Tuesday, June 22, 2010

Fuzzers and fuzzing

It has been a while since I last found the time to test some fuzzers. Fuzzing, as it is defined in Microsoft's SDL (Security Development Lifecycle):

"Fuzzing is a testing technique that can help find denial of service and security vulnerabilities in software. The principle of fuzzing is very simple: create invalid data, force an application to consume that malformed data, and then observe the application as it executes. If the application crashes, then a bug may have been found in the target application. By identifying this crash, you are able to quickly target potential problems in the underlying code and determine if changes are needed to fix the crash (and any related potential security issues) from affecting your users."

Microsoft provides MiniFuzz for free (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=b2307ca4-638f-4641-9946-dc0a5abe8513), and it was the first choice of the day.

After installing minifuzz and running it we get the following screen:

There are only two options that we really have to set here; the rest can stay at their defaults. The options we need are the process to fuzz and the location of the template files. Template files are the files we will feed to the application in order to test it: they are normal input files that the application should accept, and the fuzzer derives its malformed variants from them. For my case I chose to try an older version of Easy RM to MP3 Converter that is known for its vulnerabilities ( http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ ).

Here is the fuzzer working

Quoting again from Microsoft's SDL process:
"Fuzzing, as an SDL requirement, requires a minimum of 100,000 malformed files per file parser. So if your application parses three discrete file formats, .FOO files and .BAR files, then you need to create and correctly parse (ie; not crash) 100,000 FOO files and 100,000 BAR files."

So be ready for long hours. In another post we will see other fuzzers with examples.
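To make the template-file idea above concrete, here is an added example (my own illustration, not MiniFuzz's code and not part of the original post) of a minimal mutation fuzzer: it takes a valid template, produces malformed variants, runs the target on each one and keeps only the inputs that made it crash or hang. The target command line, the file layout and the crash-detection rules are assumptions.

```python
import os
import random
import subprocess
import tempfile

# Windows exit status for an access violation; on POSIX a negative return
# code means the process was killed by a signal (SIGSEGV, SIGABRT, ...).
WIN_ACCESS_VIOLATION = 0xC0000005


def mutate(template: bytes, rng: random.Random, max_mutations: int = 8) -> bytes:
    """Return a malformed copy of template: byte overwrites, random inserts,
    and truncation, so the result still looks mostly like the real format."""
    data = bytearray(template)
    for _ in range(rng.randint(1, max_mutations)):
        choice = rng.random()
        if choice < 0.5 and data:                      # overwrite one byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice < 0.8:                             # insert 1..64 junk bytes
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
        elif data:                                     # truncate the file
            data = data[:rng.randrange(len(data))]
    return bytes(data)


def run_target(cmd, path, timeout=5):
    """Run `cmd + [path]`; classify the outcome as 'ok', 'crash' or 'hang'."""
    try:
        proc = subprocess.run([*cmd, path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang", None
    if proc.returncode < 0 or proc.returncode == WIN_ACCESS_VIOLATION:
        return "crash", proc.returncode
    return "ok", proc.returncode


def fuzz(cmd, template: bytes, iterations: int, seed: int = 0, outdir=None):
    """Generate `iterations` malformed files from `template`, run the target on
    each, delete the harmless ones and return (path, status, returncode) for
    every case that crashed or hung, so each finding can be reproduced later."""
    rng = random.Random(seed)                          # fixed seed: reproducible run
    outdir = outdir or tempfile.mkdtemp(prefix="fuzz-")
    findings = []
    for n in range(iterations):
        path = os.path.join(outdir, f"case-{n:06d}.bin")
        with open(path, "wb") as fh:
            fh.write(mutate(template, rng))
        status, rc = run_target(cmd, path)
        if status == "ok":
            os.remove(path)
        else:
            findings.append((path, status, rc))
    return findings
```

With `iterations=100000` this is the per-parser volume the SDL quote asks for; the saved files under `outdir` are the cases worth handing to a debugger.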

Thursday, June 3, 2010

Flood bots and others

Today I found a bot running on a client's server. The bot is designed mainly for flooding, as its own name states: "Enjoy FloodBot based on OverKill". The problem on the server was a website with an SQL injection point; from there the attackers were able to take control of the site and add files through the custom CMS. The content of the bot consists mainly of executables used to perform flood attacks.

Link for research follows.

Flood Bot