Introduction Overview Containers and Codecs Exposing Vulnerabilities in Media Software Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats David Thiel, iSEC Partners and features Fallout Finding root causes BlackHat EU 2008 Collateral damage and future directions Summary Agenda 1 Introduction Introduction 2 Overview Overview Containers 3 and Codecs Containers and Codecs Fuzzbox Fuzzing 4 Fuzzbox Techniques Case study: Fuzzing Techniques Ogg-Vorbis Other formats and features Case study: Ogg-Vorbis Fallout Other formats and features Finding root causes 5 Fallout Collateral damage and future 6 Finding root causes directions Summary 7 Collateral damage and future directions Introduction Hello Introduction I’m a consultant and researcher with iSEC Partners Overview Focus on application security Containers Audio hobbyist and Codecs What’s this all about? Fuzzbox Fuzzing The attack surface and potential of media codecs, players Techniques Case study: and related devices Ogg-Vorbis Other formats Focus here is on slightly on audio, but that doesn’t matter and features Video works the same way, and uses the same container Fallout formats Finding root causes Takeaways Collateral damage and Understand attack surface and implications future Understand how to fuzz and design fuzzers for media directions Help developers understand how to improve code Summary Plant ideas for future research Why this matters Omnipresent and always on Promiscuously shared, played, streamed Introduction Comes from extremely untrusted, often anonymous sources Overview Who thinks to refrain from playing “untrusted” media? Containers and Codecs Most browsers will play automatically anyhow Fuzzbox It’s political Fuzzing Techniques There are people out there who don’t like you stealing Case study: Ogg-Vorbis music Other formats and features Like me, for example Fallout But mostly I mean the RIAA, and companies like Sony Finding root Exploits here are ripe for corporate abuse - it’s happened causes before Collateral damage and It’s “rich” future directions Media playback/parsing software is almost by definition Summary excessively functional Does tons of parsing Why media security is under-explored Introduction Overview Modern codecs are designed to be resistant to corruption Containers Bit-flipping an Ogg file, for example, will usually not work and Codecs Example: zzuf, a popular bit-flipping fuzzer, noted VLC as Fuzzbox being “robust” against fuzzing of Vorbis, Theora, FLAC Fuzzing Techniques As zzuf notes, this does not mean there are no bugs; we Case study: Ogg-Vorbis just need a targeted fuzzer Other formats and features Most media software exploits thus far have been simple Fallout Finding root Attacks on players: long playlists, URL names, etc. causes Few attacks using media files themselves Collateral Even fewer targeting things on the codec level damage and future directions Summary Containers and Codecs Introduction Container formats organize multiple types of media Overview streams and metadata Containers and Codecs “tags”—content describing end-user relevant data Fuzzbox subtitles Fuzzing Techniques sync data, frame ordering Case study: Ogg-Vorbis management of separate bitstreams Other formats and features Codec data describes and contains the actual video/audio Fallout sample rate Finding root causes bitrate channels Collateral damage and compressed or raw media data future directions Summary Containers and Codecs Introduction Examples of media containers: Overview AVI Containers Ogg and Codecs MPEG-2 Fuzzbox MP4 Fuzzing Techniques ASF Case study: Ogg-Vorbis Other formats Examples of media codecs: and features DivX Fallout Vorbis Finding root causes Theora Collateral WMV damage and future Xvid directions Sorenson Summary (re-)Introducing Fuzzbox Introduction A multi-codec audio stream fuzzer, written in Python Overview Targets specific stream formats, no general file fuzzing Containers and Codecs Uses third party libs like py-vorbis and mutagen for Fuzzbox metadata fuzzing Fuzzing Techniques Case study: Uses built-in frame parsing for frame fuzzing Ogg-Vorbis Other formats and features Not another fuzzing framework Fallout An example of a real-world fuzzer used in pen-testing: Finding root causes quick, dirty and targeted Collateral damage and Available at future directions https://www.isecpartners.com/tools.html Summary What to fuzz Two main areas are important here Introduction Content metadata Overview ID3, APEv2, Vorbis comments, album art, etc. Containers and Codecs Because many types allow arbitrarily large content, this is Fuzzbox Fuzzing a great place to store shellcode with plenty of NOP Techniques Case study: cushion—even if the bug isn’t in metadata parsing Ogg-Vorbis Other formats and features Frame data Fallout We’re mostly interested in the frame header Finding root causes Contains structural data describing overall file layout: Collateral damage and sample rate, number of frames, frame size, channels future directions Can be multiple types of frame headers in a file, especially Summary in the case of container formats What to fuzz it with Introduction Obviously, random strings Overview Repeating one random ASCII char to help us spot stack Containers and Codecs pointer overwrites Fuzzbox Throw in some random unicode, encoded in funny ways Fuzzing Techniques Just a bunch of “%n”s to give us some memory corruption Case study: Ogg-Vorbis Random signed ints Other formats and features Format strings Fallout Fencepost numbers Finding root causes HTML! More on this later Collateral damage and URLs—for catching URL pingbacks future directions Summary How to fuzz it Three possible approaches Introduction Reach in and just mangle Overview Might work, might not Containers Works a sad amount of the time and Codecs Fuzzbox Use existing parsing libraries Fuzzing Techniques Works well, but usually requires patching the libs Case study: Ogg-Vorbis Built-in error handling will obviously trip us up Other formats and features Metadata editing libraries don’t always allow changing of Fallout data we want Finding root Let’s use this for basic stuff like ID3 tags and Vorbis causes comments Collateral damage and Make your own frame parser future directions Sometimes quick and easy, sometimes painful Summary But turns up some great bugs The fuzzer’s toolbox A few tools to make fuzzing and parsing easier Introduction hachoir: Dissects many file types visually Overview Containers mutagen: Help in mangling audio tags and understanding and Codecs file layout Fuzzbox Fuzzing Techniques vbindiff: Shows differences between fuzzed and non-fuzzed Case study: Ogg-Vorbis files Other formats and features bvi: A hex editor with keybindings similar to a certain one Fallout true editor Finding root causes bbe: sed for binary streams Collateral damage and gdb: Love it or hate it, it’s all you get future directions Summary Case study: Ogg-Vorbis Ogg frame structure Excellent free codec Introduction Well documented Overview Not just for hippies Containers and Codecs Unencumbered status gets it into many things Fuzzbox Fuzzing Consists of an Ogg container. Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Vorbis frame structure Introduction Overview Containers and Codecs . and a Vorbis center Fuzzbox Fuzzing Also “Vorbis comments” Techniques Case study: Simple name/value pairs—can be any length or content, Ogg-Vorbis Other formats but some have special meaning and features Fallout Easiest to use existing libs for this—in this case, py-vorbis Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Vorbis comment structure Typical tags used in Vorbis comments: Introduction Overview Containers and Codecs Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Ogg and Vorbis frame data in Python Mercifully 8-bit aligned—Vorbis portion starts at “12version” Introduction Overview Containers and Codecs Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Comments and frame data loaded, feed to fuzzer Transforms are defined in randjunk.py: Introduction Overview Containers and Codecs Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Data fuzzed, writing back out Comments just write back in. Frame data needs to be packed: Introduction Overview Containers and Codecs Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Case study: Ogg-Vorbis Fixing the CRC Every Ogg frame has a CRC to prevent corruption. Also hides Introduction bugs, but easy enough to fix: Overview Containers and Codecs Fuzzbox Fuzzing Techniques Case study: Ogg-Vorbis Other formats and features Fallout Finding root causes Collateral damage and future directions Summary Other supported formats FLAC Introduction Lossless audio—uses Vorbis comments for metadata, can Overview use Ogg as a container (and usually does) Containers and Codecs MP3 Fuzzbox Metadata with ID3 Fuzzing Techniques ID3v1 Case study: Ogg-Vorbis Length limited Other formats and features Stored at end of file Fallout Great for rewriting, awful for streaming
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages41 Page
-
File Size-