

Fuzz testing

September 20, 2006

This article was contributed by Jake Edge.

Providing random or semi-random data to a program to see what happens is an excellent black-box testing technique known as fuzzing. Programs that generate this data are, unsurprisingly, called fuzzers and are a potent tool for folks doing penetration or other kinds of testing. After sitting through some interesting presentations at this summer's Black Hat Briefings, it seems like a good opportunity for an overview of fuzzing and some pointers to tools, techniques and research.

Generating bad input for programs is a time-honored tradition for test engineers, but human-generated test cases tend to contain fewer tests than a fuzzer can produce. In addition, test engineers may make implicit assumptions about the kind of data that can or will be fed into a program, where an automated, brainless fuzzer will just try anything. The simplest fuzzer will just send random bytes of data to a program and see what, if anything, happens. It might also vary the length of the data that it sends to explore buffer-length issues and the like.

More sophisticated fuzzers extend those simple techniques with more domain-specific data. A fuzzer targeted at web applications might generate GET and POST queries using (and abusing) the variables that the form or page submits, as well as adding in some random variables and values. A fuzzer targeting a web browser might generate random input that conforms to HTML syntax, with random tags and attributes as well as abusing the defined tags. This domain-specific approach tends to yield better results by limiting the search space, but it can lead to some of the same implicit-assumption problems that are prevalent in human-generated tests. A combination of both simple and complex fuzzing is likely the best approach.

Open source tools for fuzzing various applications and protocols are available; Jack Koziol provides a nice, but not exhaustive, list. While it is not specifically a fuzzer, one must mention Metasploit, the Swiss army knife of penetration testing, which provides a framework for all kinds of exploit testing. It would appear that the Ruby language is gaining some traction for penetration testing, as Metasploit has been rewritten in Ruby for its next version and RFuzz provides a nice library for web application fuzzing. Most other popular languages (C, Perl, Python, Java) are represented as well.

Researchers at the University of Central Florida are trying to take fuzzing a step further by using information about what portions of the code were exercised by various inputs and whether they led to program crashes to drive a genetic algorithm that 'optimizes' for inputs that are likely to cause crashes. Obviously, this is no longer black-box testing, but it could be a fairly useful technique for projects that are looking for vulnerabilities in their own code. Slides from the Black Hat presentation are available here (PDF).
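The coverage-feedback loop described above, reduced to a runnable sketch. This is an added example, not the UCF researchers' tool or any code from the page: the target `parse_record` is a constructed toy parser with three single-byte checks in front of a bug that trusts a length byte, line coverage is collected with Python's `sys.settrace` as the instrumentation, and the "genetic" part is a corpus that keeps any child reaching new lines and picks parents with fitness proportional to how much of the target they cover. The blind mode is the article's simplest fuzzer (fresh random bytes each run) for comparison.

```python
import random
import sys


# Toy target, constructed for this example: three single-byte "magic" checks
# that blind random input almost never passes, then a bug that trusts a
# length byte taken from the input.
def parse_record(data: bytes) -> int:
    if len(data) < 4:
        return 0                   # too short to hold a header
    if data[0:1] != b"F":
        return 1                   # bad magic, byte 0
    if data[1:2] != b"Z":
        return 2                   # bad magic, byte 1
    if data[2:3] != b"!":
        return 3                   # bad magic, byte 2
    count = data[3]                # BUG: length comes from the input unchecked
    payload = data[4:]
    total = 0
    for i in range(count):
        total += payload[i]        # IndexError once count > len(payload)
    return total


def run_traced(target, data: bytes):
    """Run target(data); return (set of executed line numbers, exception or None)."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None            # trace only the target, not the harness
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    crash = None
    sys.settrace(tracer)
    try:
        target(data)
    except Exception as exc:       # any uncaught exception counts as a crash
        crash = exc
    finally:
        sys.settrace(None)
    return lines, crash


def mutate(rng: random.Random, data: bytes, max_len: int = 12) -> bytes:
    """One small random edit: overwrite (most often), insert or delete a byte."""
    buf = bytearray(data)
    op = rng.random()
    if op < 0.7:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op < 0.85 and len(buf) < max_len:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, budget: int, guided: bool, rng_seed: int = 1):
    """Return (crashing input or None, iterations used, final corpus size).

    guided=True keeps every child that executes a line not seen before and
    picks parents with fitness proportional to their coverage; guided=False is
    the blind fuzzer from the article, fresh random bytes every iteration.
    """
    rng = random.Random(rng_seed)
    corpus = [(seed, run_traced(target, seed)[0])]
    covered = set(corpus[0][1])
    for i in range(1, budget + 1):
        if guided:
            weights = [8 ** len(cov) for _, cov in corpus]
            parent = rng.choices(corpus, weights=weights)[0][0]
            child = mutate(rng, parent)
        else:
            child = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 13)))
        lines, crash = run_traced(target, child)
        if crash is not None:
            return child, i, len(corpus)
        if guided and not lines <= covered:
            covered |= lines           # new code reached: child joins the corpus
            corpus.append((child, lines))
    return None, budget, len(corpus)


if __name__ == "__main__":
    for mode in (False, True):
        found, used, size = fuzz(parse_record, b"seed", budget=50_000, guided=mode)
        print("guided" if mode else "blind ", found, "after", used, "runs, corpus", size)
```

Because each magic byte is only a 1-in-256 guess away from an input that already passed the previous check, the guided run climbs the three checks one at a time and then trips the unchecked length within a few thousand runs; the blind run would need all three bytes right at once. As the article notes, this is white-box testing: the harness needs the target's code and an instrumentation hook, which is why it suits a project auditing its own code rather than an outside black-box test.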

An input source that is often overlooked is data files. Because these files are often generated by a program, it is easy to write code that blindly believes what a data file says; this mistake has led to many exploits. Dan Kaminsky briefly talked about data format fuzzing in his "Black Ops 2006" presentation. He presented some ideas from his research into automated recognition of formats for the purposes of fuzzing them. Just feeding a random stream of bytes into a program meant to read a specific format is less likely to cause it to fail. With some rudimentary understanding of the format and fuzzing within that framework, much more interesting program failures can be provoked. Dan's slides are available here, unfortunately in PowerPoint format, but readable by
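The contrast drawn in the last two paragraphs (and in the earlier discussion of simple versus domain-specific fuzzers): random bytes rarely get past a format's header, while a generator that understands the format and abuses its fields reaches the interesting code. This is an added example, not Dan Kaminsky's research code or anything from the page; it assumes a constructed toy file format (`TIMG` magic, three one-byte fields, a palette and pixel data) and a parser, `parse_image`, with two deliberately planted defects so that the two generators have something to find.

```python
import random
import struct
from collections import Counter

# Constructed toy file format for this example:
#   magic "TIMG" | width u8 | height u8 | palette_len u8 | palette bytes | pixel bytes
MAGIC = b"TIMG"
HEADER = struct.Struct("<4sBBB")


def parse_image(data: bytes):
    """Return the mean palette value of the pixels, or None if the header is rejected.

    Two bugs are deliberately left in to give the fuzzers something to find.
    """
    if len(data) < HEADER.size:
        return None
    magic, width, height, palette_len = HEADER.unpack_from(data)
    if magic != MAGIC:
        return None                                  # random bytes stop here
    palette = data[HEADER.size:HEADER.size + palette_len]
    start = HEADER.size + palette_len
    pixels = data[start:start + width * height]
    total = 0
    for p in pixels:
        total += palette[p]          # BUG 1: pixel never checked against len(palette)
    return total / (width * height)  # BUG 2: zero-area image divides by zero


def random_bytes_input(rng: random.Random) -> bytes:
    """The simplest fuzzer: a random number of random bytes."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))


BOUNDARY = (0, 1, 2, 7, 8, 127, 128, 255)   # values worth trying in any u8 field


def format_aware_input(rng: random.Random) -> bytes:
    """Emit a well-formed header, then abuse the fields it declares."""
    def u8():
        return rng.choice(BOUNDARY) if rng.random() < 0.3 else rng.randrange(1, 9)
    width, height, palette_len = u8(), u8(), u8()
    palette = bytes(rng.randrange(256) for _ in range(palette_len))
    pixels = bytes(rng.randrange(256) for _ in range(min(width * height, 64)))
    return HEADER.pack(MAGIC, width, height, palette_len) + palette + pixels


def fuzz(generator, runs: int = 2000, seed: int = 7) -> Counter:
    """Feed `runs` generated inputs to the parser and tally what happened."""
    rng = random.Random(seed)
    outcomes = Counter()
    for _ in range(runs):
        data = generator(rng)
        try:
            outcomes["rejected" if parse_image(data) is None else "parsed"] += 1
        except Exception as exc:          # each crash is bucketed by its type
            outcomes[type(exc).__name__] += 1
    return outcomes


if __name__ == "__main__":
    print("random bytes :", dict(fuzz(random_bytes_input)))
    print("format-aware :", dict(fuzz(format_aware_input)))
```

With 2000 runs each, the random-bytes generator never produces the four-byte magic and every input is rejected at the header, so both planted bugs stay hidden; the format-aware generator finds the out-of-range palette index and the zero-area division within its first few inputs. The same blind spot applies in reverse: because `format_aware_input` always emits a correct magic, it never exercises the magic check itself, which is the implicit-assumption problem the article warns about and the reason to run both kinds of generator.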

Internationalization (i18n) is another potentially exploitable area for many applications. Scott Stender presented some ideas on fuzzing i18n data at Black Hat, in particular using Unicode representations to get bad data past validators when different levels of the application handle character encodings differently. He gave some explicit examples of input that might validate within a web application, but be interpreted differently by a database leading to various kinds of misbehavior. His slides are here (PDF).

Fuzzing can be used to find all kinds of security issues with a program: buffer overflows, SQL injection, cross-site scripting, denial of service, etc. It is, of course, no silver bullet. It is just a powerful technique to help a developer or tester pinpoint areas where input validation and filtering are not working and to give some level of confidence that validation is working in other areas.

Comments (5 posted)

New vulnerabilities

bomberclone: information disclosure and denial of service

Package(s): bomberclone    CVE #(s): CVE-2006-4005 CVE-2006-4006
Created: September 19, 2006    Updated: September 20, 2006
Description: Luigi Auriemma discovered two security related bugs in bomberclone, a free Bomberman clone. The program copies remotely provided data unchecked, which could lead to a denial of service via an application crash. Bomberclone uses remotely provided data as a length argument, which can lead to the disclosure of private information.
Debian DSA-1180-1 bomberclone 2006-09-19

Comments (1 posted)

dokuwiki: arbitrary command execution

Package(s): dokuwiki    CVE #(s): CVE-2006-4674 CVE-2006-4675 CVE-2006-4679
Created: September 15, 2006    Updated: September 20, 2006
Description: "rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR HTTP header, allowing the injection of arbitrary contents - such as PHP commands - into a file. Additionally, the accessory scripts installed in the "bin" DokuWiki directory are vulnerable to directory traversal attacks, allowing an attacker to copy and execute the previously injected code.
Gentoo 200609-10 dokuwiki 2006-09-14

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): mozilla firefox thunderbird    CVE #(s): CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created: September 15, 2006    Updated: November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Debian DSA-1210-1 mozilla-firefox 2006-11-14
Gentoo 200610-04 seamonkey 2006-10-16
Ubuntu USN-361-1 mozilla 2006-10-10
Debian DSA-1192-1 mozilla 2006-10-06
Gentoo 200610-01 thunderbird 2006-10-04
Debian DSA-1191-1 mozilla-thunderbird 2006-10-05
Ubuntu USN-354-1 firefox 2006-10-02
Gentoo 200609-19 firefox 2006-09-28
Mandriva MDKSA-2006:169 mozilla-thunderbird 2006-09-22
Ubuntu USN-352-1 mozilla-thunderbird 2006-09-25
Ubuntu USN-351-1 firefox 2006-09-22
SuSE SUSE-SA:2006:054 MozillaFirefox,MozillaThunderbird,seamonkey 2006-09-22
Ubuntu USN-350-1 mozilla-thunderbird 2006-09-21
Mandriva MDKSA-2006:168 mozilla-firefox 2006-09-20
Red Hat RHSA-2006:0677-01 thunderbird 2006-09-15
Red Hat RHSA-2006:0676-01 seamonkey 2006-09-15
Red Hat RHSA-2006:0675-01 firefox 2006-09-15
rPath rPSA-2006-0169-1 firefox 2006-09-15
Slackware SSA:2006-257-03 mozilla 2006-09-15
Fedora FEDORA-2006-977 thunderbird 2006-09-14
Fedora FEDORA-2006-976 firefox 2006-09-14

Comments (none posted)

ffmpeg: buffer overflows

Package(s): ffmpeg    CVE #(s): CVE-2006-4799 CVE-2006-4800
Created: September 14, 2006    Updated: May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges.
Gentoo 200609-09 ffmpeg 2006-09-13

Comments (2 posted)

gdb: buffer overflow

Package(s): gdb    CVE #(s): CVE-2006-4146
Created: September 15, 2006    Updated: June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Red Hat RHSA-2007:0469-01 gdb 2007-06-11
Red Hat RHSA-2007:0229-02 gdb 2007-05-01
Ubuntu USN-356-1 gdb 2006-10-02
Fedora FEDORA-2006-975 gdb 2006-09-14

Comments (none posted)

gnutls: signature forge vulnerability

Package(s): gnutls    CVE #(s): CVE-2006-4790
Created: September 14, 2006    Updated: September 26, 2006
Description: GnuTLS has a vulnerability with PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used, an attacker may be able to forge a PKCS #1 v1.5 signature.
Gentoo 200609-15 gnutls 2006-09-26
Debian DSA-1182-1 gnutls11 2006-09-22
Mandriva MDKSA-2006:166 gnutls 2006-09-19
Ubuntu USN-348-1 gnutls11, gnutls12 2006-09-18
Fedora FEDORA-2006-974 gnutls 2006-09-14
Red Hat RHSA-2006:0680-01 gnutls 2006-09-14

Comments (none posted)

gzip: multiple vulnerabilities

Package(s): gzip    CVE #(s): CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created: September 19, 2006    Updated: January 20, 2010
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Debian DSA-1974-1 gzip 2010-01-20
Fedora FEDORA-2007-557 lha 2007-05-31
Gentoo 200611-24 lha 2006-11-28
Fedora-Legacy FLSA:211760 gzip 2006-11-13
Fedora FEDORA-2006-989 gzip 2006-10-10
SuSE SUSE-SA:2006:056 gzip 2006-09-26
Gentoo 200609-13 gzip 2006-09-23
Trustix TSLSA-2006-0052 freetype, gnutls, gzip 2006-09-22
Mandriva MDKSA-2006:167 gzip 2006-09-20
Slackware SSA:2006-262-01 gzip 2006-09-20
OpenPKG OpenPKG-SA-2006.020 gzip 2006-09-20
Debian DSA-1181-1 gzip 2006-09-19
rPath rPSA-2006-0170-1 gzip 2006-09-19
Ubuntu USN-349-1 gzip 2006-09-19
Red Hat RHSA-2006:0667-01 gzip 2006-09-19

Comments (1 posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-4535 CVE-2006-4538
Created: September 18, 2006    Updated: January 5, 2009
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Red Hat RHSA-2008:0787-01 kernel 2009-01-05
Red Hat RHSA-2007:1049-01 kernel 2007-12-03
Mandriva MDKSA-2006:182 kernel 2006-10-11
Red Hat RHSA-2006:0689-01 kernel 2006-10-05
Debian DSA-1184-2 kernel-source-2.6.8 2006-09-26
Debian DSA-1184-1 kernel-source-2.6.8 2006-09-25
Debian DSA-1183-1 kernel-source-2.4.27 2006-09-25
Ubuntu USN-347-1 linux-source-2.6.10/-2.6.12/-2.6.15 2006-09-18

Comments (none posted)

nss: signature forgery vulnerability

Package(s): nss    CVE #(s): CVE-2006-4340
Created: September 15, 2006    Updated: October 18, 2006
Description: Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3 it is possible for an attacker to forge a signature which would be incorrectly verified by the NSS library.
Gentoo 200610-06 nss 2006-10-17
SuSE SUSE-SA:2006:055 openssl,mozilla-nss 2006-09-22
Fedora FEDORA-2006-979 nss 2006-09-14

Comments (1 posted)

usermin: programming error

Package(s): usermin    CVE #(s): CVE-2006-4246
Created: September 15, 2006    Updated: September 20, 2006
Description: Hendrik Weimer discovered that it is possible for a normal user to disable the login shell of the root account via usermin, a web-based administration tool.
Debian DSA-1177-1 usermin 2006-09-15

Comments (none posted)

zope2.7: information disclosure

Package(s): zope2.7    CVE #(s): CVE-2006-4684
Created: September 14, 2006    Updated: September 20, 2006
Description: Version 2.7 of Zope has an information disclosure vulnerability. The csv_table directive is not disabled in web pages containing ReST markup. Files that the Zope server has access to can be exposed.
Debian DSA-1176-1 zope2.7 2006-09-13

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds