fuzzing NTPsec with afl

Royce Williams royce at tycho.org
Mon Nov 21 23:11:12 UTC 2016


This can obviously wait until after the current CVE scramble dies down.

Below is how Stubman modified ntpd to be afl-friendly. I'm not sure,
but I think he modified ntpd to accept UDP "input" from stdin, and
created valid initial NTP UDP "packets" as test-case data with which
to "seed" afl.

Until lcamtuf brings the network-aware fork of afl into the main tree,
something similar to this approach is probably the most
forward-compatible one. The other alternative is to use Birdwell's
network-aware fork[1], but it has fallen behind the main afl tree.

Taking the stdin approach obviously won't exercise any skipped
network-specific code paths. It may take some ingenuity to identify
the minimum change that keeps the maximum amount of important code
exercised.

If those minimal changes are turned into a compile-time option, this
would enable adding fuzzing to the rolling test suite, perhaps using
some of Susan's resources.

Such an option would also increase the number of people who could
quickly start fuzzing ntpsec. This latter may be a bug or a feature,
depending on your perspective. :)

Royce (tychotithonus on IRC)

1. https://github.com/jdbirdwell/afl


---------- Forwarded message ----------
From: Magnus Stubman <magnus at stubman.eu>
Date: Mon, Nov 21, 2016 at 11:32 AM
Subject: [afl-users] CVE-2016-7434 found with AFL.
To: afl-users at googlegroups.com


Hi guys,

I found CVE-2016-7434, remote pre-auth DoS in the latest version of
ntpd, using afl-fuzz by modifying ntpd to accept input from stdin, and
then sending it to itself over UDP.

Full writeup: http://dumpco.re/cve-2016-7434/
Relevant sample code of my instrumentation: http://dumpco.re/afl/#43

As can be seen in the asciinema below, I’m fuzzing with above 11k
executions per second on a single core with ASAN. Therefore, I believe
that rewriting targets to accept testcases from stdin is superior
compared to using forks of afl which send packets over the network and
employ timeouts to estimate if the target is done processing the
testcase.

https://asciinema.org/a/1npswngnfah6m4m0et246e0lr

Michael, thanks for sharing your awesome tool.

Magnus.

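As an added illustration of the stdin-driven harness style discussed in both messages above (this is example code written for this page, not ntpd's code and not Stubman's instrumentation), the block below shows the two pieces such a harness needs: a parser entry point that takes one datagram's worth of bytes and a generator for a valid seed packet. It parses only the fixed 48-byte NTP header from RFC 5905 and counts anything after it as an opaque trailer; it does not reproduce the step in which the modified ntpd sends the bytes to itself over UDP. The 1500-byte datagram bound and the sample transmit timestamp are assumptions chosen for the example.

```c
/*
 * Minimal AFL stdin harness for the NTP wire format, written as an added
 * example of the approach discussed in the thread.  NOT ntpd's code and
 * NOT Stubman's instrumentation: it parses the 48-byte RFC 5905 header and
 * treats whatever follows as an opaque trailer (extension fields / MAC).
 * Build: afl-gcc -O1 -fsanitize=address -o ntp_harness ntp_harness.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTP_HDR_LEN 48
#define MAX_DGRAM   1500   /* assumed upper bound for one UDP datagram */

typedef struct {
    uint8_t  li, vn, mode, stratum;
    int8_t   poll, precision;
    uint32_t refid;
    uint64_t xmt;      /* transmit timestamp, 64-bit NTP format */
    size_t   trailer;  /* bytes after the header: extension fields / MAC */
} ntp_hdr_t;

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return (uint64_t)be32(p) << 32 | be32(p + 4);
}

static void put64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Parse one datagram.  Returns 0 on success, -1 if truncated, -2 if the
 * version field is outside 1..4.  Short inputs are the first thing AFL
 * will try, so the length check comes before any field access. */
int ntp_parse(const uint8_t *buf, size_t len, ntp_hdr_t *out)
{
    if (len < NTP_HDR_LEN)
        return -1;
    memset(out, 0, sizeof *out);
    out->li   = buf[0] >> 6;
    out->vn   = (buf[0] >> 3) & 7;
    out->mode = buf[0] & 7;
    if (out->vn < 1 || out->vn > 4)
        return -2;
    out->stratum   = buf[1];
    out->poll      = (int8_t)buf[2];
    out->precision = (int8_t)buf[3];
    out->refid     = be32(buf + 12);
    out->xmt       = be64(buf + 40);
    out->trailer   = len - NTP_HDR_LEN;
    return 0;
}

/* Build a well-formed v4 client request to drop into AFL's input
 * directory as the seed test case.  Returns the byte count written. */
size_t ntp_build_client_seed(uint8_t *buf, size_t cap, uint64_t xmt)
{
    if (cap < NTP_HDR_LEN)
        return 0;
    memset(buf, 0, NTP_HDR_LEN);
    buf[0] = (0 << 6) | (4 << 3) | 3;   /* LI=0, VN=4, Mode=3 (client) */
    buf[2] = 6;                         /* poll interval 2^6 s */
    buf[3] = (uint8_t)-20;              /* precision 2^-20 s */
    put64(buf + 40, xmt);
    return NTP_HDR_LEN;
}

/* Harness entry point: one fuzz case = one datagram on stdin.  With
 * --seed it writes the seed packet instead, so the same binary produces
 * its own starting corpus. */
int main(int argc, char **argv)
{
    uint8_t buf[MAX_DGRAM];
    ntp_hdr_t h;

    if (argc > 1 && strcmp(argv[1], "--seed") == 0) {
        /* sample transmit timestamp (assumed value, seconds since 1900) */
        size_t n = ntp_build_client_seed(buf, sizeof buf,
                                         (uint64_t)0xE3000000u << 32);
        fwrite(buf, 1, n, stdout);
        return 0;
    }
    size_t n = fread(buf, 1, sizeof buf, stdin);
    int rc = ntp_parse(buf, n, &h);
    if (rc == 0)
        fprintf(stderr, "v%u mode %u stratum %u trailer %zu\n",
                h.vn, h.mode, h.stratum, h.trailer);
    return rc == 0 ? 0 : 1;
}
```

Usage: `./ntp_harness --seed > in/client.bin`, then `afl-fuzz -i in -o out -- ./ntp_harness`. Exactly as the thread warns, this exercises the parser only: the socket receive path, source-address checks and rate limiting that run before a real ntpd ever looks at the header are never reached from stdin, so any finding has to be re-confirmed over a real UDP socket before it is called remotely reachable.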
