April 10, 2012

Brief SVG and Flash Fuzzing

We are just over a long weekend because of Easter bank holidays. It was an opportunity to do some kind of security experiments and I decided to improve my tiny fuzzers, and to run some brief tests with them.

Introduced SVG Fuzzing

I've been thinking about writing an SVG fuzzer for a long time, and now the time has come. It's only a few lines in source so far, and this one is written in C#. In my scenario, I don't think C is a good language to write fuzzer, and to write security testing tools in general. Despite this, I've got all of them written in C. It's time for change because I can see that it's much easier to expand C# program, so I might rewrite some of them. Anyway, the SVG fuzzer is mutation based. It currently supports to mix-up tags only, but has simple functionality to define the number of output files to generate, and the number of fuzzing rounds to apply on each sample. I have to look at the SVG specification and to inspect SVG files in more detail to find out more and more creative test cases.

I've got 130 template files that I currently use. I fuzzed them with the option to generate 1000 altered files from each input files, so all together I've got 130000 files.

The samples were generated to test browsers. When executed the test, Opera, with some exceptions, kept displaying a message "XML parsing failed" rather than showing up broken images. I thought it will pass all test cases because of bailing out early. That was not the case. I encountered some crashes but they all tried to access to memory address near null. At the moment, I don't know code execution is possible with those crashes but probably not. The first crash was at about sample number 1500 though.

When executed the test, Chrome and Firefox popped up JavaScript error messages on several occasions and the tests were stuck in until I manually closed the message boxes. It seemed that both browsers showed broken pictures rather than displaying error messages about failed parsing. None of them crashed though.

I had to disqualify Internet Explorer from the test because it kept popping up error messages, actually several and distinct error messages on all files nearly. I was able to suppress some of them by changing registry entries but still left a lot to resolve, and didn't immediately find a solution, so I consider resolving this in the future, probably in a generic way.

Fuzzing Flash Files

I have had about 5000 template samples, and targeted fuzzing control transfer instructions in a way to change the target addresses of the jumps. Generated about 300000 samples but didn't see Flash player crashing on any sample. Found a couple of infinite loops though.
  This blog is written and maintained by Attila Suszter. Read in Feed Reader.