confidence 2015: fuzz your way into the web server's zoo - andrey plastunov
TRANSCRIPT
Andrey Plastunov, Digital Security (dsec.ru)
Fuzz your way into the web server’s zoo
[Agenda]
[The Zoo]
➢ Web proxies
○ Content-filtering
○ Tunneling
○ ...
➢ Embedded systems
○ Routers and other network devices
○ Industrial devices
○ ...
➢ Non-default modules in mainstream servers
➢ Other software
------------------------------
➔ Clients
[The HTTP]
POST /do/not/touch?my=server HTTP/1.1
HOST: www.victim.com
User-Agent: Fuzzy browser
Content-Type: text/html
Content-Length: 42

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111

The same request as it travels on the wire:
POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n

Request line:
POST /do/not/touch?my=server HTTP/1.1
Method [fuzzable]
URI [fuzzable]
parameters [fuzzable]
protocol version [fuzzable?]

Methods:
STANDARD: GET POST HEAD OPTIONS TRACE CONNECT PUT DELETE
WEBDAV: PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK + versioning extensions
CUSTOM: Anything a developer can imagine (e.g. VALIDATE, CURATE, etc.)

In case of connecting via proxy:
POST http://server.name/do/not/touch?my=server HTTP/1.1
Method [fuzzable]
Server name [fuzzable]
URI [fuzzable]
parameters [fuzzable]
protocol version [fuzzable?]

Headers:
HOST: www.victim.com
User-Agent: Fuzzy browser
Content-Type: text/html
Content-Length: 42
Values [fuzzable]
pair (header:value) [fuzzable]
Some google.com examples of complex headers:
Cookie: PREF=ID=d58a20b32d82347c:U=866f4da1ca2cc94c:FF=0:TM=1432555395:LM=1432555397:S=DzXF-knTmsVgJcCF; NID=67=H71Q3BwamddYRlgS5a9N0AZ1UqRAbcOcVORM3AJ3pb7i8WajPH7QDWuWNx5AYUvqBqrysr0QeuqG5QZfjJmEIMLoCSoPF0nA307pAb9GgmmA0Rl8Pg1ls8g4106DEbSz

Body with Content-type: application/x-www-form-urlencoded
name=post_example&very_tricky_parameter=hi!
Same as for URL data: [fuzzable]

Body with Content-type: multipart/form-data
---Boundary_value
Content-Disposition: form-data; name="description"

test
---Boundary_value
Content-Disposition: form-data; name="file_content"; filename="test.dat"

\xde\xad\xbe\xef
---Boundary_value
mime parameter [fuzzable]
data header [fuzzable]
plain text value [fuzzable]
binary value [fuzzable]

Delimiters [fuzzable]
POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nAccept: text/html,application/xml\r\n Content-Type: text/html\r\nCookie: id=olololo;TheAnswer=42Content-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n
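To make the slide's anatomy concrete, here is an added example (not the talk's or the wuzzer's code) that splits a raw request into exactly the components marked fuzzable above: method, server name (absolute-form target, the proxy case), URI, query parameters, protocol version, header pairs and body. The sample request is constructed from the slide; the CRLF delimiters are checked because a missing one is itself a malformed input.

```python
"""Decompose a raw HTTP/1.1 request into the components the talk marks as
fuzzable. Added example, not the wuzzer's code. SAMPLE is constructed
from the slide's request as it looks on the wire."""
from urllib.parse import urlsplit, parse_qsl

SAMPLE = (b"POST /do/not/touch?my=server HTTP/1.1\r\n"
          b"HOST: www.victim.com\r\n"
          b"User-Agent: Fuzzy browser\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 42\r\n"
          b"\r\n"
          b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n")


def decompose(raw: bytes) -> dict:
    """Return request-line parts, header pairs and body as separate fields,
    so each can be examined (or mutated) independently of the others."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF delimiter: incomplete request head")
    lines = head.split(b"\r\n")
    # Request line: method SP target SP version
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    parts = urlsplit(target)
    # Absolute-form target (request sent via a proxy) also carries the server name.
    server_name = parts.netloc or None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"header line without ':' delimiter: {line!r}")
        headers.append((name.strip(), value.strip()))
    return {
        "method": method,
        "server_name": server_name,
        "uri": parts.path,
        "parameters": parse_qsl(parts.query, keep_blank_values=True),
        "version": version,
        "headers": headers,
        "body": body,
    }


if __name__ == "__main__":
    for field, value in decompose(SAMPLE).items():
        print(f"{field:12} {value!r}")
```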
[Fuzzing approaches]

[Straight fuzzing]
Client (Fuzzer) --(FUZZ) HTTP REQUEST--> Web Server
Client (Fuzzer) <--HTTP RESPONSE-- Web Server

[Reverse fuzzing]
Client --HTTP REQUEST--> Web Server (Fuzzer)
Client <--(FUZZ) HTTP RESPONSE-- Web Server (Fuzzer)
Difficulties:
➢ There is no possibility to check the client's health by directly communicating with it
➢ Additional tweaks needed to re-run the client after each request

[Double fuzzing]
Client (Fuzzer) --(FUZZ) HTTP REQUEST--> HTTP Proxy --(FUZZ) HTTP REQUEST--> Web Server (Fuzzer)
Client (Fuzzer) <--(FUZZ) HTTP RESPONSE-- HTTP Proxy <--(FUZZ) HTTP RESPONSE-- Web Server (Fuzzer)
[The detection]
➢ Traffic analysis
➢ Local process monitoring
➢ Some heuristics based on responses from target
○ Comparing with reference response
p.s. still alpha version :-)
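The third detection source, heuristics on the target's responses compared with a reference, can be sketched in a few lines. This is an added example, not the wuzzer's monitor: the verdict categories, the `Server` header comparison and the 50% body-size threshold are assumptions, and the responses are constructed.

```python
"""Response-based health heuristic: compare the answer to a test case with a
reference response recorded for the unmodified request. Added example, not
the wuzzer's monitor; categories and the 50% size threshold are assumptions."""
from typing import Optional

# Constructed sample responses: the reference, then three observations.
REFERENCE = {"status": 200, "headers": {"Server": "zoo/1.0"},
             "body": b"<html>" + b"x" * 1000 + b"</html>"}
OBSERVED = [
    {"status": 200, "headers": {"Server": "zoo/1.0"}, "body": REFERENCE["body"]},
    {"status": 500, "headers": {"Server": "zoo/1.0"}, "body": b"error"},
    None,   # connection reset or timeout: nothing came back at all
]


def classify(reference: dict, observed: Optional[dict]) -> str:
    """Return a short verdict for one observed response."""
    if observed is None:
        return "no-response"        # possible crash or hang: check the process
    if observed["status"] >= 500 and reference["status"] < 500:
        return "server-error"       # new 5xx: unhandled exception candidate
    ref_srv = reference["headers"].get("Server")
    if ref_srv and observed["headers"].get("Server") != ref_srv:
        return "server-changed"     # a different backend answered, maybe after a restart
    if observed["status"] != reference["status"]:
        return "status-changed"
    ref_len, obs_len = len(reference["body"]), len(observed["body"])
    if ref_len and abs(obs_len - ref_len) / ref_len > 0.5:
        return "body-size"          # length deviates more than 50% from the reference
    return "same-as-reference"


def triage(reference: dict, responses) -> dict:
    """Count verdicts over a batch; anything but same-as-reference is worth a
    look together with the traffic and process monitoring."""
    counts = {}
    for resp in responses:
        verdict = classify(reference, resp)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(REFERENCE, OBSERVED))
```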
[The wuzzer]
Components (diagram): Generator -> Queue -> Transmitter -> Target; Monitor
Wuzzer / Target flow (diagram labels):
1. Task
2. Task
3. REQ
4. Statistic
5. RESP
6. Results Log
7. Results
Paid advertisement =)
PyZZUF by @nezlooy https://github.com/nezlooy/pyZZUF
Look for the wuzzer updates at
https://www.github.com/osakaaa
[The examples]
Content-Length: -2
➢ An Integer Overflow causes a memory consumption bug

Content-Length: 601
➢ Crash due to an unhandled exception in strcpy_s

Content-Length: -0
➢ Integer Overflow causes Stack Buffer Overflow

Authorization: Basic (login name > 16kb)
➢ Causes stack buffer overflow (??)

Accept-language: en-US,,,,<1000>,,,,,ru-RU
➢ Buffer Overflow (???)

MS15-034: Range: Bytes: 18-18446744073709551615
➢ Integer Overflow

CVE-2014-5289: Long URI in POST request: POST /AAAAAAA….<736>...AAAAA
➢ Stack Buffer Overflow
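Several of the crashes above start with a header value that should never have reached a size computation. As an added example (not from the talk or any of the affected servers), the strict parsers below reject the `Content-Length` and `Range` values the slides list before they are turned into a buffer size; `MAX_BODY` and `MAX_RANGE_END` are assumed limits. `601` is syntactically legal and passes: that crash is about what the server does with the value, not its syntax.

```python
"""Strict parsing of the two headers behind the talk's crash examples.
Added example, not the talk's code. A plain int() accepts '-2' and '-0',
and a byte-range end of 2**64-1 is syntactically valid; these checks
refuse such values before they become a size. Limits are assumptions."""
import re

MAX_BODY = 10 * 1024 * 1024     # assumed upper bound on an accepted request body
MAX_RANGE_END = 2 ** 63 - 1     # assumed; keeps end+1 far from any integer edge


def strict_content_length(value: str) -> int:
    """Accept only a non-negative decimal integer within the body limit."""
    v = value.strip()                      # optional whitespace around the value
    if not re.fullmatch(r"[0-9]+", v):     # no sign, no exponent, no junk
        raise ValueError(f"Content-Length is not a non-negative integer: {value!r}")
    n = int(v)
    if n > MAX_BODY:
        raise ValueError(f"Content-Length {n} exceeds the limit of {MAX_BODY}")
    return n


def strict_byte_range(value: str):
    """Parse 'bytes=start-end' (end optional) into (start, end or None),
    refusing reversed ranges and ends beyond MAX_RANGE_END."""
    m = re.fullmatch(r"bytes=([0-9]+)-([0-9]*)", value.strip())
    if not m:
        raise ValueError(f"unsupported Range syntax: {value!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else None
    if end is not None and (end < start or end > MAX_RANGE_END):
        raise ValueError(f"Range end out of bounds: {value!r}")
    return start, end


if __name__ == "__main__":
    for raw in ("42", "601", "-2", "-0"):
        try:
            print("Content-Length", raw, "->", strict_content_length(raw))
        except ValueError as err:
            print("Content-Length", raw, "-> rejected:", err)
```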
[The end]