It has been half a year since my last blog post covering an IDOR in a website API. Having switched my focus from websites to binaries, a new world opened up to me. About time to write about something new and hopefully interesting! The reason I switched is my passion for low-level engineering: reading through disassemblies, walking along with code being executed in a debugger, memory corruption, etc. Reverse engineering has always been a passion of mine and binary exploitation seems to get pretty close. I got completely hooked during Exploit Development Bootcamp, after which I treated myself to the Advanced class as well.

The reason I chose Adobe Reader is primarily that it's a well-known application, offering reasonable bounties, for example through submission to the ZDI. Also, my assumption was that it would be easier to find bugs in a PDF reader than in a browser like Chrome. Wow, did I underestimate this one! To my knowledge, Adobe Reader, Office and the well-known internet browsers are the top 5 best-known and hardest application targets in which to find exploitable vulnerabilities. I told myself it would take quite some time to build a reliable exploit once I found a bug in Adobe Reader. There are so many mitigations to work through once you have an exploitable crash. Amongst others: Data Execution Protection (DEP: prevents your code from being executed), Address Space Layout Randomization (ASLR: where in memory is my code anyway?) and sandboxing (you need to escape this one, it limits what your code can do). It's hard to end up with reliable code execution.

But before you can start building an exploit you need to trigger a bug, or multiple bugs. Perhaps one to leak a DLL address to bypass ASLR and another one which overwrites an exception handler address and triggers a crash. So how do you find these bugs? The answer is fuzzing. Diving into fuzzing you'll find out it's a world on its own, with endless possibilities to try and force crashes on targets. The basic idea is generating as many inputs (e.g. input files) as you can and running them as fast as you can against your target. If you are lucky, one or more inputs will crash the target. With harder targets, besides luck, you'll need better ideas than throwing around random inputs. And in the case of a hard target like Adobe Reader, this can take forever.

Many ways to Rome

Fuzzing a complex target like Adobe Reader requires you to get to know the target really well. Open up some of the executables / DLLs in a disassembler and see what you can make of the symbols (if any) and references. Perhaps you'll find out Adobe Reader uses libtiff, which tells us that might be a way in. Now let's see how we can attack our target.

Generating corpus on open source PDF readers

A researcher explained to me it's hard to get coverage on a target like Adobe Reader, mostly because it's slow and hard to orchestrate. His suggestion was to create a large enough PDF corpus on open source PDF readers and throw that corpus at Adobe Reader. And so I did.

Amongst the most popular fuzzers is American Fuzzy Lop (afl-fuzz) by
Instead of just continuously throwing random input files at a target, afl actually learns what the input file format looks like by covering the code paths (edges, to be exact) of the target application. Also, it leverages Linux forking to run hundreds or even thousands of executions of your target per second per processor core.

In order to fuzz open source readers on Linux you should get yourself a couple of VMs with a distro you like. Install afl on them and download the open source reader tarball. Now unpack it into /dev/shm, which is shared memory. We try to compile everything statically and run everything from memory, in order to gain more executions per second. Also, you'll need to compile the open source reader using one of afl's compilers. Furthermore, we should patch out any output file writes for more speed.

I have set up fuzzing for 3 different targets in parallel: xpdf, mupdf and ghostscript. Let me share with you an example on xpdf. Unpack the xpdf v4.x source code into /dev/shm so we are working in RAM. Your target needs to accept an input file and should fully parse the input PDF. Edit pdftoppm.c and patch out the output file write. I simply placed a continue inside the for loop right before the writes, starting with the line: if (!strcmp(ppmRoot, "-")). Compile xpdf using afl's gcc or clang; for me, clang ended up running xpdf faster. Harden it and use Address Sanitizer to find more interesting inputs:
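The xpdf preparation described above, scripted as an added example (this is not the post's own code): the `continue` is inserted in front of the `if (!strcmp(ppmRoot, "-"))` line, the build is instrumented with afl-clang-fast plus ASan, and the fuzzer is started. The function names, `$WORK`, the xpdf source path, the cmake invocation and the `build/xpdf/pdftoppm` output path are assumptions to adjust to your tarball; `demo_patch` runs the patch step on a constructed stand-in for the loop in pdftoppm.c so it can be tried without the real source.

```shell
#!/bin/sh
# Added example, not code from the post. Assumes afl (afl-clang-fast) is
# installed and the xpdf v4.x source is unpacked under $WORK/xpdf-src.
set -eu
WORK=${WORK:-/dev/shm/xpdf-fuzz}   # /dev/shm: build and run from RAM
PDFTOPPM_SRC=${PDFTOPPM_SRC:-$WORK/xpdf-src/xpdf/pdftoppm.c}  # assumed path

# Insert `continue;` directly before the output-write block, so every page is
# still parsed and rendered but nothing is written to disk. Refuses to patch
# unless the marker line occurs exactly once (a different xpdf version needs a
# manual look). Prints the line number of the inserted `continue;`.
patch_out_writes() {
  src=$1
  n=$(grep -c -F 'if (!strcmp(ppmRoot, "-"))' "$src" || true)
  [ "$n" -eq 1 ] || { echo "$src: expected 1 marker line, found $n" >&2; return 1; }
  sed -i.orig '/if (!strcmp(ppmRoot, "-"))/i\
continue; /* fuzzing: skip the output writes */' "$src"
  grep -n -F 'continue; /* fuzzing' "$src" | cut -d: -f1
}

# Constructed stand-in for the per-page loop in pdftoppm.c (not the real file),
# so the patch step can be exercised without the xpdf tarball.
demo_patch() {
  d=$(mktemp -d)
  cat > "$d/pdftoppm.c" <<'EOF'
  for (pg = firstPage; pg <= lastPage; ++pg) {
    doc->displayPage(&splashOut, pg, resolution, resolution, 0, gFalse, gTrue, gFalse);
    if (!strcmp(ppmRoot, "-")) {
      splashOut.getBitmap()->writePNMFile(stdout);
    }
  }
EOF
  patch_out_writes "$d/pdftoppm.c"
}

# Instrumented ASan build and a fuzz run. ASan cannot be linked -static, so
# the static link used elsewhere in the post is left out here; -m none lifts
# afl's memory limit, which an ASan build needs.
build_and_fuzz() {
  patch_out_writes "$PDFTOPPM_SRC"
  mkdir -p "$WORK/build" "$WORK/in" "$WORK/out"
  ( cd "$WORK/build" &&
    CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 \
      cmake -DCMAKE_BUILD_TYPE=Release "$WORK/xpdf-src" &&
    AFL_USE_ASAN=1 make -j"$(nproc)" pdftoppm )
  afl-fuzz -i "$WORK/in" -o "$WORK/out" -m none -- \
    "$WORK/build/xpdf/pdftoppm" @@ /dev/null
}

if [ "${1:-}" = run ]; then build_and_fuzz; fi
```

Put a handful of small seed PDFs in `$WORK/in` before starting; with the writes patched out the PPM root argument is never used, which is why `/dev/null` is passed.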