CanSecWest 2013–Gödel’s Gourd

Slides from my talk at CanSecWest 2013 are online.  Thanks again to all the peeps who make this such a great conference year after year.

Gödel’s Gourd – Fuzzing for Logic Issues

Peach 3 Nears Release

Just realized how long it’s been since I’ve posted.  Been busy growing Déjà vu Security and working on the new version of Peach.  The new v3 has been in final testing and should released this week (cross-fingers).

The latest bits are always available from git via source forge.

Along with a new version of Peach we have moved to using a support forum instead of mailing list for this latest version.  The support forums are located here.

Changes to Fuzzing Strategies in Peach 2.3.8

Fuzzing strategies in Peach define the methodology for how data is mutated or modified in Peach.  Traditionally the strategy was specified on the command line and changed for all tests being run.  This proved limiting and required the person running the fuzzer to know which strategy to use.  Additionally, it was near impossible to pass arguments or additional information to the strategy.

With the latest commit of Peach 2.3.8 this is changing.  Instead of a command line parameter a new child element called <Strategy> can be specified in the <Test> element.  Additionally the strategy has the ability to parse attributes or sub-elements for configuration.  This allows different <Test> configurations to use different strategies.

Example:

<!– Our Test element will link together our state model and publisher –>
<Test name="HelloWorldTest">
    <StateModel ref="State"/>
    <Publisher class="stdout.Stdout" />
    <Strategy class="rand.RandomMutationStrategy"/>

</Test>

Peach Training @ CanSecWest 2011

I’m happy to announce that we will once again be offering the Peach training at CanSecWest 2011 in Vancouver, BC.  Register now for the best price!

http://cansecwest.com/dojos/2011/csw_2_01.html

Description

The entirety of the course is student centric, hands on, and lab intensive. On day one, students will be instructed on the use of the Peach Fuzzing Platform, from a practitioner’s perspective, learning the ways in which Peach can be used to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will build and run fuzzers that target real world applications.

On the second day, students will be exposed to the internals of Peach for a developer’s perspective. The Peach architecture and module interfaces will be explained in great detail as to equip students with the skills necessary to extend and adapt Peach to their custom needs. Students will then develop their own Peach extensions in a lab environment to reinforce these concepts.

Topics

Upon completion of this course, students will be enabled to create effective fuzzers that target:

• State-aware network protocol parsers
• N-tier applications
• Arbitrary APIs
• File parsers
• COM and Active/X components
• Extend the Peach Fuzzing Platform
• Apply these concepts and tools to their unique environment
• Utilize parallel fuzzing to increase fuzzing efficiency

 

Using Code Coverage to Select Fuzzing Sample Files

Note: This article covers features in Peach 2.3.7 which is currently in SVN.

Selecting good sample files to use when performing file fuzzing can make all the difference.  However, simply tossing several thousand files into a folder and calling it a day doesn’t make allot of sense.  Instead we can use code coverage to select the minimum number of files to get the most coverage from our target.  Peach includes a tool called “minset” to perform this task for us.

The minset tool is located in “c:\peach\tools\minset” and contains a test setup that can be run by saying “test.bat”.

Minset has several modes of operation, from simple to more complex.  We will first cover the simplest usage.

Simple Usage Example

Syntax:

minset [-k] –s samples -m minset command.exe %s

• -k               Optional argument when using graphical programs that do not automatically close
• -s samples    This is the folder containing sample files to get coverage of
• -m minset     This is the folder to place the minimum set of files into
• command.exe  The target executable to run
• %s                 Any arguments and also a placeholder for the filename (%s)

This usage will try all files specified by “samples” and place the minimum set of them into the folder “minset”.  The target command will get run as “command.exe filename”.

Example Usage – Command Line Target:

minset -s samples\*.png -m minset bin\pngcheck.exe %s

Example Usage – Graphical Target:

minset –k -s docs\*.doc -m minset "C:\Program Files (x86)\Microsoft Office
Office14\winword.exe" %s

Depending on the complexity of the target program, this type of code coverage can take a while.

Separated Tracing and Coverage Analysis

For complex programs, or when performing coverage on a large set of files you may want to distribute the task across several machines.  To support this minset is able to run just the coverage trace separate from the analysis portion.  This allows running coverage traces on multiple machines then running the analysis on the results.

Running Minset in Coverage Trace Mode

minset [-k] –s samples –t traces command.exe args %s

This command line will perform coverage traces using the sample files in “samples” and place the resulting traces into the folder “traces”.  This is the part you will want to distribute.

Running Minset in Analysis Mode

minset –s samples –t traces –m minset

All of your generated traces must be in “traces” and all of the sample files in “samples”.  Minset will perform the coverage analysis and place the minimum set of files into “minset”.

Normally the analysis process is not distributed, however for especially large sets of sample files you may wan to run the analysis after collecting traces on every node then combining the resulting minsets for a final pass.

Using .NET Assemblies with Peach 2

This is not a common task, but there have been a number of times when I’ve wanted to write something in C#/Microsoft .NET or have had access to a nice library.  Happily there is a python to .NET bridge that allows using .NET assemblies just like python classes.  These are the steps and software you will need to make it happen.

First, here is the setup I’ll be starting with:

• Windows 7 (32 or 64bit)
• ActiveState Python v2.5 32bit (c:\python25)
• Source version of Peach (from svn) (c:\peach)

Next you will need “Python for .NET” which you can download from here.  At the time of writing the binary version was for .NET 2.0 and Python 2.5.  I do not recommend compiling from scratch unless you know what your about.

Unzip the archive someplace.  For the sake of this article lets unzip it to “c:\pnet”.

You will also want to create your Peach PIT file and place it in this folder along with any python code you might have written.

To use a .NET assembly you can simply use “from/import” as normal.  The python patch will be searched just like for a python module.  So for example you could say “from System.Reflection import Assembly” and then you have access to the .NET Assembly class!

OKAY – Now that you have your PIT and some code that uses .NET it’s time to run everything.  This is were the source version of Peach comes in.  The “python.exe” that we got from Python for .NET will load the normal binary Python runtime, but also special code to interact with .NET.  This is all hidden, just run peach using this custom executable like normal:

python.exe c:\peach\peach.py mydotnet.xml

And that’s it!

NOTE FOR 64BIT USERS

If your on a 64bit machine you will get an error running this.  You must mark python.exe as requiring the 32bit .NET runtime.  This is fairly easy assuming you have the Windows SDK.

"c:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\x64\CorFlags.exe" python.exe /32BIT+

Looking forward to Peach 3

Peach 3 is the next major release of Peach and is currently under development.  Peach 3 will be a complete re-write of Peach using the C# language and .NET Framework.  We will keep cross-platform support thanks to the Mono project.

Features

• Cross platform support (Linux, OS X, Windows, etc.)
• Mono compatibility
• Backwards comparable with existing Peach definitions
• Easier to drive Peach programmatically
• Design to allow for next generation of fuzzing technology
• A number of GUI programs for:
  • Simple File Fuzzing
  • Simple Network Fuzzing

Reasons For Switch

• Better development tools
• Better GUI support (even cross-platform)
• Better dependency support (no more module hell)
• Much better XML library (schema validation!!)
  • Proper web services support!
• Full COM/DCOM support, etc.
• Language more suited to what Peach has become

Fuzzing SQL Stored Procedures

Another fun fuzzing target are SQL Stored Procedures.  This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target rich environment.  Oddly, there are few tools available for fuzzing stored procedure, most of which are simple one offs with limited abilities.

Peach see’s stored procedures as callable methods with parameters and possible return types.  This allows creating anything from super simple to very complex state machines around your set of stored procedures.  Additionally there is the typical rich set of data modeling tools available for specifying the parameter data.

The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database.

Example 1 – Simple Stored Procedure

Our first example is very simple, we will have a single stored procedure called “testproc” that accepts a single parameter “parameter1” that is typed as a “varchar(255).”

?????? ????? ????

The MySQL database schema looks like this:

michael jackson

create table if not exists testtable (

   msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
   insert into testtable (msg) values (parameter1);
END;
//

 

cameron

Next we need to create out Peach PIT file, this will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk with MySQL.

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

       <Include ns="default" src="file:defaults.xml"/>
       <Include ns="pt" src="file:PeachTypes.xml"/>

       <DataModel name="TheDataModel">
               <String value="Peachy"/>
       </DataModel>

       <StateModel name="TheState" initialState="Initial">

               <State name="Initial">
                       <Action type="call" method="call testproc(?)">
                               <Param name="p1" type="in">
                                       <DataModel ref="TheDataModel"/>
                               </Param>
                       </Action>
               </State>
       </StateModel>

       <Test name="TheTest">
               <StateModel ref="TheState"/>

               <Publisher class="sql.Odbc">
                       <Param name="dsn" value="TestMySql/root/password"/>
               </Publisher>
       </Test>

       <Run name="DefaultRun">
               <Test ref="TheTest"/>
       </Run>
</Peach>

And thats it!  Now, obviously there is little point to fuzzing our example method.  The real targets for our fuzzing are the built in methods that ship with most SQL servers, or 3rd party “native” stored procedures (those written in languages like C, or C++).

Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach!  If you have any questions please post them on the Peach mailing list.

Changing Defaults for Data Elements

One feature that has been much requested for Peach is the ability to change data element defaults, for example the default byte order for numbers, or string type (wchar, char, utf8, etc).  Now in Peach 2.3 this is possible by using the top level <Defaults> element.

To change the defaults for the Number element so they are unsigned and big endian you would use the following XML:

<Defaults>
  <Number signed="false" endian="big" />
</Defaults>

Fuzzing Shared Libraries

Fuzzing shared libraries is not the most common of tasks, but is a useful tool to have available.  Many times methods exposed by scripting languages such as JavaScript, PHP, etc are simply methods exposed by a shared library (DLL for you windows peeps).

Sadly most fuzzers do not support fuzzing shared libraries directly, so typically one was stuck dusting off something like SPIKE, or some other framework and writing some custom code to drive everything.  Things can get even more complicated if the exposed methods you are fuzzing take complex types comprised of structures with pointers to other structures, etc.

download this is it movie

Enter Peach.  Peach has always been capable of loading shared libraries and making function calls, however not until version 2.3 has Peach supported complex structure types and pointers.

Lets take a look at a few samples to get an idea of how easy this is with Peach.

Use Case #1  Non-complex data types

Out first example will emulate the follow code:

mydll.Initialize();
mydll.DoCoolThings( char* s );

First we will need to create a quick data model for our “s” parameter:

<DataModel name="s">
  <String value="Hello World!" />
</DataModel>

Next is the state model that will have the method calls:

<StateModel name="TheStateModel" initialState="State1">
  <State name="State1">
    <Action type="call" method="Initialize" />
    <Action type="call" method="DoCoolThings">
      <Param name="s" type="in">
        <DataModel ref="s" />
      </Param>
    </Action>
  </State>
</StateModel>

• ????? ????????? ?????????

And finally we will need to configure a publisher:

<Publisher class=”dll.Dll”>

  <Param name="library" value="mydll.dll" />
</Publisher>

And thats it!

Use Case #2 – Complex data types

Now, lets change to the definition of DoCoolThings to this:

struct otherstruct
{
  int a;
  int b;
};

struct mystruct
{
  struct otherstruct * val;
};

mydll.DoCoolThings( struct mystruct *s);

First we will need data models:

<DataModel name=”otherstruct”>
  <Number name=”a” size=”32” value=”0” />
  <Number name=”b” size=”32” value=”0” />
</DataModel>

<DataModel name=”mystruct” pointer=”true”>
  <Block ref=”otherstruct” pointer=”true” />
</DataModel>

Next we need the sate model:

<StateModel name=”TheStateModel” initialState=”State1”>
  <State name=”State1”>
    <Action type=”call” method=”Initialize” />
    <Action type=”call” method=”DoCoolThings”>
      <Param name=”s” type=”in”>
        <DataModel ref=”mystruct” />
      </Param>
    </Action>
  </State>
</StateModel>

And finally we will need to configure a publisher:

Zoe Saldana Neytiri

<Publisher class=”dll.Dll”>
  <Param name=”library” value=”mydll.dll” />
</Publisher>

And there you go. Easy! I hope this was a good introduction to fuzzing shared libraries with Peach.