
6119IX.qxp 5/23/2007 9:56 AM Page 519

Index

A
abort signals, 100
Accept header, 122
Accept-Encoding header, 122
Accept-Language header, 122
access
  control, 29
  violation handler, 340-342
ActiveX controls, 284
  Adobe Acrobat PDF control, 294-296
  fuzzer development, 287-289
    heuristics, 298
    loadable controls, enumerating, 289-293
    monitoring, 299
    properties, methods, parameters, and types, 293-297
    test cases, 298
  history, 25
  overview, 285-287
  vulnerabilities, 273-275
  WinZip FileView, 298
adbg, 370
address bar spoofing vulnerabilities, 281
addresses
  reading, 476-478
  writing to, 478-479
Adobe
  Acrobat
    PDF control, 294-296
    shell script workaround, 192
  Macromedia Shockwave Flash file format. See SWF
agents
  fault detection, 233
  network monitor, 402
  process monitor, 403
  Sulley sessions, 402-404
  VMWare control, 403
AIM (AOL Instant Messenger) protocol, 49-52
  logon credentials sent, 52
  server reply, 51
  username, 51
Aitel, Dave, 23
GAs, 431-435
  CFG with connecting path, 433
  CFG with exit nodes, 434
  CFG with potential vulnerability, 433
  fitness function, 432
  reproduction function, 431
  Sidewinder, 433-434
  as stochastic global optimizers, 432
Needleman-Wunsch, 428
Smith-Waterman local sequence alignment, 428
Unweighted Pairwise Mean by Arithmetic Averages, 429
alignment of sequences, 427
amino acid sequence alignment, 427
antiparser, 354-356
AOL Instant Messenger. See AIM protocol
APIs
  antiparser, 354-356
  CreateProcess, 321
  APIs, 179
  Windows debugging, 320-323, 332-333
apKeywords() data type, 355
Apple Macbook vulnerability, 228
application layer vulnerabilities, 230


application logs, fault detection, 233
applications
  manually testing, 10
  service provider (ASP), 114
  setuid, 37
  sweeping, 10
  web application fuzzers, 41
    buffer overflow vulnerability, 130
    configuring, 118-119
    exceptions, detecting, 135-136
    heap overflow vulnerability, 129
    inputs. See web application fuzzers, inputs
    overview, 113-115
    targets, 117-118
    technologies, 115
    vulnerabilities, 132-135
archiving utility vulnerabilities, 170
argv module, 104-106
ASCII text files, 202
ASP (application service provider), 114
ASP .Net, 116
asynchronous sockets (WebFuzz), 150-153
attack heuristics, 353
audits, saving, 204-205
(weak), 133
Autodafé, 369-371
automation
  benefits, 73
  human computation power, 73
  reproducibility, 74
  binary testing, 17-18
  debugger monitoring, 481
    advanced example, 486-489
    architecture, 481
    basic example, 482-484
    PaiMei crash binning utility, 487-489
  environment variable fuzzing
    GDB method, 96-97
    getenv function, 98
    library preloading, 98-99
  protocol dissection
    bioinformatics, 427-431
    genetic algorithms, 431-435
    heuristic-based, 421-427
  auditing tools, 7
  length calculation, 352
  protocol generation testing, 36
  white box testing, 6-8
availability
  black box testing, 13
  gray box testing, 18
  white box testing, 9
av_handler() routine, 483
AWStats Remote Command Execution Vulnerability website, 118
AxMan, 25, 275

B
backdoor limitations, 30
basic blocks
  defined, 440
  start/stop points, 440
  tracking, 444
Beddoe, Marshall, 428
BeginRead() method, 152
BeginWrite() method, 151
beSTORM, 138, 508
binary auditing
  automated, 17-18
  manual, 14-16
binary files (FileFuzz), 201
binary protocols, 49-52
binary visualization, 439-441
BinAudit, 18
BindAdapter() function, 259
bioinformatics, 427-431
bits, 93, 385
bit_field class, 377
black box testing, 9
  fuzzing, 12
  manual, 10
  pros/cons, 13-14
  tool (beSTORM), 138, 508
Blaster worm, 225
blocks
  basic
    defined, 440
    start/stop points, 440
    tracking, 444
  helpers, 395
    checksums, 396
    example, 397
    repeaters, 396
    sizers, 395-396
  identifiers, 58
  protocol
    modeling, 242
    representation, 361-362
  sizes, 58
  Sulley framework, 392
    dependencies, 394-395
    encoders, 394
    grouping, 392-393
    helpers, 395-397
BLOSUM (Blocks Substitution Matrix), 429
boundary value analysis (BVA), 21
BoundsChecker, 493
bp_set() routine, 333
break command, 97
BreakingPoint, 509
breakpoints
  handler, 342
  hardware, 324


  , 324
  WS2_32.dll recv(), 336
Brightstor backup software vulnerabilities, 424
browser fuzzers, 41-42
  ActiveX controls, 287-289
    heuristics, 298
    loadable controls, enumerating, 289-293
    monitoring, 299
    properties, methods, parameters, and types, 293-297
    test cases, 298
  approaches, 269-271
  fault detection, 282
  heap overflows, 277-279
  history, 24
  inputs, 271
    ActiveX controls, 273-275
    client-side scripting, 276
    CSS, 275-276
    Flash, 279
    HTML headers, 271
    HTML tags, 271-273
    URLs, 280
    XML tags, 273
  methods, 269, 275-276, 279-280
  Month of Browser Bugs, 268
  overview, 268
  targets, 269
  vulnerabilities, 280-282
brute force fuzzing
  file formats, 172-173
  network protocols, 231
brute force testing, 36
btnRequest_Click() method, 153
buffer overflows
  case study (Web applications), 158-160
  vulnerabilities, 130
    web applications, 133
    web browsers, 281
BugScam, 17
BVA (boundary value analysis), 21
byref() function, 318

C
call graphs, 439
callbacks
  access violation handler, 340-342
  breakpoint handler, 342
  registering, 401-402
Cascading Style Sheet. See CSS
cc_hits database, 455-457
CCR (Command Continuation Request) example, 78-79
cc_tags database, 455
CFGs (control-flow graphs), 433, 440-441
  disassembled dead listing, 441
  GAs
    connecting path, 433
    exit nodes, 434
    potential vulnerability, 433
CGI (Common Gateway Interface), 115
character translations, 85
character-delimited fields, 47
checksums
  as block helpers, 396
  protocols, 58
child processes, forking off and tracing, 185-187
choosing
  fuzz values, 480-481
  hook points, 331
  memory mutation locations, 331
  packet capture libraries, 256-257
  protocol fields, 47
  web application inputs, 119-121
    cookies, 129
    headers, 128
    method, 123-125
    post data, 130
    protocol, 128
    request-URI, 126-128
CISC (Complex Instruction Set Computer) architecture, 438
class IDs (CLSIDs), 285
classes
  apKeywords(), 355
  bit_field, 377
  PyDbg, 332-334, 340-345
  TcpClient, 148-149
clfuzz, 38
clients
  Ethereal, 335
  launching, 334
client-side vulnerabilities, 223, 276, 280-282
CLSIDs (class IDs), 285
code
  coverage. See tracking
  reusability
    frameworks, 354
    Peach, 366
Code Red worm, 225
Codenomicon, 41, 510-511
  foundation, 23
  HTTP test tools, 41, 138
CodeSpy website, 7
coding phase (SDLC), 501-502
COM (Component Object Model), 284
  ActiveX controls
    Adobe Acrobat PDF control, 294-296
    fuzzer development. See ActiveX controls, fuzzer development
    overview, 285-287
    WinZip FileView, 298
  history, 284
  interfaces, 284


  objects, 284
  Raider, 25, 42, 275
  VARIANT data structure, 293
Command Continuation Request (CCR) example, 78-79
command-line arguments, 89
command-line fuzzers, 37-38
commands
  break, 97
  CREA, 248
  commands, 97
  execution vulnerabilities, 281
  find, 93
  injection vulnerabilities, 87
commands command, 97
commercial tools, 507
  beSTORM, 138, 508
  BreakingPoint, 509
  Codenomicon, 41, 510-511
    foundation, 23
    HTTP test tools, 41, 138
  Holodeck, 514-515
  Mu-4000, 512
  ProtoVer Professional, 512
Common Gateway Interface (CGI), 115
community involvement (frameworks), 43
compile time checkers, 6
Complex Instruction Set Computer (CISC) architecture, 438
complex protocols, 40
complexity
  frameworks, 44
  gray box testing, 18
  in-memory fuzzing, 43
  white box testing, 9
Component Object Model. See COM
Computer Associates’ Brightstor backup software vulnerabilities, 424
Compuware DevPartner BoundsChecker, 493
configuring web applications, 118-119
CONNECT method, 125
Connection header, 123
connections
  dropped, 135
  testing, 472
ContinueDebugEvent() routine, 323
control-flow graphs. See CFGs
Convert, 367
Cookie header, 123
cookies, 129
coverage
  black box testing, 14
  gray box testing, 18
  white box testing, 9
crash binning tool, 487-489
crash locations, viewing, 405-406
crashbin_explorer.py tool, 405
CRC (Cyclic Redundancy Check) values, 353
CREA command, 248
CreateFile() method, 299
CreateProcess() function, 203, 10, 203, 299, 321
create_string_buffer() function, 318
cross-domain restriction bypass vulnerabilities, 281
cross-site scripting (XSS), 132, 163-166
CSRF (cross site request forgery), 134
CSS (Cascading Style Sheet)
  CSSDIE fuzzer, 24, 42, 275-276
  vulnerabilities, 275-276
CSSDIE, 24, 275, 42, 276
ctypes module, 318
Cyclic Redundancy Check (CRC) values, 353

D
data
  capture
    networks, 251
    ProtoFuzz design, 258-259
    PStalker, 454
  exploration, 453
  generating
    CCR example, 78-79
    character translations, 85
    command injection, 87
    directory traversal, 86
    field delimiters, 83-84
    format strings, 85
    generators, 364
    integer values, 79-81
    pseudo-random data, 353
    string repetitions, 82
    SWF fuzzing test case, 384
  link layer vulnerabilities, 228
  packets, assembling, 250-251
  parsing
    networks, 251-252
    ProtoFuzz design, 259-261
  sources
    Dfuz, 358
    PStalker, 452-453
  storage, 454-457
  types
    apKeywords(), 355
    block helpers, 395-397
    blocks, 392-395
    character translations, 85
    command injection, 87
    delimiters, 391
    directory traversal, 86
    field delimiters, 83-84
    format strings, 85
    integers, 79-81, 390-391
    legos, 398-399
    passing, 318


    smart data sets, 81
    strings, 82, 391
    Sulley framework, 388-390
databases
  cc_hits, 455-457
  cc_tags, 455
DataRescue Interactive Pro (IDA Pro), 439
DBI (Dynamic Binary Instrumentation), 68, 491-493
  DynamoRIO, 491
  error detection, 68
  fault detection, 492
  Pin, 492
  tool development, 492
DCOM (Distributed COM), 284
DDE (Dynamic Data Exchange), 284
dead listing, 441
debug event loops, 322-323
debug exception events, 323
DebugActiveProcess() routine, 321
debuggers, 16
  adbg, 370
  automated monitoring, 481
    advanced example, 486-489
    architecture, 481
    basic example, 482-484
    PaiMei crash binning utility, 487-489
  DBI, 491-493
    DynamoRIO, 491
    fault detection, 492
    Pin, 492
  fault detection, 233
  GDB, 16
  OllyDbg, 16, 335
    before/after demangle, 336
    conceptual diagram, 339
    parse routine, 338
    restore point, 338
    WS2_32.dll recv() breakpoint, 336
  process information, 178
  web application fuzzing, 136
  Web browser errors, 282
  WinDbg, 16
debugging API (Windows), 320-323
  process information, 179
  process instrumentation with PyDbg, 332-333
DebugSetProcessKillOnExit() routine, 321
DEBUG_EVENT structure, 323
decompilers, 16
DELETE method, 124
delimiters (Sulley framework), 391
DeMott, Jared, 366
denial-of-service. See DoS attacks
dependencies (blocks), 394-395
depth (process), 64-66
design
  FileFuzz
    applications, launching, 211-213
    exception detection, 213-217
    files, creating, 210
    source files, reading, 210-211
    writing to files, 211
  logic, 30
  ProtoFuzz, 257, 262
    data capture, 258-259
    fuzz variables, 261
    hexadecimal encoding/decoding, 262
    network adapters, 257-258
    parsing data, 259-261
  SDLC, 500-501
  WebFuzz
    asynchronous sockets, 150-153
    requests, generating, 153-155
    responses, receiving, 155-156
    TcpClient class, 148-149
detecting
  errors, 67-69
    DBI platforms, 68
    debug clients, 67
    ping checks, 67
  exceptions
    detection engines, 183
    FileFuzz, 203-204, 213-217
  faults
    crash locations, viewing, 405-406
    DBI, 492
    execution control, transferring, 475-476
    first-chance versus last-chance exceptions, 489-491
    format string vulnerability, 477
    frameworks, 353
    graphical representation, 406
    in-memory fuzzing, 311-312
    network protocol fuzzing, 232-233, 254
    page faults, 474
    primitive, 472-474
    reading addresses, 476-478
    software memory corruption vulnerability categories, 475
    stack layout example, 477
    Web browsers, 282
    writing to addresses, 478-479
  file format fuzzing, 178-179
  local fuzzing problems, 99-101
  web application exceptions, 135-136
developers, 503-504
development
  ActiveX fuzzer, 287-289
    heuristics, 298
    loadable controls, enumerating, 289-293
    monitoring, 299
    properties, methods, parameters, and types, 293-297
    test cases, 298
  DBI tools, 492
  environment integration of fuzzing, 516


  file format fuzzing
    core fuzzing engine, 184-185
    exception detection engine, 183
    exception reporting, 183-184
    forking off/tracing child processes, 185-187
    interesting signals, 187
    not interesting UNIX signals, 188
  FileFuzz, 209
    applications, launching, 211-213
    approach, 209
    design, 210-217
    exception detection, 213-217
    files, creating, 210
    language, choosing, 210
    source files, reading, 210-211
    writing to files, 211
  iFuzz, 105-107
  ProtoFuzz
    design, 258-262
    goals, 255
    packet capture library, choosing, 256-257
    programming language, 256
  software development lifecycles. See SDLC
  tracking tool, 442-443
    basic blocks, tracking, 444
    cross-referencing, 447
    instruction execution, tracing, 444-445
    recordings, filtering, 446
    target profiling, 443-444
  web application fuzzers
    approach, 148
    asynchronous sockets, 150-153
    programming language, choosing, 148
    requests, generating, 153-155
    responses, receiving, 155-156
    TcpClient class, 148-149
DevInspect tool, 504
Dfuz, 357-360
  data sources, 358
  functions, 357-358
  lists, declaring, 358
  protocols, emulating, 359
  rule files, 359-360
  variables, defining, 357
DHTML (Dynamic HTML), 24
directory traversal
  case study, 156-157
    Ipswitch Imail Web Calendaring, 157
    Trend Micro Control Manager, 156
  vulnerabilities, 86, 132
disassembled binaries, visualizing, 439-441
, 15
disassembly-level heuristics, 426-427
discussion board vulnerabilities, 117
Distributed COM (DCOM), 284
documentation, 62
DOM (Document Object Model), 285
DOM-Hanoi, 42
DoS (denial-of-service) attacks
  file formats, 175
  web applications, 132
  web browsers, 280
DownloadFile() method, 299
drivers, 255
Dynamic Binary Instrumentation. See DBI
Dynamic Data Exchange (DDE), 284
Dynamic HTML (DHTML), 24
DynamoRIO DBI system, 491

E
ECMAScript, 276
Eddington, Michael, 40
elements of protocols
  block identifiers/sizes, 58
  checksums, 58
  name–value pairs, 57
encoders (blocks), 394
Enterprise Resource Planning (ERP), 117
enumerating
  environment variables
    GDB method, 96-97
    getenv function, 98
    library preloading, 98-99
  loadable ActiveX controls, 289-293
environment variables, 38-39, 90-92
  GDB method, 96-97
  getenv function, 98
  library preloading, 98-99
ERP (Enterprise Resource Planning), 117
error detection, 67-69
  DBI platforms, 68
  debug clients, 67
  ping checks, 67
Ethereal client, server data capture, 335
event logs
  debugging, 322-323
  logs
    process information, 178
    web application fuzzing, 136
    Web browser errors, 282
Evron, Gadi, 25
Excel eBay vulnerability, 199
exceptional elements, 510
exceptions
  debug exception events, 323
  detecting, 183, 203-204, 213-217
  first-chance versus last-chance, 489-491
  monitoring, 28
  reporting, 183-184
  web applications, 135-136, 147
Execute() method, 299
executing
  fuzz data, 28
  instructions, 438. See also tracking
execution control, transferring, 475-476


exit nodes (GAs), 434
exploitability, 28
External Data Representation (XDR), 230

F
fault detection
  crash locations, viewing, 405-406
  DBI, 492
  execution control, transferring, 475-476
  first-chance versus last-chance exceptions, 489-491
  format string vulnerability, 477
  frameworks, 353
  graphical representation, 406
  in-memory fuzzing, 311-312
  network protocol fuzzing, 232-233
  network protocol fuzzing, 254
  page faults, 474
  primitive, 472-474
  reading addresses, 476-478
  software memory corruption vulnerability categories, 475
  stack layout example, 477
  web browsers, 282
  writing to addresses, 478-479
fencing memory allocation, 492
field delimiters, 83-84
file format fuzzers, 39, 54-57
  benefits, 221
  case study, 217-220
  detection, 178-179
  development, 209
    applications, launching, 211-213
    approach, 209
    core fuzzing engines, 184-185
    design, 210-217
    exception detection, 183-184, 213-217
    files, creating, 210
    language, choosing, 210
    source files, reading, 210-211
    writing to files, 211
  FileFuzz
    applications, launching, 203
    ASCII text files, 202
    audits, saving, 204-205
    binary files, 201
    exception detection, 203-204
    features, 201
    goals, 200
  forking off/tracing child processes, 185-187
  future improvements, 221
  interesting UNIX signals, 187
  methods, 171-172
    brute force, 172-173
    inputs, 174
    intelligent brute force, 173-174
  not interesting UNIX signals, 188
  notSPIKEfile
    features, 182
    missing features, 182
    programming language, 195
    RealPix format string vulnerability, 193-195
    shell script workarounds, 192
  ODF, 54
  Open XML, 54
  SPIKEfile
    features, 182
    missing features, 182
    programming language, 195
    shell script workarounds, 192
  targets, 170-171, 205, 208-209
    Windows Explorer, 206-209
    Windows Registry, 209
  vulnerabilities
    DoS, 175
    examples, 170
    format strings, 177
    heap overflows, 177
    integer handling, 175-177
    logic errors, 177
    race conditions, 178
    simple stack, 177
    Windows, 197-198
  processes, 189-191
File Transfer Protocol (FTP), 48, 362-363
FileFuzz, 39
  applications, launching, 203
  ASCII text files, 202
  audits, saving, 204-205
  benefits, 221
  binary files, 201
  case study, 217-220
  development, 209
    applications, launching, 211-213
    approach, 209
    design, 210-217
    exception detection, 213-217
    files, creating, 210
    language, choosing, 210
    source files, reading, 210-211
    writing to files, 211
  error detection, 67
  exception detection, 203-204
  features, 201
  future improvements, 221
  goals, 200
files. See also file format fuzzers
  fuzzing, 24
  permissions, 95
  rule, 359-360
  SWF, 372
    bit_field class, 378
    component relationships, 383


    data generation, 384
    data structures, 374-377
    dependent_bit_field class, 379
    environment, 385
    header, 372-373
    MATRIX struct, 379-380
    methods, 385
    RECT/RGB structs, 378
    string primitives, 383
    SWF files, modeling, 374
    tags, 374
    tags, defining, 380-382
FilesAttributes tag (Flash), 374
filtering tracking recordings, 446
find command, 93
first-chance exceptions, 489-491
fixed length fields (protocols), 47
Flash, 115, 279
flatten() routine, 378
Flawfinder website, 7
forking off child processes, 185-187
format string vulnerabilities, 85, 106
  example, 477
  exploiting, 85
  file formats, 177
  RealPlayer RealPix format string, 193-195
frameworks, 43-44
  antiparser, 354-356
  attack heuristics, 353
  Autodafé, 369-371
  automatic length calculation, 352
  code reusability, 354
  community involvement, 43
  complexity, 44
  CRC values, 353
  data parsing, 353
  development time, 44
  Dfuz, 357-360
    data sources, 358
    functions, 357-358
    lists, declaring, 358
    protocols, emulating, 359
    rule files, 359-360
    variables, defining, 357
  fault detection, 353
  features, 352-353
  fuzzing metrics, 353
  GPF, 366-369
  limitations, 43
  overview, 352-354
  PaiMei, 449
    advanced target monitoring, 486-489
    basic target monitoring, 482-484
    components, 450
    crash binning utility, 487-489
    PIDA interface, 450
    PStalker module. See PStalker
    SWF fuzzing, 385
  Peach, 364-366
    code reusability, 366
    disadvantages, 366
    generators, 364
    groups, 365
    publishers, 364
    transformers, 364
  PI, 428
  programming languages, 352
  protocol modeling, 352
  pseudo-random data, generating, 353
  reusability, 43
  SPIKE, 361-364
    block-based protocol representation, 361-362
    disadvantage, 363
    FTP fuzzer, 362-363
  Sulley, 386-387
    blocks, 392-397
    data types, 388-390
    delimiters, 391
    directory structure, 387-388
    download website, 386
    environment, setting up, 413
    features, 386
    fuzzers, launching, 414-416
    integers, 390-391
    legos, 398-399
    postmortem phase, 405-409
    requests, building, 410-411
    RPC endpoint walkthrough. See Sulley framework, RPC endpoint walkthrough
    session, 399-404, 411-413
    strings, 391
FTP (File Transfer Protocol), 48, 362-363
functions. See also routines
  BindAdapter(), 259
  byref(), 318
  CreateProcess(), 10, 203
  create_string_buffer(), 318
  Dfuz, 357-358
  GetCurrentProcessId(), 318
  getenv, 98
  printf(), 248
  ReadProcessMemory(), 318
  ReceivePacket(), 259
  s_block_end(), 242, 392
  s_block_start(), 242, 392
  taboo(), 475
  WriteProcessMemory(), 319
func_resolve() routine, 333
future of fuzzing
  development environment integration, 516
  hybrid analysis of vulnerabilities, 515
fuzz_client.exe, 334-346


fuzz_server.exe, 334
  conceptual diagram, 339
  launching, 345
  memory allocation, 344-345
  OllyDbg, 336-338
  restore point, 335
  snapshot, 335, 343
  WS2_32.dll recv() breakpoint, 336
fuzz_trend_server_protect_5168.py, 414-416
fuzz values, choosing, 480-481
fuzzer stepping, 473
fuzzing
  as black box testing, 12
  defined, 21
  history, 22-27
    ActiveX, 25
    Codenomicon, 23
    files, 24
    Miller, Professor Barton, 22
    PROTOS test suites, 23
    sharefuzz, 24
    SPIKE, 23
  limitations
    access control, 29
    backdoors, 30
    design logic, 30
    memory corruption, 31
    multistage vulnerabilities, 32
  phases, 27-29
Fuzzing mailing list, 25
fuzzing metrics, 353

G
GAs (genetic algorithms), 431-435
  CFG
    connecting path, 433
    exit nodes, 434
    potential vulnerability, 433
  fitness function, 432
  reproduction function, 431
  Sidewinder tool, 433-434
  as stochastic global optimizers, 432
GDB (GNU debugger), 16, 96-97
GDI+ buffer overflow vulnerability, 198, 217-220
General Purpose Fuzzer (GPF), 366-369
generating data
  CCR example, 78-79
  data types
    character translations, 85
    command injection, 87
    directory traversal, 86
    field delimiters, 83-84
    format strings, 85
    integer values, 79-81
    string repetitions, 82
  generators, 364
  pseudo-random data, 353
  SWF fuzzing test case, 384
generation-based fuzzers, 22, 231
generators, 364
generic line-based TCP fuzzer, 240-243
generic script-based fuzzers, 244
genetic algorithms. See GAs
GET method, 123
GetCurrentProcessId() function, 318
getenv function, 98
GetFuncDesc() routine, 296
GetNames() routine, 295
getopt module, 104, 107
getPayload() routine, 356
GetThreadContext() API, 327
GetTypeInfoCount() routine, 294
GetURL() method, 299
Gizmo Project case study
  data sources, 462
  execution, monitoring, 464-465
  features list, 457
  results, 465
  SIP
    packets, testing, 458-461
    processing code, 462
  strategy, 458-461
  tags, choosing, 462
  tracking capture options, 462-463
GNU debugger (GDB), 16, 96-97
Gosling, James, 116
GPF (General Purpose Fuzzer), 366-369
graphs
  call graphs, 439
  CFGs, 440-441
    disassembled dead listing, 441
    GAs, 433-434
  example SMTP session, 399-401
  Sulley crash bin graphical representation, 406
gray box testing, 14
  binary auditing
    automated, 17-18
    manual, 14-16
  pros/cons, 18
Greene, Adam, 38
groups
  blocks, 392-393
  Peach framework, 365

H
Hamachi, 24, 42
handler_bp() routine, 333
hardware breakpoints, 324
HEAD method, 124
headers
  Accept, 122
  Accept-Encoding, 122


  Accept-Language, 122
  Connection, 123
  Cookie, 123
  Host, 122
  HTML, 271
  HTTP protocol, 122
  SWF, 372-373
  User-Agent, 122
  web applications input, 128
heap overflow vulnerabilities, 129
  browsers, 277-279
  file formats, 177
Heller, Thomas, 318
heuristics, 79
  ActiveX, 298
  attack, 353
  character translations, 85
  command injection, 87
  directory traversal, 86
  field delimiters, 83-84
  format strings, 85
  integer values, 79-81
  protocol dissection, 421
    disassembly-level, 426-427
    hierarchical breakdown, 424
    improved analysis, 425-426
    proxy fuzzing, 422-423
  string repetition, 82
Hewlett-Packard Mercury LoadRunner vulnerability, 263
hexadecimal encoding/decoding, 262
hierarchy
  protocols, 424
  Sulley directory structure, 387-388
history
  COM, 284
  fuzzing, 22-27
    ActiveX, 25
    Codenomicon, 23
    files, 24
    Miller, Professor Barton, 22
    PROTOS test suites, 23
    sharefuzz, 24
    SPIKE, 23
  Samba, 420
Hoglund, Greg, 312
Holodeck, 514-515
hook points, 331
hooking processes, 324-327
  context modifications, 327
  EIP, adjusting, 326
  INT3 opcode, writing, 324
  original bytes at breakpoint address, saving, 324
  software breakpoint, catching, 325
Host header, 122
HTML (Hypertext Markup Language)
  header vulnerabilities, 271
  status codes, 146
  tag vulnerabilities, 271-273
HTTP (Hypertext Transfer Protocol)
  field delimiters, 83
  methods, 133
  protocol, 122
  requests, identifying, 144
  response splitting, 134
  status codes, 135
human computation power, 73
hybrid analysis of vulnerabilities, 515
Hypertext Preprocessor (PHP), 115

I
IAcroAXDocShim interface, 295
IBM
  AIX 5.3 local vulnerabilities, 110
  Rational Purify, 492
ICMP, dissecting, 429-430
IDA (Interactive Disassembler), 15
IDA Pro (DataRescue Interactive Disassembler), 439
IDE (integrated development environment), 503
IETF (Internet Engineering Task Force), 54
iFuzz, 38
  case study, 110-111
  development approach, 105-107
  features, 103-105
  fork, execute, and wait approach, 107
  fork, ptrace/execute, and wait/ptrace approach, 108-109
  getopt hooker, 105
  language, 109
  modules, 104
    argv, 104-106
    getopt, 104, 107
    preloadable getenv fuzzer, 105
    single-option/multi-option, 104, 107
  postdevelopment observations, 111-112
IIDs (interface IDs), 285
improperly supported HTTP methods, 133
in-memory fuzzers, 42-43
  advantages, 42, 302
  complexity, 43
  control flow diagram example, 306
  example
    access violation handler, 340-342
    breakpoint handler, 342
    client, launching, 334
    conceptual diagram, 339
    data mutation, 343
    fuzz_client, launching, 346
    fuzz_server memory allocation, 344-345
    fuzz_server snapshot, 343
    fuzz_server, launching, 345
  false positives, 43
  fault detection, 311-312


  hook points, choosing, 331
  language, choosing, 317-319
  memory mutation locations, choosing, 331
  methods
    mutation loop insertion, 308-309, 316
    snapshot restoration mutation, 309-310, 316
  overview, 302-307
  process depth, 310-311
  process hooking, 324-327
    context modifications, 327
    EIP, adjusting, 326
    INT3 opcode, writing, 324
    original bytes at breakpoint address, saving, 324
    software breakpoint, catching, 325
  process snapshots/restores, 327-331
    memory block contents, saving, 329-330
    thread context, saving, 328-329
  reproduction, 43
  required feature sets, 316-317
  restore point, 335
  speed, testing, 310-311
  shortcuts, 42
  snapshot point, 335
  speed, 42
  targets, 307-308
  WS2_32.dll recv() breakpoint, 336
  implementing with PyDbg, 340-345
  method, 335
  OllyDbg, 336-338
  data capture, 335
  server, launching, 334
inputs
  file format fuzzing, 174
  identifying, 27
  web applications
    choosing, 119-121
    cookies, 129
    headers, 128
    identifying, 130-131
    method, 123-125
    post data, 130
    protocol, 128
    request-URI, 126-128
  web browser fuzzing
    ActiveX controls, 273-275
    client-side scripting, 276
    CSS, 275-276
    Flash, 279
    HTML headers, 271
    HTML tags, 271-273
    URLs, 280
    XML tags, 273
Inspector, 18, 312
instructions, tracing, 444-445. See also tracking
INT3 opcode, writing, 324
integers
  handling vulnerabilities, 175-177
  Sulley framework, 390-391
  values, 79-81
integrated development environment (IDE), 503
intelligence
  black box testing, 14
  brute force fuzzing
    file formats, 173-174
    network protocols, 231
  fault detection
    first-chance versus last-chance exceptions, 489-491
    page faults, 474
    software memory corruption vulnerability categories, 475-479
  load monitoring, 182
Interactive Disassembler (IDA), 15
interface IDs (IIDs), 285
interfaces
  COM, 284
  IAcroAXDocShim, 295
  IObjectSafety, 292
  PIDA, 450
  Sulley Web monitoring, 404
Internet protocols, 46
Internet Engineering Task Force (IETF), 54
IObjectSafety interface, 292
Ipswitch
  I-Mail server vulnerability, 420
  Web Calendaring directory traversal, 157
  Whatsup Professional SQL injection attack, 118, 160-162
ITS4 download website, 7

J
Java, 116
JavaScript, 116
Jlint website, 7

K
kill bitting, 292

L
languages (programming)
  choosing, 77
  ECMAScript, 276
  FileFuzz, 210
  frameworks, 352
  iFuzz, 109
  in-memory fuzzing, 317-319
  ProtoFuzz, 256
  Python. See Python
  SPIKEfile/notSPIKEfile tools, 195
  WebFuzz, 148
last-chance exceptions, 489-491


Layer 2 vulnerabilities, 228
Layer 3 vulnerabilities, 229
Layer 4 vulnerabilities, 229
Layer 5 vulnerabilities, 229
Layer 6 vulnerabilities, 230
Layer 7 vulnerabilities, 230
legos, 398-399
libdasm library, 75
libdisasm library, 75
Libnet library, 76
LibPCAP library, 76
libraries
  data types, including
    character translations, 85
    command injection, 87
    directory traversal, 86
    field delimiters, 83-84
    format strings, 85
    integer values, 79-81
    string repetitions, 82
  libdasm, 75
  libdisasm, 75
  Libnet, 76
  LibPCAP, 76
  Metro Packet Library, 76
  packet capture, 256-257
  PaiMei, 299
  preloading, 98-99
  PyDbg, 445-446
  SIPPhoneAPI, 462
  vulnerable web applications, 134
  WinPcap, 256
limitations
  frameworks, 43
  fuzzing
    access control, 29
    backdoors, 30
    design logic, 30
    memory corruption, 31
    multistage vulnerabilities, 32
    resource constraints, 69
  PStalker, 454
LoadTypeLib() routine, 294
local fuzzers, 37
  abort signals, 100
  command-line, 37-38, 89
  environment variable, 38-39, 90-92
    GDB method, 96-97
    getenv function, 98
    library preloading, 98-99
  file format, 39
  iFuzz
    case study, 110-111
    development approach, 105-107
    features, 103-105
    fork, execute, and wait approach, 107
    fork, ptrace/execute, and wait/ptrace approach, 108-109
    getopt hooker, 105
    language, 109
    modules, 104-106
    postdevelopment observations, 111-112
    preloadable getenv fuzzer, 105
  methods, 95
  principles, 92
  problems, detecting, 99-101
  ptrace method, 100
  su application example, 92
  targets, 93-95
log files
  analysis vulnerabilities, 118
  web application fuzzing, 136
logic error vulnerabilities, 177
LogiScan, 17
loops, debug event, 322-323

M
Macbook vulnerability, 228
Macromedia Flash, 115, 279
Macromedia Shockwave Flash. See SWF
malformed arguments, 37
mangleme, 24, 42
manual testing
  applications, 10
  protocol mutation, 35
  RCE, 14-16
Matasano’s Protocol Debugger, 423
MATRIX struct, 379-380
media server vulnerability, 226
memory
  allocating, 344-345, 492
  block contents, saving, 329-330
  corruption, 31
  in-memory fuzzing
    benefits, 302
    control flow diagram example, 306
    example. See in-memory fuzzers, example
    fault detection, 311-312
    hook points, choosing, 331
    language, choosing, 317-319
    memory mutation locations, choosing, 331
    mutation loop insertion, 308-309, 316
    overview, 302, 306-307
    process depth, 310-311
    process hooking, 324-327
    process snapshots/restores, 327-331
    required feature sets, 316-317
    snapshot restoration mutation, 309-310, 316
    speed, testing, 310-311
    targets, 307-308
  mutable blocks, creating, 318
  mutation locations, choosing, 331


  process memory reading/writing, 318-319
  protection attributes, 303
  software memory corruption vulnerabilities, 475
    execution control, transferring, 475-476
    reading addresses, 476-478
    writing to addresses, 478-479
  Windows memory model, 302-306
metadata test case, 179
method input (web applications), 123-125
methods. See also functions; routines
  ActiveX, 293-297
  automatic protocol generation testing, 36
  BeginRead(), 152
  BeginWrite(), 151
  brute force testing, 36
  btnRequest_Click(), 153
  CONNECT, 125
  CreateFile(), 299
  CreateProcess(), 299
  DELETE, 124
  DownloadFile(), 299
  Execute(), 299
  file format fuzzing, 171-174
    brute force, 172-173
    inputs, 174
    intelligent brute force, 173-174
  GET, 123
  GetURL(), 299
  HEAD, 124
  HTTP, 133
  in-memory fuzzing
    mutation loop insertion, 308-309, 316
    process depth, 310-311
    snapshot restoration mutation, 309-310, 316
  local fuzzing, 95
  manual protocol mutation testing, 35
  network protocol fuzzing, 230
    brute force, 231
    generation-based, 231
    intelligent brute force, 231
    modified client mutation, 232
    mutation-based, 231
  OnReadComplete(), 152
  OPTIONS, 125
  POST, 124
  pregenerated test cases, 34
  ptrace, 100
  PUT, 124
  random, 34
  SWF fuzzing, 385
  TRACE, 124
  web browser fuzzing, 269
    approaches, 269-271
    inputs, 275-280
Metro Packet Library, 76
Microsoft
  COM. See COM
  fuzzing, 13
  NDIS protocol driver, 255
  Open XML format, 54
  Remote Procedure Call (MSRPC), 40
  Samba, 420
  security, 498-499
  source code leak, 5
  vulnerabilities
    Excel eBay vulnerability, 199
    GDI+ buffer overflow, 198, 217-220
    Outlook Express NNTP vulnerability discovery, 447-449
    Outlook Web Access Cross-Site Scripting, 117
    PNG, 199
    WMF, 199
  Windows
    Live/Office Live, 114
    memory model, 302-306
  worms, 224-226
Miller, Professor Barton, 22
MLI (mutation loop insertion), 308-309, 316
MMalloc() routine, 81
MoBB (Month of Browser Bugs), 268
modified client mutation fuzzing, 232
modules
  ctypes, 318
  iFuzz, 104-107
monitoring
  ActiveX fuzzer, 299
  automated debugger, 481
    advanced example, 486-489
    architecture, 481
    basic example, 482-484
    PaiMei crash binning utility, 487-489
  exceptions, 28
  instruction execution. See tracking
  network vulnerabilities, 118
Month of Browser Bugs (MoBB), 268
Moore, H.D., 24-25, 42
MSRPC (Microsoft Remote Procedure Call), 40
Mu Security, 25
Mu-4000, 512
multi-option module (iFuzz), 104, 107
Multiple Vendor Cacti Remote File Inclusion Vulnerability website, 118
multistage vulnerabilities, 32
Murphy, Matt, 24
mutable memory blocks, creating, 318
mutation loop insertion (MLI), 309, 308-309, 316
mutation-based fuzzers, 22, 231

N
name–value pairs, 57
naming schemes, 439
NDIS (Network Driver Interface Specification) protocol driver, 255


Needleman-Wunsch , 428 NW (Needleman-Wunsch) algorithm, 428 Netcat, 49 NX (nonexecutable) page permissions, 476 NetMail Networked Messaging Application Protocol. See NMAP O Network Driver Interface Specification (NDIS) protocol OASIS (Organization for the Advancement of Structured driver, 255 Information Standards), 54 Network News Transfer Protocol (NNTP), 447 ODF (OpenDocument format), 54 networks Office Live, 114 adapters, 257-258 OLE (Object Linking and Embedding), 284 client-side vulnerabilities, 223 OllyDbg, 16, 335 layer vulnerabilities, 229 before/after demangle, 336 monitoring, 118, 402 conceptual diagram, 339 protocol fuzzers, 40 parse routine, 338 complex protocols, 40 restore point, 338 defined, 224 WS2_32.dll recv() breakpoint, 336 fault detection, 232-233, 254 OnReadComplete() method, 152 methods, 230-232 Open Document format (ODF), 54 protocol drivers, 255 open protocols, 54 ProtoFuzz. See ProtoFuzz open source disassemble libraries, 75 requirements, 250-253 Open System for Communication in Realtime simple protocols, 40 (OSCAR), 49 server-side vulnerabilities, 223 open XML format, 54 socket communication component, 224 OpenSSH Remote Challenge vulnerability, 226 targets, 226-230 logs, fault detection, 233 application layer, 230 OPTIONS method, 125 categories, 226 Organization for the Advancement of Structured data link layer, 228 Information Standards (OASIS), 54 network layer, 229 OSCAR (Open System for Communication in presentation layer, 230 Realtime), 49 session layer, 229 Outlook Express NNTP vulnerability discovery, 447-449 transport layer, 229 Overflow fuzz variable, 142 vulnerabilities, 226 overflows (stack), 246 UNIX systems, 236 OWASP (WebScarab), 41 SPIKE NMAP fuzzer script, 244-248 targets, 236-237 P Windows. 
See ProtoFuzz packets NMAP (NetMail Networked Messaging Application assembling, 250-251 Protocol), 236 capture libraries, choosing, 256-257 overview, 237-240 page faults, 474 SPIKE NMAP fuzzer script, 245-248 PAGE_EXECUTE attribute, 303 NNTP (Network News Transfer Protocol), 447 PAGE_EXECUTE_READ attribute, 303 nonalphanumeric characters, 83-84 PAGE_EXECUTE_READWRITE attribute, 303 nonexecutable (NX) page permissions, 476 PAGE_NOACCESS attribute, 304 notSPIKEfile, 39 PAGE_READONLY attribute, 304 core fuzzing engine, 184-185 PAGE_READWRITE attribute, 304 exception handling, 183-184 PaiMei framework features, 182 ActiveX fuzzer, 299 forking off/tracing child processes, 185-187 crash binning utility, 487-489 interesting UNIX signals, 187 SWF fuzzing, 385 missing features, 182 target monitoring not interesting UNIX signals, 188 advanced example, 486-489 programming language, 195 basic example, 482-484 RealPix format string vulnerability, 193-195 PAIMEfilefuzz, 39 shell script workarounds, 192 PAIMEIpstalker. See PStalker zombie processes, 189-191 PAM (Percent Accepted Mutation), 429 Novell NetMail IMAPD Command Continuation Request parameters (ActiveX), 293-297 Heap Overflow security advisory, 81 parse() routine, 306


parsing EIP, adjusting, 326 data INT3 opcode, writing, 324 networks, 251-252 original bytes at breakpoint address, saving, 324 ProtoFuzz design, 259-261 points, choosing, 331 framework features, 353 software breakpoint, catching, 325 passing data types, 318 memory Pattern Fuzz (PF), 368 reading, 318 PDB (Protocol Debugger), 423 writing, 319 PDML2AD, 371 monitor agent, 403 Peach framework, 40, 364-366 snapshots/restores code reusability, 366 handling, 327-331 disadvantages, 366 memory block contents, saving, 329-330 generators, 364 thread context, saving, 328-329 groups, 365 state, 64-66 publishers, 364 zombie, 189-191 transformers, 364 process_restore() routine, 345 Percent Accepted Mutation (PAM), 429 process_snapshot() routine, 343 performance profiling targets, 443-444 degradation, 147 ProgIDs (program IDs), 285 monitors, Web browser errors, 282 programming languages PF (Pattern Fuzz), 368 choosing, 77 phases of fuzzing, 29 ECMAScript, 276 exceptions, monitoring, 28 FileFuzz, 210 exploitability, 28 frameworks, 352 fuzz data, executing/generating, 28 iFuzz, 109 inputs, identifying, 27 in-memory fuzzing, 317-319 targets, identifying, 27 ProtoFuzz, 256 vulnerabilities, 281 Python. 
See Python PHP (Hypertext Preprocessor), 115 SPIKEfile/notSPIKEfile tools, 195 phpBB Group phpBB Arbitrary File Disclosure WebFuzz, 148 Vulnerability website, 117 properties (ActiveX), 293-297 PI (Protocol Informatics), 428 proprietary protocols, 54, 421 PIDA interface, 450 Protocol Debugger (PDB), 423 Pierce, Cody, 39 Protocol Informatics (PI), 428 Pin DBI system, 492 protocol-specific fuzz scripts, 244 pinging, error detection, 67 protocol-specific fuzzers (SPIKE), 243 plain text protocols, 48-49 protocols PNG (Portable Network Graphics) vulnerability, 199 AIM, 49-52 post data, web applications input, 130 logon credentials sent, 52 POST method, 124 server reply, 51 postmortem phase (Sulley), 405-409 username, 51 crash bin graphical exploration, 406 automated dissection crash locations, viewing, 405-406 bioinformatics, 427-431 precompile security solution, 480 genetic algorithms, 431-435 pregenerated test cases, 34 heuristic-based, 421-427 preloading libraries, 98-99 binary, 49-52 presentation layer vulnerabilities, 230 block-based representation, 361-362 primitive fault detection, 472-474 complex, 40 principles of local fuzzing, 92 defined, 46 printf() function, 248 documentation, 421 Process Stalker. See PStalker drivers, 255 processes elements child, forking off and tracing, 185-187 block identifiers, 58 depth, 64-66 block sizes, 58 hooking, 324-327 checksums, 58 context modifications, 327 name–value pairs, 57


emulating with Dfuz, 359 fuzz variables, 261 fields, 46-48 hexadecimal encoding/decoding, 262 FTP, 48 network adapters, 257-258 fuzzing, 419-421 parsing data, 259-261 hierarchical breakdown, 424 disadvantages, 264-265 HTTP, 122 fuzz variables, 253 ICMP, 429-430 goals, 255 Internet, 46 NDIS protocol driver, 255 modeling, 352 packets network fuzzers, 40, 53-54 assembling, 250-251 application layer vulnerabilities, 230 capture library, choosing, 256-257 complex protocols, 40 parsing data, 251-252 data capture, 251 programming language, 256 data link layer vulnerabilities, 228 sending data, 253 defined, 224 PROTOS, 23, 458-460, 510 fault detection, 232-233, 254 ProtoVer Professional, 512 fuzz variables, 253 proxy fuzzing, 422-423 methods, 230-231 ProxyFuzzer, 422-424 modified client mutation, 232 pseudo-random data generation, 353 network layer vulnerabilities, 229 PStalker packet assembling, 250-251 data parsing data, 251-252 capture, 454 presentation layer vulnerabilities, 230 exploration, 453 protocol drivers, 255 sources, 452-453 ProtoFuzz. See ProtoFuzz storage, 454-457 sending data, 253 Gizmo Project case study session layer vulnerabilities, 229 data sources, 462 simple protocols, 40 execution, monitoring, 464-465 socket communication component, 224 features list, 457 targets, 226-230 results, 465 transport layer vulnerabilities, 229 SIP packets, testing, 458-461 UNIX systems, 236-237, 244-247 SIP processing code, 462 Windows systems. 
See ProtoFuzz strategy, 458-461 NMAP, 236 tags, choosing, 462 overview, 237-240 tracking capture options, 462-463 SPIKE NMAP fuzzer script, 244-247 layout overview, 451-452 NNTP, 447 limitations, 454 open, 54 ptrace method, 76, 100 overview, 45 PTRACE_TRACEMENT request, 187 plain text, 48-49 PureFuzz, 367 proprietary, 54, 421 PUT method, 124 simple, 40 PyDbg class, 332-334 SIP in-memory fuzzer implementation, 340-345 processing code, 462 single stepper tracking tool implementation, 445-446 testing, 458-461 Python testing ctypes module, 318 automatic protocol generation testing, 36 extensions, 77 manual protocol mutation testing, 35 interfacing with COM, 287 third-party, 421 PaiMei framework, 449 TLV style syntax, 352 advanced target monitoring, 486-489 web applications input, 128 basic target monitoring, 482-484 ProtoFuzz components, 450 case study, 262-264 crash binning utility, 487-489 data capture, 251 PIDA interface, 450 design, 257, 262 PStalker module. See PStalker data capture, 258-259 SWF fuzzing, 385 Protocol Informatics (PI), 428


PyDbg class, 332, 334, 332 Requests for Comment (RFCs), 54 in-memory fuzzer implementation, 340-345 researches single stepper tracking tool QA, 504 implementation, 445-446 security, 504-505 PythonWin COM browser, 288 resource constraints, 69 PythonWin type library browser, 288 responses error messages, 146-147 Q user input, 147 QA Researchers, 504 Web application fuzzing, 143 WebFuzz, 155-156 R restores race condition vulnerabilities, 178 points Raff, Aviv, 24, 42 fuzz_server.exe, 335 random fuzzing, 367 OllyDbg, 338 random primitives, 389-390 processes random testing, 34 handling, 327-331 randomize() routine, 378 memory block contents, saving, 329-330 Rational Purify, 492 thread context, saving, 328-329 RATS (Rough Auditing Tool for Security), 7-8 return codes, 179 RCE (reverse code engineering), binary auditing reusability, 43, 62-64 automated, 17-18 reverse code engineering (RCE), 14 manual, 14-16 frameworks (PaiMei), 449-450. reading See also PStalker addresses, 476-478 RFCs (Requests for Comment), 54 process memory, 318 RGB struct, 378 ReadProcessMemory() function, 318 RISC (Reduced Instruction Set Computer) RealPlayer architecture, 438 RealPix format string vulnerability, 193-195 Rough Auditing Tool for Security (RATS), 8 shell script workaround, 192 routines. 
See also functions; methods RealServer ../ DESCRIBE vulnerability, 226 ap.getPayload(), 356 ReceivePacket() function, 259 av_handler(), 483 recordings (tracking), filtering, 446 bp_set(), 333 record_crash() routine, 483, 487 ContinueDebugEvent(), 323 RECT struct, 378 DebugActiveProcess(), 321 Reduced Instruction Set Computer (RISC) DebugSetProcessKillOnExit(), 321 architecture, 438 flatten(), 378 registering callbacks, 401-402 func_resolve(), 333 remote access services vulnerability, 226 GetFuncDesc(), 296 remote , 134 GetNames(), 295 remote fuzzers, 39 GetThreadContext(), 327 network protocol, 40 GetTypeInfoCount(), 294 web application, 41 handler_bp(), 333 web browser, 41-42 LoadTypeLib(), 294 repeaters as block helpers, 396 MMalloc(), 81 reporting exceptions, 183-184 parse(), 306 reproducibility, 62 process_restore(), 345 black box testing, 13 process_snapshot(), 343 value of automation, 74 randomize(), 378 reproduction, in-memory fuzzing, 43 record_crash(), 483, 487 request-URI input (web applications), 126-128 s_checksum(), 396 requests self.push(), 398 HTTP, 144 setMaxSize(), 356 PTRACE_TRACEME, 187 setMode(), 356 Sulley, 410-411 SetThreadContext(), 327 timeouts, 147 set_callback(), 333 Web application fuzzing, 140-141 smart(), 378 WebFuzz, 153-155


s_repeat(), 396 servers sscanf(), 427 data capture example, 335 s_sizer(), 395 launching, 334 strcpy(), 5 media vulnerability, 226 syslog(), 478 Microsoft worms vulnerabilities, 224-226 Thread32First(), 328 sessions to_binary(), 378 layer vulnerabilities, 229 to_decimal, 378 Sulley framework, 399 unmarshal(), 306 callbacks, registering, 401-402 VirtualQueryEx(), 329 creating, 411-413 write_process_memory(), 344 instantiating, 401 xmlComposeString(), 407 linking requests into graphs, 399-401 Royce, Winston. See waterfall model targets and agents, 402-404 RPC DCOM Buffer Overflow vulnerability, 226 Web monitoring interface, 404 RPC-based services vulnerabilities, 226 setgid bits, 93 rule files (Dfuz), 359-360 setMaxSize() routine, 356 setMode() routine, 356 S SetThreadContext() API, 327 Samba, 420 setuid applications, 37 SAP Web Application Server sap-exiturl Header HTTP setuid bits, 93 Response Splitting website, 117 set_callback() routine, 333 saving SGML (Standardized General Markup Language), 273 audits, 204-205 Sharefuzz, 24, 38 memory block contents, 329-330 Shockwave Flash. 
See SWF original bytes at breakpoint address, 324 Sidewinder (GAs), 433-434 test case metadata, 179 SIGABRT signal, 188 thread context, 328-329 SIGALRM signal, 188 s_block_end() function, 242, 392 SIGBUS signal, 188 s_block_start() function, 242, 392 SIGCHLD signal, 188 s_checksum() routine, 396 SIGFPE signal, 188 scripts SIGILL signal, 188 client-side scripting vulnerabilities, 276 SIGKILL signal, 188 protocol-specific fuzz, 244 signals SPIKE NMAP fuzzer, 244-248 handlers, 31 XSS scripting case study, 163-166 UNIX, 187-188 SDL (Security Development Lifecycle), 498 SIGSEGV signal, 31, 188 SDLC (software development lifecycle), 69 SIGSYS signal, 188 Microsoft SDL, 498 SIGTERM signal, 188 security, 69 simple protocols, 40 waterfall model, 499 simple stack vulnerabilities, 177 analysis, 500 Simple Web Server buffer overflow, 159 coding, 501-502 single-option modules (iFuzz), 104, 107 design, 500-501 SIP maintenance, 502-503 processing code, 462 testing, 502 testing, 458-461 secure shell (SSH) servers, 64 SIPPhoneAPI library, 462 security sizers as block helpers, 395-396 development lifecycle, 498 Slammer worm, 225 Microsoft, 499 smart data sets, 81 researchers, 504-505 smart() routine, 378 software development lifecycle. See SDLC Smith-Waterman (SW) local sequence alignment zone vulnerabilities, 281 algorithm, 428 SecurityReview, 18 snapshots SEH (Structured Exception Handler), 484 fuzz_server.exe, 343 self.push() routine, 398 points, 335 sequences, aligning, 427


processes stacks handling, 328-331 fault detection example, 477 memory block contents, saving, 329-330 overflow vulnerabilities thread context, saving, 328-329 Hewlett-Packard Mercury LoadRunner, 263 restoration mutation (SRM), 309-310, 316 NMAP protocol, 246 socket communication, 224 unwinding, 485 software Standardized General Markup Language (SGML), 273 breakpoints, 324 start points (basic blocks), 440 development lifecycles. See SDLC state (process), 64-66 memory corruption vulnerabilities, 475 static primitives, 389-390 execution control, transferring, 475-476 stepping, 473 reading addresses, 476-478 stop points (basic blocks), 440 writing to addresses, 478-479 storage (data), 455-457 source code strcpy() routine, 5 browsers, 7 strings white box testing analysis, 4-9 format, 85 SPI Dynamics, 41 file format vulnerabilities, 177 SPI Dynamics Free Bank application vulnerability, 163- RealPlayer RealPix format string vulnerability, 193- 164 195 SPI Fuzzer, 41, 138 vulnerabilities, 85, 477 SPIKE, 23, 40, 361-364 primitives, 383 block-based protocol repetitions, 82 modeling, 242 Sulley framework, 391 representation, 361-362 Structured Exception Handler (SEH), 484 disadvantage, 363 su application example, 92 FTP fuzzer, 362-363 Sulley framework, 386-387 fuzz engine, 240 block helpers, 395 generic line-based TCP fuzzer, 240-243 checksums, 396 generic script-based fuzzer, 244 example, 397 protocol-specific fuzzers, 243-244 repeaters, 396 Proxy, 138 sizers, 395-396 UNIX fuzzing, 236 blocks, 392 SPIKE NMAP fuzzer script, 244-248 dependencies, 394-395 targets, 236-237 encoders, 394 SPIKEfile grouping, 392-393 core fuzzing engine, 184-185 data types, 388-390 exceptions delimiters, 391 detection engine, 183 directory structure, 387-388 reporting, 183-184 download website, 386 features, 182 environment, setting up, 413 forking off/tracing child processes, 185-187 features, 386 interesting UNIX signals, 187 fuzzers, launching, 414-416 missing features, 182 integers, 390-391 
not interesting UNIX signals, 188 legos, 398-399 programming language, 195 postmortem phase, 405-409 shell script workarounds, 192 requests, building, 410-411 zombie processes, 189-191 RPC endpoint walkthrough, 409-410 Splint website, 7 environment, setting up, 413 SQL injections launching, 414-416 case study (Web applications), 160-162 requests, building, 410-411 vulnerabilities, 132 sessions, creating, 411-413 s_repeat() routine, 396 sessions, 399 SRM (snapshot restoration mutation), 309-310, 316 callbacks, registering, 401-402 sscanf() routine, 427 creating, 411-413 SSH (secure shell) servers, 64 instantiating, 401 s_sizer() routine, 395 linking requests into graphs, 399-401


targets and agents, 402-404 web browsers, 269 Web monitoring interface, 404 Windows file formats strings, 391 identifying, 205-209 SuperGPF, 368 Windows Explorer, 206-209 Sutton,Michael,39 Windows Registry, 209 SW (Smith-Waterman) local sequence alignment algo- TCP/IP vulnerabilities, 229 rithm, 428 TcpClient class, 148-149 sweeping applications, 10 TEBs (thread environment blocks), 485 SWF (Shockwave Flash), 372 test cases bit_field class, 378 connectivity checks, 472 component relationships, 383 metadata, saving, 179 data testing generation, 384 black box, 9 structures, 374-377 fuzzing, 12 dependent_bit_field class, 379 manual, 10 environment, 385 pros/cons, 13-14 header, 372-373 gray box, 14 MATRIX struct, 379-380 binary auditing, 14-18 methods, 385 pros/cons, 18 RECT/RGB structs, 378 SDLC, 502 string primitives, 383 white box SWF files, modeling, 374 pros/cons, 9 tags, 374, 380-382 source code analysis, 4-5 syslog() routine, 478 tools, 6-8 third-party protocols, 421 T threads taboo() function, 475 context, saving, 328-329 tag vulnerabilities environment blocks (TEBs), 485 HTML, 271-273 Thread32First() API, 328 XML, 273 Tikiwiki tiki-user_preferences Command Injection targets Vulnerability website, 117 audiences for fuzzing, 503-504 TLV (Type, Length, Value) style syntax, 352 debugger-assisted monitoring, 481 tools. 
See also debuggers advanced example, 486-489 Autodafe[as], 369-371 architecture, 481 AxMan, 275 basic example, 482-484 beSTORM, 138, 508 PaiMei crash binning utility, 487-489 BinAudit, 18 file format fuzzing, 170-171 BoundsChecker, 493 identifying, 27 BreakingPoint, 509 in-memory fuzzing, 307-308 BugScam, 17 local fuzzing, 93-95 clfuzz, 38 network protocol fuzzing, 226-230 Codenomicon, 510-511 application layer, 230 foundation, 23 categories, 226 HTTP test tools, 41, 138 data link layer, 228 COM Raider, 42 network layer, 229 compile time checkers, 6 presentation layer, 230 COMRaider, 25, 42, 275 session layer, 229 Convert, 367 transport layer, 229 crash binning, 487-489 profiling, 443-444 crashbin_explorer.py, 405 setuid applications, 37 CSSDIE, 276, 275, 42 Sulley sessions, 402-404 DevInspect, 504 UNIX, 236-237 Dfuz, 357-360 web application fuzzing data sources, 358 environment, configuring, 118-119 functions, 357-358 examples, 117-118 lists, declaring, 358 inputs. See web application fuzzing, inputs protocols, emulating, 359


rule files, 359-360 publishers, 364 variables, defining, 357 transformers, 364 DOM-Hanoi, 42 Process Stalker. See PStalker FileFuzz, 39 ProtoFuzz applications, launching, 203 case study, 262-264 ASCII text files, 202 data capture, 251, 258-259 audits, saving, 204-205 disadvantages, 264-265 benefits, 221 fuzz variables, 253, 261 binary files, 201 goals, 255 case study, 217-220 hexadecimal encoding/decoding, 262 development. See FileFuzz, development NDIS protocol driver, 255 error detection, 67 network adapters, 257-258 exception detection, 203-204 packet capture library, choosing, 256-257 features, 201 packets, assembling, 250-251 future improvements, 221 parsing data, 259-261 goals, 200 programming language, 256 fuzz_trend_server_protect_5268.py, 414-416 sending data, 253 GPF, 366-369 PROTOS, 458-460, 510 Hamachi, 42 ProtoVer Professional, 512 Holodeck, 514-515 ProxyFuzzer, 422-424 iFuzz, 38 PStalker case study, 110-111 data capture, 454 development approach, 105-107 data exploration, 453 features, 103-105 data sources, 452-453 fork, execute, and wait approach, 107 data storage, 455-457 fork, ptrace/execute, and wait/ptrace Gizmo Project case study. 
See Gizmo Project case approach, 108-109 study getopt hooker, 105 layout overview, 451-452 language, 109 limitations, 454 modules, 104-107 ptrace(), 76 postdevelopment observations, 111-112 PureFuzz, 367 Inspector, 18, 312 Python extensions, 77 LogiScan, 17 Rational Purify, 492 mangleme, 42 SecurityReview, 18 Mu-4000, 512 Sharefuzz, 38 Netcat, 49 Sidewinder, 433-434 notSPIKEfile, 39 source code, 7 core fuzzing engine, 184-185 SPI Fuzzer, 41, 138 exception handling, 183-184 SPIKE, 361, 362, 40, 364 features, 182 block-based protocol modeling, 242 forking off/tracing child processes, 185-187 block-based protocol representation, 361-362 interesting UNIX signals, 187 disadvantage, 363 missing features, 182 FTP fuzzer, 362-363 not interesting UNIX signals, 188 fuzz engine, 240 programming language, 195 generic line-based TCP fuzzer, 240-243 RealPix format string vulnerability, 193-195 generic script-based fuzzer, 244 shell script workarounds, 192 protocol-specific fuzzers, 243 zombie processes, 189-191 Proxy, 138 PAIMEfilefuzz, 39 UNIX fuzzing, 236-237, 244-248 Pattern Fuzz, 368 SPIKE Proxy, 138 PDML2AD, 371 SPIKEfile Peach, 40, 364-366 core fuzzing engine, 184-185 code reusability, 366 exception detection engine, 183 disadvantages, 366 exception reporting, 183-184 generators, 364 features, 182 groups, 365 forking off/tracing child processes, 185-187


interesting UNIX signals, 187 TcpClient class, 148-149 missing features, 182 user input, 147 not interesting UNIX signals, 188 vulnerabilities, identifying, 145-147 programming language, 195 XSS scripting case study, 163-166 shell script workarounds, 192 WebScarab, 41, 131, 138 zombie processes, 189-191 white box testing, 6-8 Sulley framework, 387, 386 Wireshark, 75 block helpers, 395-397 to_binary() routine, 378 blocks, 392-395 to_decimal() routine, 378 data types, 388-390 TRACE method, 124 delimiters, 391 tracing directory structure, 387-388 child processes, 185-187 download website, 386 instruction execution, 444-445 environment, setting up, 413 tracking features, 386 benefits, 466-467 fuzzers, launching, 414-416 binary visualization, 439 integers, 390-391 call graphs, 439 legos, 398-399 CFGs, 440-441 postmortem phase, 405-409 future improvements, 467-469 requests, building, 410-411 as metrics, 66 RPC endpoint walkthrough, 409-416 Outlook Express NNTP vulnerability, 447-449 sessions. See Sulley framework, sessions overview, 437-439 strings, 391 PaiMei framework, 449-450 SuperGPF, 368 PStalker tool tracking data capture, 454 benefits, 466-467 data exploration, 453 binary visualization, 439-441 data sources, 452-453 future improvements, 467-469 data storage, 454-457 as metrics, 66 Gizmo Project case study. See Gizmo Project case Outlook Express NNTP vulnerability, 447-449 study overview, 437-439 layout overview, 451-452 PaiMei framework, 449-450 limitations, 454 PStalker. 
See PStalker PyDbg single stepper tool, 445-446 PyDbg single stepper tool, 445-446 tool development, 442 tool development, 442-447 basic blocks, tracking, 444 TXT2AD, 371 cross-referencing, 447 Valgrind, 493 instruction execution, tracing, 444-445 WebFuzz recordings, filtering, 446 approach, 148 target profiling, 443-444 asynchronous sockets, 150-153 traffic generation, 509 benefits, 166 transformers, 364 buffer overflow case study, 158-160 transport layer vulnerabilities, 229 directory traversal case study, 156-157 Trend Micro Control Manager directory traversal, 156 error messages, 146-147 Tridgell, Andrew, 420 future improvements, 166 Trustworthy Computing Security Development Lifecycle fuzz variables, 142 document (Microsoft), 13 generating requests, 153-155 TXT2AD, 371 handled/unhandled exceptions, 147 Type, Length, Value (TLV) style syntax, 352 HTML status codes, 146 HTTP requests, identifying, 144 U performance degradation, 147 UNIX programming language, choosing, 148 file format fuzzing. See SPIKEfile; notSPIKEfile request timeouts, 147 file permissions, 95 requests, 140-141 interesting/not interesting signals, 187-188 responses, 143, 155-156 targets, 236-237 SQL injection case study, 160-162 unmarshal() routine, 306


unwinding stacks, 485 heap overflows, 177 UPGMA (Unweighted Pairwise Mean by Arithmetic integer handling, 175-177 Averages) algorithm, 429 logic errors, 177 URL vulnerabilities, 280 race conditions, 178 User-Agent header, 122 simple stack, 177 utilities. See tools Flash, 279 format strings, 85, 106, 477 V GAs, 433 Valgrind, 493 GDI+ buffer overflow, 198, 217-220 values (fuzz), 480-481 heap overflow, 129 variable length fields (protocols), 48 HTML variables headers, 271 defining, 357 tags, 271-273 environment, 38-39, 90-92 hybrid analysis approach, 515 GDB method, 96-97 Ipswitch I-Mail, 420 getenv function, 98 libraries, 134 library preloading, 98-99 log analysis, 118 network protocols, 253 media servers, 226 ProtoFuzz design, 261 Microsoft source code leak, 5 Web application fuzzing, 142 network VARIANT data structure, 293 layer, 229 Vector Markup Language (VML), 273 monitoring, 118 viewing target categories, 226 crash locations, 405-406 NMAP stack overflow, 246 fault detections, 406 Outlook Express NNTP, 447-449 VirtualQueryEx() routine, 329 phishing, 281 VML (Vector Markup Language), 273 PNG, 199 VMs (virtual machines), 119 precompile security solution, 480 VMWare control agent, 403 presentation layer, 230 vulnerabilities RealPlayer RealPix format string, 193-195 ActiveX controls, 273-275 remote access services, 226 address bar spoofing, 281 RPC-based services, 226 Apple Macbook, 228 security zones, 281 application layer, 230 server-side, 223-226 Brightstor backup software, 424 software memory corruption, 475 buffer overflows, 130, 281 execution control, transferring, 475-476 client-side, 223, 280-282 reading addresses, 476-478 client-side scripting, 276 writing to addresses, 478-479 commands SPI Dynamics Free Bank application, 163-164 execution, 281 stack overflow injection, 87 Hewlett-Packard Mercury LoadRunner, 263 cross-domain restriction bypass, 281 NMAP protocol, 246 CSS, 275-276 TCP/IP, 229 data link layer, 228 transport layer, 229 data session link layer, 
229 URLs, 280 directory traversal, 86 web applications, 132-135 discussion boards, 117 Web Mail, 117 DoS, 280 weblogs, 117 ERP, 117 Wikis, 117 Excel eBay, 199 Windows file formatting, 197-198 file formats winnuke attack, 229 DoS, 175 WinZip FileView, 298 examples, 170 WMF, 199 format strings, 177 XML tags, 273


W WebScarab, 138 waterfall model, 499 XSS scripting case study, 163-166 analysis, 500 web browser fuzzing, 41-42 coding, 501-502 ActiveX, 287-289 design, 500-501 heuristics, 298 maintenance, 502-503 loadable controls, enumerating, 289-293 testing, 502 monitoring, 299 weak access control, 132 properties, methods, parameters, and types, 294-297 weak authentication, 133 test cases, 298 weak session management, 133 approaches, 269-271 web application fuzzing, 41, 138 fault detection, 282 benefits, 166 heap overflows, 277-279 beSTORM, 138, 508 history, 24 buffer overflows, 130, 158-160 inputs, 271 Codenomicon, 138 ActiveX controls, 273-275 configuring, 118-119 client-side scripting, 276 development CSS, 275-276 approach, 148 Flash, 279 asynchronous sockets, 150-153 HTML headers, 271 programming language, choosing, 148 HTML tags, 271-273 requests, generating, 153-155 URLs, 280 responses, receiving, 155-156 XML tags, 273 TcpClient class, 148-149 methods, 269 directory traversal case study, 156-157 approaches, 269-271 Ipswitch Imail Web Calendaring, 157 inputs, 275-280 Trend Micro Control Manager, 156 Month of Browser Bugs, 268 error messages, 146-147 overview, 268 exceptions, detecting, 135-136 targets, 269 future improvements, 166 vulnerabilities, 280-282 fuzz variables, 142 Web Mail vulnerabilities, 117 handled/unhandled exceptions, 147 Web monitoring interface (Sulley), 404 heap overflow vulnerability, 129 web server error messages, 135 HTML status codes, 146 web sites HTTP requests, identifying, 144 AWStats Remote Command Execution inputs Vulnerability, 118 choosing, 119-121 CodeSpy, 7 cookies, 129 Flawfinder, 7 headers, 128 ITS4, 7 identifying, 130-131 Jlint, 7 method, 123-125 Splint, 7 post data, 130 Sulley download, 386 protocol, 128 vulnerabilities request-URI, 126-128 IpSwitch WhatsUp Professional 2005 (SP1) SQL overview, 113-115 Injection, 118 performance degradation, 147 Web Access Cross Site request timeouts, 147 Scripting, 117 requests, 140-141 Multiple 
Vendor Cacti Remote File Inclusion, 118 responses, 143 OpenSSH Remote Challenge, 226 SPI Fuzzer, 138 phpBB Group phpBB Arbitrary File Disclosure, 117 SPIKE Proxy, 138 RATS download, 7 SQL injection case study, 160-162 RealServer ../ DESCRIBE, 226 targets, 117-118 RPC DCOM Buffer Overflow, 226 technologies, 115 SAP Web Application Server sap-exiturl Header user input, 147 HTTP Response Splitting, 117 vulnerabilities, 132-135, 145-147 Tikiwiki tiki-user_preferences Command Injection, 117


WinZip MIME Parsing Buffer Overflow Windows advisory, 170 debugging API, 320-323, 332-333 WordPress Cookie cache_lastpostdate Variable Explorer file format targets, 206, 209 Arbitrary PHP Code Execution, 117 file format fuzzing, 205-209 Wireshark, 335 file format vulnerabilities, 197-198. See also FileFuzz Wotsit, 421 Live, 114 WebFuzz memory model, 302-303, 306 benefits, 166 Meta File (WMF) vulnerability, 199 buffer overflow case study, 158-160 Registry, file format targets, 209 development winnuke attack, 229 approach, 148 WinPcap library, 256 asynchronous sockets, 150-153 WINRAR, 174 programming language, choosing, 148 WinZip vulnerabilities requests, generating, 153-155 FileView ActiveX Control Unsafe Method Exposure, responses, receiving, 155-156 298 TcpClient class, 148-149 MIME Parsing Buffer Overflow, 170 directory traversal case study, 156-157 Wireshark, 75 error messages, 146-147 sniffer, 237 future improvements, 166 web site, 335 fuzz variables, 142 WMF (Windows Meta File) vulnerability, 199 handled/unhandled exceptions, 147 WordPress Cookie cache_lastpostdate Variable Arbitrary HTML status codes, 146 PHP Code Execution web site, 117 HTTP requests, identifying, 144 worms (Microsoft), 224-226 performance degradation, 147 Wotsit web site, 421 request timeouts, 147 WriteProcessMemory() function, 319 requests, 140-141 write_process_memory() routine, 344 responses, 143 writing SQL injection case study, 160-162 addresses, 478-479 user input, 147 INT3 opcode, 324 vulnerabilities, identifying, 145-147 process memory, 319 XSS scripting case study, 163-166 WS2_32.dll recv() breakpoint, 336 weblog vulnerabilities, 117 WebScarab, 41, 131, 138 X white box testing XDR (External Data Representation), 230 pros/cons, 9 XML tag vulnerabilities, 273 source code analysis, 4-5 xmlComposeString() routine, 407 tools, 6-8 XSS (cross-site scripting), 132, 163-166 Wikis vulnerabilities, 117 WinDbg, 16 Y – Z Zalewski, Michal, 24 Zimmer, David, 25, 42 Zoller, Thierry, 24 zombie 
processes, 189-191
