Full Disclosure mailing list archives
Re: Fuzzing Microsoft Office
From: "Disco Jonny" <discojonny () gmail com>
Date: Tue, 11 Jul 2006 16:25:31 +0100
hi, On 11/07/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
On Tue, 11 Jul 2006 13:52:49 BST, Disco Jonny said: Out of curiosity, how do you determine conclusively that they're in fact different crashes, rather than just different symptoms of the same problem?
by using a controlled environment and setting appropriate weights. But yes, it is not an easy task, but one i am quite close to mastering. and by mapping the file headers/format (yeah this can be done with input validation too) - this is why i am only working with paragraphs and bulletpoints / numbered lists at the moment. :) - smaller applications succumb a lot quicker, maybe you could to the whole app in one go with them... There are a few tricks that i dont want to go into here - maybe after i have got it nailed down then I will.
For instance, a bounds check on string A that trashes memory - can manifest as almost *anything*, as it depends on what the *next* thing in memory is, and when/how it gets dereferenced. This is particularly an issue when it's heap corruption. If the previous sentence had 2 bold strings, then thing B on the heap gets splatted, causing one crash, but if there's an italic string, then it's C that gets trashed, causing a different manifestation.
Ah yes, but this is not how i test. I dont just attach a debugger and off i go. I actually map the process path, vars and how they are used. every file i launch i know what it should be doing, i then compare this against a map of what it has already done. (im not sure if this is making sense - its quite hard to explain without giving it all away ;) using this method you can also find race conditions, heap overflows, integer overflows, etc (i have only found a handful of bugs where the bug ittself causes the eip to be overwritten.) the bugs i tend to find are much more subtle. so just to say again, I am not just checking for exceptions. I see every file run as more information that i can get, and i grab it all. (the only diff between white box and black box is information.) the main trouble is not if the next sentience contains "A quick brown fox" then next time it contains "But the fox was quick" - thats just a retarded way to test. the issue is when the last program loaded was firefox, then this word file. - i have no elegant solution for this... yet... i got some good ideas, but we shall see.
It's still the same bug with A though.
yeah, and it is a lot more obvious a lot earlier on (if you map a program, rather than just look for exceptions). just cause 2 bugs have an exception on the same instruction with the same value does not mean that they are the same. (one could get its null from DS:EAX + 8 (which == 00000000) then go into a function with eax as 00000000, where as another might wipe out EAX with something else, then go into the same function. - two different bugs, with exactly the same results. this works in reverse too. i hope this helps a little... erm, i guess i could try to explain it better if you want? cheers, dj. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Fuzzing Microsoft Office naveed (Jul 11)
- Re: Fuzzing Microsoft Office ad () heapoverflow com (Jul 11)
- Re: Fuzzing Microsoft Office naveed (Jul 11)
- Re: Fuzzing Microsoft Office Disco Jonny (Jul 11)
- Re: Fuzzing Microsoft Office Valdis . Kletnieks (Jul 11)
- Re: Fuzzing Microsoft Office Disco Jonny (Jul 11)
- Re: Fuzzing Microsoft Office Valdis . Kletnieks (Jul 11)
- Re: Fuzzing Microsoft Office Valdis . Kletnieks (Jul 11)
- Re: Fuzzing Microsoft Office ad () heapoverflow com (Jul 11)
- <Possible follow-ups>
- Re: Fuzzing Microsoft Office Gadi Evron (Jul 11)