Introduction
Containers and Codecs Fuzzing Exposing Vulnerabilities in Media Software Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis David Thiel, iSEC Partners Other formats and features Results
Finding root causes March 31st, 2008 Collateral damage and future directions
Summary Agenda
1 Introduction
Introduction 2 Containers and Codecs Containers and Codecs 3 Fuzzing Fuzzing Fuzzing Fuzzing Techniques Techniques Fuzzing Tools Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Fuzzbox Other formats and features Case study: Ogg-Vorbis Results Other formats and features Finding root causes 4 Results Collateral damage and future 5 Finding root causes directions Summary 6 Collateral damage and future directions Introduction
Hello
Introduction I’m a consultant and researcher with iSEC Partners
Containers Focus on application security and Codecs Audio hobbyist (definitely no expert) Fuzzing Fuzzing What’s this all about? Techniques Fuzzing Tools The attack surface and potential of media codecs, players Fuzzbox Case study: and related devices Ogg-Vorbis Other formats Focus here is slightly on audio, but that doesn’t matter and features Video works the same way, and uses the same container Results formats Finding root causes Takeaways Collateral damage and Understand attack surface and implications future Understand how to fuzz and design fuzzers for media directions Help developers understand how to improve code Summary Plant ideas for future research Why this matters
Omnipresent and always on Introduction Promiscuously shared, played, streamed Containers Comes from extremely untrusted, often anonymous sources and Codecs Most don’t think to refrain from playing “untrusted” media Fuzzing Fuzzing And most browsers will play automatically anyhow Techniques Fuzzing Tools It’s political Fuzzbox Case study: Ogg-Vorbis There are people out there who don’t like you stealing Other formats and features music: the RIAA, and companies like Sony Results Exploits here are ripe for corporate abuse—it’s happened
Finding root before causes It’s “rich” Collateral damage and Media playback/parsing software is almost by definition future directions “excessively functional”
Summary Does tons of parsing Why media security is under-explored
Introduction Modern codecs are designed to be resistant to corruption Containers Bit-flipping an Ogg file, for example, will usually not work and Codecs Example: zzuf, a popular bit-flipping fuzzer, noted VLC as Fuzzing Fuzzing being “robust” against fuzzing of Vorbis, Theora, FLAC Techniques Fuzzing Tools As zzuf notes, this does not mean there are no bugs; we Fuzzbox Case study: just need a targeted fuzzer Ogg-Vorbis Other formats Deep research not historically necessary and features Results Most media software exploits thus far have been simple:
Finding root long playlists, URL names, etc. causes Few attacks using media files themselves Collateral Even fewer targeting things on the codec level damage and future But this is changing as of late directions
Summary Terminology: Containers and Codecs
Introduction Container formats organize multiple types of media Containers and Codecs streams and metadata
Fuzzing “tags”—content describing end-user relevant data Fuzzing Techniques subtitles Fuzzing Tools Fuzzbox sync data, frame ordering Case study: Ogg-Vorbis management of separate bitstreams Other formats and features Codec data describes and contains the actual video/audio Results sample rate Finding root bitrate causes channels Collateral damage and compressed or raw media data future directions
Summary Examples: Containers and Codecs
Introduction Examples of media containers:
Containers AVI and Codecs Ogg Fuzzing MPEG-2 Fuzzing Techniques MP4 Fuzzing Tools Fuzzbox ASF Case study: Ogg-Vorbis Other formats Examples of media codecs: and features DivX Results Vorbis Finding root causes Theora
Collateral WMV damage and future Xvid directions Sorenson Summary What to fuzz
Introduction Two main areas are important here Containers and Codecs Content metadata Fuzzing ID3, APEv2, Vorbis comments, album art, etc. Fuzzing Techniques Because many types allow arbitrarily large content, this is Fuzzing Tools Fuzzbox a great place to store shellcode with plenty of NOP Case study: Ogg-Vorbis cushion—even if the bug isn’t in metadata parsing Other formats and features Frame data Results Mostly interested in the frame header Finding root causes Contains structural data describing overall file layout: sample rate, number of frames, frame size, channels Collateral damage and Can be multiple types of frame headers in a file future directions
Summary What to fuzz it with
Introduction Traditional random strings
Containers Repeating one random ASCII char to help us spot stack and Codecs pointer overwrites Fuzzing Random unicode, encoded in funny ways Fuzzing Techniques Random signed ints Fuzzing Tools Fuzzbox Case study: Bunch of “%n” format strings to give us some memory Ogg-Vorbis Other formats corruption and features Results Fencepost numbers Finding root causes HTML, more on this later Collateral URLs—for catching URL pingbacks damage and future directions Perhaps other injection types—SQL, XML
Summary How to fuzz it
Three possible approaches Introduction Reach in and just mangle Containers and Codecs Might work, might not Works a sad amount of the time Fuzzing Fuzzing But, misses a lot of attack classes Techniques Fuzzing Tools Use existing parsing libraries Fuzzbox Case study: Ogg-Vorbis Works well, but usually requires patching the libs Other formats and features Built-in error handling will trip us up Results Metadata editing libraries don’t always allow changing of
Finding root data we want causes Use this for basic stuff like ID3 tags and Vorbis comments Collateral damage and Make your own frame parser future directions Sometimes quick and easy, sometimes painful
Summary But turns up some great bugs The fuzzer’s toolbox A few tools to make fuzzing and parsing easier
Introduction hachoir: Dissects many file types visually Containers and Codecs mutagen: Help in mangling audio tags and understanding Fuzzing Fuzzing file layout Techniques Fuzzing Tools vbindiff: Shows differences between fuzzed and non-fuzzed Fuzzbox Case study: Ogg-Vorbis files Other formats and features bvi: A hex editor with keybindings similar to a certain one Results true editor Finding root causes bbe: sed for binary streams Collateral damage and gdb: Love it or hate it, it’s all you get future directions
Summary Fuzzbox
A multi-codec audio/video stream fuzzer, written in Introduction
Containers Python and Codecs Targets specific stream formats, no general file fuzzing Fuzzing Fuzzing Techniques Uses third party libs like py-vorbis and mutagen for Fuzzing Tools Fuzzbox metadata fuzzing Case study: Ogg-Vorbis Uses built-in frame parsing for frame fuzzing Other formats and features Results Not another fuzzing framework Finding root Just a real-world fuzzer used in pen-testing: quick, dirty causes and targeted Collateral damage and future Available at directions https://www.isecpartners.com/tools.html Summary Fuzzbox Supported filetypes
Introduction
Containers Ogg and Codecs
Fuzzing FLAC Fuzzing Techniques ASF (i.e., WMV, WMA) Fuzzing Tools Fuzzbox Case study: MP3 Ogg-Vorbis Other formats and features Quicktime/MP4 Results Speex Finding root causes WAV Collateral AIFF damage and future directions
Summary Case study: Ogg-Vorbis Ogg frame structure
Excellent free codec
Introduction Well documented Containers and Codecs Not just for hippies Fuzzing Unencumbered status gets it into many things Fuzzing Techniques Fuzzing Tools Consists of an Ogg container. . . Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Vorbis frame structure
Introduction
Containers and Codecs Fuzzing . . . and a Vorbis center Fuzzing Techniques Fuzzing Tools Also “Vorbis comments” Fuzzbox Case study: Simple name/value pairs—can be any length or content, Ogg-Vorbis Other formats but some have special meaning and features Easiest to use existing libs for this—in this case, py-vorbis Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Vorbis comment structure
Typical tags used in Vorbis comments:
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Ogg and Vorbis frame data in Python
Mercifully 8-bit aligned—Vorbis portion starts at “12version”
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Comments and frame data loaded, feed to fuzzer
Transforms are defined in randjunk.py:
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Data fuzzed, writing back out
Comments just write back in. Frame data needs to be packed:
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Case study: Ogg-Vorbis Fixing the CRC
Every Ogg frame has a CRC to prevent corruption. Also hides
Introduction bugs, but easy enough to fix:
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Other supported formats
FLAC Introduction Lossless audio—uses Vorbis comments for metadata, can Containers and Codecs use Ogg as a container (and usually does) Fuzzing MP3 Fuzzing Techniques Metadata with ID3 Fuzzing Tools Fuzzbox ID3v1 Case study: Ogg-Vorbis Length limited Other formats and features Stored at end of file Results Great for rewriting, awful for streaming Finding root ID3v2 causes Massively structured and complex Collateral damage and Incompletely supported future Obsessively detailed directions Better for streaming, otherwise uniformly awful Summary Example: ID3v2’s OCD “APIC” picture attachment tag
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Even more supported formats
Introduction WAV and AIFF Containers What’s to attack in “raw” audio? and Codecs Not a lot, but it still works Fuzzing Fuzzing Sample width, framerate, frame number; all things that Techniques Fuzzing Tools can expose integer bugs Fuzzbox Case study: WAV and AIFF parsing libraries are included with Python Ogg-Vorbis Other formats (but need patched) and features Results Speex
Finding root Optimized for speech causes Used in several high-profile third-party products Collateral Uses Vorbis comments for metadata damage and future Often stored in an Ogg container directions
Summary And yet more formats
Introduction MP4 Containers and Codecs Often used for AAC, but can also contain many other Fuzzing video and audio types Fuzzing Techniques Comprised of a series of FOURCC “atoms” Fuzzing Tools Fuzzbox Combines functionality of tags/comments and lower level Case study: Ogg-Vorbis descriptions like sample rate, positional info Other formats and features In true Apple fashion, not officially documented Results ASF Finding root causes Container format for MS WMA and WMV files WMA used on portable devices, WMVs distributed widely Collateral damage and online future directions
Summary Setting up a fuzzer run Basic usage of Fuzzbox
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Demo Fuzzbox usage
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Demo Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Nifty Fuzzbox features
Introduction
Containers and Codecs Autoplay mode—spawns a player of your choice under gdb Fuzzing Fuzzing Techniques Gathers backtraces, registers and resource usage Fuzzing Tools Fuzzbox Kills off runaway apps (excessive CPU/memory Case study: Ogg-Vorbis consumption, mangled play rate) Other formats and features iTunes anti-anti-debugging Results
Finding root iTunes automation with AppleScript causes
Collateral damage and future directions
Summary iTunes-specific functionality Avoiding iTunes anti-debugging
Simply jump around PT DENY ATTACH with gdb1:
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary
1http://www.steike.com/code/debugging-itunes-with-gdb/ Results: VLC Format string issues in Vorbis comments (CVE-2007-3316)
Also CDDA, SAP/SDP—broadcast exploitation!
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Results: libvorbis Bug in invalid mapping type handling (CVE-2007-4029)
Function pointer to an invalid memory address offset by an attacker-controlled value Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Results: flac-tools Overflow in metadata parsing, flac123 (CVE-2007-3507)
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Results: iTunes
Heap overflow in “COVR” MP4 atom parsing Introduction (CVE-2007-3752) Containers and Codecs Normally to store album art, can store evil too Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Note about static analysis
Introduction
Containers and Codecs Fuzzing At least one of these vendors was actually using a Fuzzing Techniques commercial static analysis tool Fuzzing Tools Fuzzbox Case study: It missed all of the bugs found with Fuzzbox Ogg-Vorbis Other formats and features These tools are useful, but not a complete solution Results Fuzzing is necessary too—and cheaper Finding root causes
Collateral damage and future directions
Summary Finding root causes
Checking diffs between source file and crasher, We can see the
Introduction difference in CRC and one other byte:
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Finding root causes
Located just after the Vorbis version—a silly number of audio
Introduction channels
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Finding root causes
Introduction
Containers and Codecs With the cause identified, you can start manipulating Fuzzing Fuzzing rather than fuzzing Techniques Fuzzing Tools Play with values in a hex editor or with bbe Fuzzbox Case study: bbe -e ’s:ZZZZ:\xdd\xc5\x04\x08:’ < crashy.flac > Ogg-Vorbis Other formats evil.flac and features Results In the case of Ogg-contained formats, the included Finding root oggcrc.py will recalculate CRC after editing causes
Collateral damage and future directions
Summary Collateral damage and future directions
Introduction
Containers and Codecs Non-player apps, or “nobody uses Vorbis!” Fuzzing As mentioned before, some of these codecs get around Fuzzing Techniques Fuzzing Tools Used in games—custom sounds downloaded with maps, Fuzzbox Case study: etc. Ogg-Vorbis Other formats and features The Asterisk PBX does Results Also supports Speex, which is structurally very similar. . . Finding root In other words, any DoS or code execution in Ogg/Vorbis causes or Speex can mean the same for Asterisk Collateral damage and future directions
Summary Collateral damage and future directions
Introduction Containers Also potential for VOIP-related attacks in WAV/PCM and Codecs modules Fuzzing Fuzzing Good potential for active network attacks; see RTPInject Techniques Fuzzing Tools (Lackey, Garbutt) Fuzzbox Case study: Ogg-Vorbis “Embedded” devices Other formats and features Phones and other portables play lots of audio and video Results formats. Finding root So do home multimedia devices, game consoles, in-car causes systems. . . but no one will let me test their car Collateral damage and future directions
Summary Collateral damage and future directions
Introduction Containers Total speculation: indexing services and other parsers and Codecs
Fuzzing Some software relies on existing media libraries to index Fuzzing Exploits in these libraries affect the indexer Techniques Fuzzing Tools Can also be a venue for finding bugs in the indexer itself Fuzzbox Case study: Or its web interface Ogg-Vorbis Other formats and features Web Applications Results Some apps aren’t real careful about data parsed from Finding root media causes Good for CSRF, XSS or JavaScript intranet scanning, etc. Collateral damage and future directions
Summary Collateral damage and future directions Cheesy example: phpMp, front-end for MPD
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Demo flac code execution
Introduction
Containers and Codecs
Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Demo Other formats and features Results
Finding root causes
Collateral damage and future directions
Summary Recommendations
Introduction
Containers and Codecs Write paranoid—for every specification, test for violation. Fuzzing Fuzzing Techniques Vendors should fuzz their own software. Fuzzing Tools Fuzzbox Media parsing should be done sandboxed when possible. Case study: Ogg-Vorbis Other formats Use, but don’t rely on, source analysis. and features Results Users should treat media streams as potentially malicious Finding root content. causes
Collateral damage and future directions
Summary Questions?
Appendix Questions? Thanks for coming! Thanks to: Chris Palmer, Jesse Burns, Tim Newsham Xiph.org, the VLC team and Apple product security