Re: FuzzDiff tool

[Dan Rosenberg <drosenberg () vsecurity com>]

Henri,

> You have temporary file vulnerability in FuzzDiff
> (5b6b5c6c22c1103b4169b9fe6e7bfbc3
> c0ce0235f8f0026988c60a3217233c36d829ecdf). Maybe you want to use
> this module: http://docs.python.org/library/tempfile.html

This is a good example of the difference between a quick and dirty
script for accomplishing a simple task and a piece of production-ready
software.  FuzzDiff belongs to the first category.  I'm well aware of
what constitutes safe vs. unsafe temporary file usage, and I'll admit
that FuzzDiff does not use temporarily files safely by default.  I
would wager a guess that most homegrown scripts designed for personal
use aren't especially concerned with such things.  Seeing as there are
a number of parameters to tune in the script, I assumed that if you're
running this on a production system with multiple users (why?!?!) you
would simply change the path of the temporary file to one within your
home folder, for example.  Calling unsafe temporary file usage in a
script like this a "vulnerability" may be a bit of a stretch.  On the
other hand, it couldn't hurt to fix it, so I did.

> Please open bug-tracker for FuzzDiff and put the program under some
> version controlling software.

FuzzDiff is now hosted on Google Code at:
http://code.google.com/p/fuzzdiff/

Feel free to file bugs or feature requests there.  The temporary file
usage is fixed.  Ok, sure, if you have a world-writable /tmp directory
without a sticky bit, it may still be vulnerable.  Let's not get
nit-picky here.

Thanks,
Dan


> Best regards,
> Henri Salo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkxqiQQACgkQXf6hBi6kbk8/7wCgx4m4Wyv6i9GVfc9rNMLatDAW
> TQ4An1AqwYBkdJoCJ/7BefGFWXanIfSa
> =l+p+
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

On Tue, Aug 17, 2010 at 9:05 AM, Henri Salo <henri () nerv fi> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 26 Jul 2010 16:53:28 -0400
> Dan Rosenberg <drosenberg () vsecurity com> wrote:
>
> > Hello,
> >
> > I'd like to announce FuzzDiff, a simple tool to help make crash
> > analysis during file format fuzzing a bit easier.  I'm sure many
> > people have written similar tools for their own purposes, but I
> > haven't seen any that are publicly available.  Hopefully at least one
> > person finds it useful.
> >
> > When provided with a fuzzed file, a corresponding original un-fuzzed
> > file, and the path to the targeted program, FuzzDiff will selectively
> > "un-fuzz" portions of the fuzzed file while re-launching the
> > application to monitor for crashes.  This will yield a file that still
> > crashes the target application, but contains a minimum set of changes
> > from the original, un-fuzzed file.  This can be useful in pinning down
> > the exact cause of a crash.
> >
> > The tool is written in Python and currently only works on Unix-based
> > systems, since it monitors for crashes by checking for SIGSEGV.  It
> > also assumes that the target program adheres to the syntax "[program]
> > [args] [input file]".  Both of these limitations can be easily worked
> > around.  The code is hardly what I'd call production-ready, but it
> > gets the job done.
> >
> > The tool is available at:
> > http://vsecurity.com/resources/tool
> >
> > Happy hacking,
> > Dan Rosenberg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/