Introduced SVG FuzzingI've been thinking about writing an SVG fuzzer for a long time, and now the time has come. It's only a few lines in source so far, and this one is written in C#. In my scenario, I don't think C is a good language to write fuzzer, and to write security testing tools in general. Despite this, I've got all of them written in C. It's time for change because I can see that it's much easier to expand C# program, so I might rewrite some of them. Anyway, the SVG fuzzer is mutation based. It currently supports to mix-up tags only, but has simple functionality to define the number of output files to generate, and the number of fuzzing rounds to apply on each sample. I have to look at the SVG specification and to inspect SVG files in more detail to find out more and more creative test cases.
I've got 130 template files that I currently use. I fuzzed them with the option to generate 1000 altered files from each input files, so all together I've got 130000 files.
The samples were generated to test browsers. When executed the test, Opera, with some exceptions, kept displaying a message "XML parsing failed" rather than showing up broken images. I thought it will pass all test cases because of bailing out early. That was not the case. I encountered some crashes but they all tried to access to memory address near null. At the moment, I don't know code execution is possible with those crashes but probably not. The first crash was at about sample number 1500 though.
I had to disqualify Internet Explorer from the test because it kept popping up error messages, actually several and distinct error messages on all files nearly. I was able to suppress some of them by changing registry entries but still left a lot to resolve, and didn't immediately find a solution, so I consider resolving this in the future, probably in a generic way.