 - Pedram Amini, Aaron Portnoy
- Fuzzing Frameworks