Introduction Containers and Codecs Fuzzing Exposing Vulnerabilities in Media Software Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis David Thiel, iSEC Partners Other formats and features Results Finding root causes March 31st, 2008 Collateral damage and future directions Summary Agenda 1 Introduction Introduction 2 Containers and Codecs Containers and Codecs 3 Fuzzing Fuzzing Fuzzing Fuzzing Techniques Techniques Fuzzing Tools Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Fuzzbox Other formats and features Case study: Ogg-Vorbis Results Other formats and features Finding root causes 4 Results Collateral damage and future 5 Finding root causes directions Summary 6 Collateral damage and future directions Introduction Hello Introduction I’m a consultant and researcher with iSEC Partners Containers Focus on application security and Codecs Audio hobbyist (definitely no expert) Fuzzing Fuzzing What’s this all about? Techniques Fuzzing Tools The attack surface and potential of media codecs, players Fuzzbox Case study: and related devices Ogg-Vorbis Other formats Focus here is slightly on audio, but that doesn’t matter and features Video works the same way, and uses the same container Results formats Finding root causes Takeaways Collateral damage and Understand attack surface and implications future Understand how to fuzz and design fuzzers for media directions Help developers understand how to improve code Summary Plant ideas for future research Why this matters Omnipresent and always on Introduction Promiscuously shared, played, streamed Containers Comes from extremely untrusted, often anonymous sources and Codecs Most don’t think to refrain from playing “untrusted” media Fuzzing Fuzzing And most browsers will play automatically anyhow Techniques Fuzzing Tools It’s political Fuzzbox Case study: Ogg-Vorbis There are people out there who don’t like you stealing Other formats and features music: the RIAA, and companies like Sony Results Exploits here are ripe for corporate abuse—it’s happened Finding root before causes It’s “rich” Collateral damage and Media playback/parsing software is almost by definition future directions “excessively functional” Summary Does tons of parsing Why media security is under-explored Introduction Modern codecs are designed to be resistant to corruption Containers Bit-flipping an Ogg file, for example, will usually not work and Codecs Example: zzuf, a popular bit-flipping fuzzer, noted VLC as Fuzzing Fuzzing being “robust” against fuzzing of Vorbis, Theora, FLAC Techniques Fuzzing Tools As zzuf notes, this does not mean there are no bugs; we Fuzzbox Case study: just need a targeted fuzzer Ogg-Vorbis Other formats Deep research not historically necessary and features Results Most media software exploits thus far have been simple: Finding root long playlists, URL names, etc. causes Few attacks using media files themselves Collateral Even fewer targeting things on the codec level damage and future But this is changing as of late directions Summary Terminology: Containers and Codecs Introduction Container formats organize multiple types of media Containers and Codecs streams and metadata Fuzzing “tags”—content describing end-user relevant data Fuzzing Techniques subtitles Fuzzing Tools Fuzzbox sync data, frame ordering Case study: Ogg-Vorbis management of separate bitstreams Other formats and features Codec data describes and contains the actual video/audio Results sample rate Finding root bitrate causes channels Collateral damage and compressed or raw media data future directions Summary Examples: Containers and Codecs Introduction Examples of media containers: Containers AVI and Codecs Ogg Fuzzing MPEG-2 Fuzzing Techniques MP4 Fuzzing Tools Fuzzbox ASF Case study: Ogg-Vorbis Other formats Examples of media codecs: and features DivX Results Vorbis Finding root causes Theora Collateral WMV damage and future Xvid directions Sorenson Summary What to fuzz Introduction Two main areas are important here Containers and Codecs Content metadata Fuzzing ID3, APEv2, Vorbis comments, album art, etc. Fuzzing Techniques Because many types allow arbitrarily large content, this is Fuzzing Tools Fuzzbox a great place to store shellcode with plenty of NOP Case study: Ogg-Vorbis cushion—even if the bug isn’t in metadata parsing Other formats and features Frame data Results Mostly interested in the frame header Finding root causes Contains structural data describing overall file layout: sample rate, number of frames, frame size, channels Collateral damage and Can be multiple types of frame headers in a file future directions Summary What to fuzz it with Introduction Traditional random strings Containers Repeating one random ASCII char to help us spot stack and Codecs pointer overwrites Fuzzing Random unicode, encoded in funny ways Fuzzing Techniques Random signed ints Fuzzing Tools Fuzzbox Case study: Bunch of “%n” format strings to give us some memory Ogg-Vorbis Other formats corruption and features Results Fencepost numbers Finding root causes HTML, more on this later Collateral URLs—for catching URL pingbacks damage and future directions Perhaps other injection types—SQL, XML Summary How to fuzz it Three possible approaches Introduction Reach in and just mangle Containers and Codecs Might work, might not Works a sad amount of the time Fuzzing Fuzzing But, misses a lot of attack classes Techniques Fuzzing Tools Use existing parsing libraries Fuzzbox Case study: Ogg-Vorbis Works well, but usually requires patching the libs Other formats and features Built-in error handling will trip us up Results Metadata editing libraries don’t always allow changing of Finding root data we want causes Use this for basic stuff like ID3 tags and Vorbis comments Collateral damage and Make your own frame parser future directions Sometimes quick and easy, sometimes painful Summary But turns up some great bugs The fuzzer’s toolbox A few tools to make fuzzing and parsing easier Introduction hachoir: Dissects many file types visually Containers and Codecs mutagen: Help in mangling audio tags and understanding Fuzzing Fuzzing file layout Techniques Fuzzing Tools vbindiff: Shows differences between fuzzed and non-fuzzed Fuzzbox Case study: Ogg-Vorbis files Other formats and features bvi: A hex editor with keybindings similar to a certain one Results true editor Finding root causes bbe: sed for binary streams Collateral damage and gdb: Love it or hate it, it’s all you get future directions Summary Fuzzbox A multi-codec audio/video stream fuzzer, written in Introduction Containers Python and Codecs Targets specific stream formats, no general file fuzzing Fuzzing Fuzzing Techniques Uses third party libs like py-vorbis and mutagen for Fuzzing Tools Fuzzbox metadata fuzzing Case study: Ogg-Vorbis Uses built-in frame parsing for frame fuzzing Other formats and features Results Not another fuzzing framework Finding root Just a real-world fuzzer used in pen-testing: quick, dirty causes and targeted Collateral damage and future Available at directions https://www.isecpartners.com/tools.html Summary Fuzzbox Supported filetypes Introduction Containers Ogg and Codecs Fuzzing FLAC Fuzzing Techniques ASF (i.e., WMV, WMA) Fuzzing Tools Fuzzbox Case study: MP3 Ogg-Vorbis Other formats and features Quicktime/MP4 Results Speex Finding root causes WAV Collateral AIFF damage and future directions Summary Case study: Ogg-Vorbis Ogg frame structure Excellent free codec Introduction Well documented Containers and Codecs Not just for hippies Fuzzing Unencumbered status gets it into many things Fuzzing Techniques Fuzzing Tools Consists of an Ogg container. Fuzzbox Case study: Ogg-Vorbis Other formats and features Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Vorbis frame structure Introduction Containers and Codecs Fuzzing . and a Vorbis center Fuzzing Techniques Fuzzing Tools Also “Vorbis comments” Fuzzbox Case study: Simple name/value pairs—can be any length or content, Ogg-Vorbis Other formats but some have special meaning and features Easiest to use existing libs for this—in this case, py-vorbis Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Vorbis comment structure Typical tags used in Vorbis comments: Introduction Containers and Codecs Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Ogg and Vorbis frame data in Python Mercifully 8-bit aligned—Vorbis portion starts at “12version” Introduction Containers and Codecs Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Comments and frame data loaded, feed to fuzzer Transforms are defined in randjunk.py: Introduction Containers and Codecs Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Data fuzzed, writing back out Comments just write back in. Frame data needs to be packed: Introduction Containers and Codecs Fuzzing Fuzzing Techniques Fuzzing Tools Fuzzbox Case study: Ogg-Vorbis Other formats and features Results Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Fixing the CRC Every Ogg frame has a CRC to prevent corruption. Also hides Introduction
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages43 Page
-
File Size-