winafl network fuzzing

Fuzzing the Office Ecosystem. June 8, 2021. Research by: Netanel Ben-Simon and Sagi Tzadik. Introduction. Microsoft Office is very commonly used software that can be found on almost any standard computer. Each individual Virtual Channel behaves according to its own separate logic, specification and protocol. For instance, sometimes small out-of-bounds reads will not trigger a crash, depending on what's done with the read value, but they can still hide a bigger looming threat. Well, I'm not sure myself; it is not documented (at least at the time I am writing this article). Over the last few years, we have reported various issues to Microsoft in various Windows components including GDI+ and have received CVEs for them. In this article, I will address different fuzzing types and show how to use one of them, WinAFL. On the other hand, as we said, we can't perform fixed message type fuzzing at all either, because of state verification. Microsoft has its own implementation of RDP (client and server) built into Windows. Please run the In case of server fuzzing, if the server socket has the SO_REUSEADDR option set as in the following code, this may cause a 10055 error after some time fuzzing, due to the accumulation of TIME_WAIT sockets when WinAFL restarts the fuzzing process. The reason was that the client closes the channel as soon as the smallest thing goes wrong while handling an incoming PDU (length checking failure, unrecognized enum value). RDPDR is a Static Virtual Channel dedicated to redirecting access from the server to the client file system. Such an approach allows you to avoid wasting extra time on the program launch and initialization, and significantly increases the fuzzing speed. In the Blackhat talk, the authors said they used two virtual machines: one for the client, and one for the server. On a more serious note, if you can't reproduce the crash: too often I found crashes that I couldn't reproduce and had no idea how to analyze.
WinAFL supports loading a custom mutator from a third-party DLL. It's easy to lack the motivation to have the right attitude at the right time towards a certain type of result, and to actually get stuff done (investigating, confirming/rejecting hypotheses, etc.). More generally, it seems adapted to cases like fuzzing an interpreter or a network listener, which already loop on reading input or receiving packets. WinAFL invokes the custom mutator before all the built-in mutations, and the custom mutator can skip all the built-in mutations by returning a non-zero value. It is a Device I/O Request PDU (0x4952) of sub-type Device Control Request (0x000e). Skimming through the functions, we can try to assess whether we're satisfied or not with the coverage. What is the command line to run WinAFL? In summary, we make the following contributions: we identified the major challenges of fuzzing closed-source Windows applications; following instrumentation modes: These instrumentation modes are described in more detail in the separate Therefore, we will use DynamoRIO, a well-known dynamic binary instrumentation framework. Usually it's in mstscax.dll, but it could also happen in another module. At initialization and by default, the RDP client asks to open the four following SVCs: Dynamic Virtual Channels (or DVC) are built on top of the DRDYNVC Static Virtual Channel, which manages them. It allows copying several types of data (text, image, files) from server to client and from client to server. This can be enabled by giving the -s option to afl-fuzz.exe. Therefore, to avoid any issues, let's compile WinAFL together with the latest DynamoRIO version. 2 = Quite satisfied with my fuzzing campaigns (but there might be more to fuzz). The following cmake configuration options are supported: -DDynamoRIO_DIR=..\path\to\DynamoRIO\cmake - Needed to build the RDPWrap tampers with the server in order to allow local connections, and even concurrent sessions.
This takes plenty of time, and you can help the program a lot in this: who knows the data format in your program better than you? This article will not explain the Remote Desktop Protocol in depth. We technically have everything we need to start WinAFL. Since the seeds include the header, the fuzzer will also mutate it, including the msgType field. Once the channel is closed, we can't send PDUs anymore. Do we really need that? If dissecting the payload does not yield anything, maybe it's a stateful bug and you're doomed. I have described an ideal target, but the real one may be far from this ideal; so, as an example, I used a statically compiled program from my old stocks; its main executable file is 8 MB in size. https://github.com/googleprojectzero/winafl/blob/master/readme_pt.md, -DUSE_COLOR=1 - color support (Windows 10 Anniversary edition or higher), -DUSE_DRSYMS=1 - Drsyms support (use symbols when available to obtain This will greatly help us develop a fuzzing harness. Also, you can use the In App Persistence mode described above if your application runs the target function in a loop on its own. In layman's terms: imagine WinAFL finds a crash and saves the corresponding mutation. But you still need to make the client allocate enough memory to reach death by swap. Then I restart the program and see that the two arguments are the paths to my test file and a temporary file. Forgetting this option while fuzzing the RDP client will inevitably nuke stability, and the fuzzing will likely not be coverage-guided. Don't forget to disable the debug mode! UDP is also supported to improve performance for certain tasks such as bitmap or audio delivery. Therefore, as soon as there is an out-of-bounds access, the client will crash. So it seems that it is indeed used, rightfully, for security purposes. It describes the channel's functioning quite exhaustively, as well as: With a good picture of the channel in mind, we can now start reversing the RDP client.
We're gonna have to manually reconstruct the puzzle pieces! issues on Windows 10 v1809, though there are workarounds, Mutations are repeatedly performed on samples which must initially come from what we call a corpus. When do we stop exactly? AFL/WinAFL work by continuously sending and mutating inputs to the target program, to make it behave unexpectedly (and hopefully crash). This means we probably won't be able to find a lot of stateful bugs, if a PDU in a sequence triggers the channel closing. vulnerabilities in real products. Instead of: The following afl-fuzz options are supported: Please refer to the original AFL documentation for more info on these flags. In this bootcamp, you will learn the basics of how to fuzz closed-source binaries with WinAFL. Even though it finds fewer bugs, they're usually easier to reproduce. modes with WinAFL: Before using WinAFL for the first time, you should read the documentation for The logic used in WinAFL has a number of simple requirements for the target function used for fuzzing. As an added bonus, we can take our user-space bugs and use them together with any . I did mention the function we target should be fuzzed in a loop without restarting the process. https://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L111. But fuzzing the RDP client, I often got speeds between 50 and 1000 execs/s. However, understanding which sequence of PDUs made the client crash is hard, not to say often a lost cause. Note that you need a 64-bit winafl.dll build if WTSVirtualChannelOpenEx(WTS_CURRENT_SESSION. Let's examine the most important of them in order. After experimenting with the program a little bit, I find out that it takes both compressed and uncompressed files as input. Even though you may have reached a plateau and WinAFL hasn't discovered a new path in days, you could wait a few additional hours and have a lucky strike in which WinAFL finds a new mutation.
Basic, core functionalities of an RDP client include: However, a lot of other information can be exchanged between an RDP client and an RDP server: sound, clipboard, support for special types of hardware, etc. We have just talked about how DynamoRIO monitors code coverage; it starts monitoring it when entering the target function, and stops on return. And the first minutes of fuzzing bring the first crashes! This way, I can split the resulting coverage per thread, making it less cluttered. It takes a set of test cases and throws them at the . The -H option in the previous section is used to trigger the target function for the first time when performing in-memory fuzzing. Of course, on systems with a moderate amount of RAM like an employee's laptop, this may be dangerous. However, DynamoRIO does not have such a feature, and we can't do it through procdump or MiniDumpWriteDump either, because the client is already a debuggee of DynamoRIO (drrun). Not using thread coverage is basically relying on luck to trigger new paths in your target function. We need to find a way to skip this condition to trigger the bug. It allows creating/opening and closing DVCs, and data transported through DVCs is actually transported over DRDYNVC, which acts as a wrapping layer. You are not able to reproduce the crash manually. But it is very easy to let yourself get discouraged at seeing you haven't had any result in weeks. In this post, we detail our root cause analysis of one such vulnerability which we found using WinAFL: CVE-2021-1665 - GDI+ Remote Code Execution Vulnerability. Fuzzing feeds nonstandard data (either executable code, a dynamic library, or a driver) to a computer program in an attempt to cause a failure. I am looking for ways to fuzz Microsoft Office, let's say Winword.exe. I resume the program execution and continue it until I see the path to my test file in the list of arguments.
Therefore, CVEs in the RDP client are more scarce, even though the attack surface is as large as the server's. It is opened by default. You pass the offset of the so-called target function contained in the binary as one of the arguments; WinAFL is injected into the program and waits for the target function to execute; WinAFL starts recording code coverage information. I would like to thank Thalium for giving me the opportunity to work on this subject, which I had a lot of fun with, and which also allowed me to skill up in Windows reverse engineering and fuzzing. The function selected for fuzzing must be completely executed; therefore, I set a breakpoint at the end of this function to make sure that this requirement is met, and press the F9 button in the debugger. Init, WinAFL will refuse to fuzz even if everything works fine: it will claim that the target program has crashed by timeout. Mitigations Team for his contributions! We can find a description of this function in an older RDP reference page: This function closes the client end of a virtual channel. Everything works, everything is sunshine and rainbows, maybe we've even been lucky enough to find bugs. This article will primarily concentrate on what we need to know in order to fuzz Virtual Channels. To do so, add the -debug parameter to the arguments of the instrumentation library. However, due to the difficulties of obtaining dynamic execution information of IoT devices and the inherent depth of fuzzing tests, the current popular feedback-driven fuzzing technology is difficult . The objective was to go even further, by coming up with a general methodology for attacking Virtual Channels in RDP, and fuzz more of Microsoft's RDP client with WinAFL. Based on the CFile::Open prototypes from the MSDN documentation, the a1 and a2 variables are file paths. But what do we fuzz, and how do we get started? This is easily done with the WTS API I mentioned earlier, which allows opening, reading from and writing to a channel. Close the input file.
Download and install Visual Studio 2019 Community Edition (when installing, select "Develop classic C++ applications"). The DLL should export the following two functions: We have implemented two sample DLLs for network-based application fuzzing that you can customize for your own purposes. The Remote Desktop Protocol (RDP) is a proprietary protocol designed by Microsoft which allows the user of an RDP Client software to connect to a remote computer over the network with a graphical interface. Nothing particularly shocking right away. For RDPSND, our target method's name is rather straightforward. The client will save this list of formats in this->savedAudioFormats. If the program operates normally, it should have the same numbers of "In pre_fuzz_handler" and "In post_fuzz_handler" lines. It uses the detected syntax units to generate new cases for fuzzing. For instance, if you notice the message type has a field which is an array of dynamic length, and that this length is coded inside another field and does not seem to match the actual number of elements in the array, maybe it's an out-of-bounds bug about improper length checking. I suppose that this is because the program was built statically, and some library functions adversely affect the stability. Each channel behaves independently, has a different protocol parser, different logic, lots of different structures, and can hide many bugs! Maybe this will lead me to new findings, and even a reproducible bug. To avoid this, replace the SO_REUSEADDR option with the SO_LINGER option in the server source code, if available. More specifically, the I/O Request handler, DrDevice::ProcessIORequest, dispatches the PDU to a Smart Card sub-protocol handler (W32SCard::MsgIrpDeviceControl). Whereas what I should have been thinking all this time is: something is broken, and that's good because that's what I'm aiming for.
Imagine a Windows machine that hosts several critical services, and from which you can connect to another machine through RDP: since the DoS hangs the entire system, these critical services would be impacted too. I came up with basically two different strategies for fuzzing a channel that I will detail: mixed message type fuzzing and fixed message type fuzzing. fast target execution with clever heuristics to find new execution paths in This implies a lot; we will talk about this. Here's what our fuzzing architecture resembles now. These can happen in parsing logic: in RDPSND (and similarly in many other channels), the Header includes a BodySize field which must be equal to the length of the actual PDU body. Although this requires having reverse engineered the channel enough to have a good picture in mind of what's going on; more specifically, knowing all the functions and basic blocks we are interested in. I set breakpoints at its beginning and end to examine its arguments and understand what happens to them by the end of its execution. This class is designed to introduce students to the best tools and technology available for automating vulnerability discovery and crash triage, with a focus on delivering a practical approach to finding vulnerabilities in real world targets. CLIPRDR is a static virtual channel dedicated to synchronization of the clipboard between the server and the client. Unfortunately, the way channels globally work in RDP is somewhat circuitous and I never got around to fully figuring it out. Check a simple harness here: https://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L41 It is also integrated inside many products of the Microsoft / Windows ecosystem such as Office itself, Outlook and Office Online.
By giving the options below, fuzzing input can be delivered into the target process memory. Time to examine the contents of these files. Dynamic instrumentation using DynamoRIO (. execution. Since we're fuzzing a network client, we want our harness to act like a server that sends mutations to the client over the network. So what is this no-loop mode, you ask me? Fuzzing is a battle against the binary, but it is also a battle against yourself. Code coverage for our RDPSND fuzzing campaign using Lighthouse. The execution must reach the point of return from the function chosen for fuzzing. We now have a working harness and are pretty much ready to fuzz. The issue then probably comes, as hinted by the debug spew, from RpcCreateVirtualChannel. It was found within a few minutes of fuzzing. Indeed, we find out there actually is length checking inside OnNewFormat. Update: check the new WinAFL video here (no screen freeze in that one): https://www.youtube.com/watch?v=HLORLsNnPzo This video will talk about how to fuzz a simple C . in Kollective Kontiki listed above).
There is a second DLL, custom_winafl_server.dll, that allows WinAFL to act as a server and perform fuzzing of client-based applications. I will first explain the basics of the Remote Desktop Protocol. Perhaps multithreading affects it, too. This project is Concretely, we only lack two elements to start fuzzing: A good lead is to start by reading Microsoft's specification (e.g. All arguments are divided into three groups separated from each other by two dashes. The in-memory fuzzing implementation not only restores the register context, but also writes the fuzzing input into the process memory holding the PDU buffer. end of each heap allocation. To bypass this constraint, there exists a wonderful tool called RDPWrap. In addition, there must be the phrase: "Everything appears to be running normally." Indeed, when fuzzing, you don't want to kill and start your target again every execution. WinAFL is a fuzzer for Windows which can take a corpus of input files, track which code is executed, and generate new inputs to execute new execution paths. For this purpose, it uses three techniques: Let's focus on the classical first variant since it's the easiest and most straightforward one. This is accomplished by selecting a target function (that the When WinAFL exits the target function, it pauses the program, substitutes the input file, overwrites the RIP/EIP with the address of the function start, and continues; and. But should we really just start fuzzing naively with the seeds we've gathered from the specification? You can easily bypass this protection by connecting to 127.0.0.2, which is equivalent. I also got two CVEs in FreeRDP.
This function looks very interesting and deserves a detailed examination. There are two functions of interest: The issue must come either from the ACL, or from the handling logic. Aside from this engaging motive, most vulnerability research seems to be focused on Microsoft's RDP server implementation. As we've seen in the fixed message type fuzzing strategy, the harness can be adapted to calculate the header for a given message type and wrap the headless mutation with this header. Upgrading to 8 GB of RAM solved the issue, meaning the memory overcommitment was not as violent as in the CLIPRDR bug. Before going any further, I would like to tackle an important concern. It's also useful if your program tries to call a function using GetProcAddress. To improve the process startup time, WinAFL relies heavily on persistent If something behaves strangely, then I need to find the reason why. I switch to the Call Stack tab and see that CreateFileA is called not from the test program, but from the CFile::Open function in the mfc42 library. If WinAFL does not find the new target process within 10 seconds, it will terminate. As you can see, it's used in four functions. You still need to find the target function and make sure that this function receives data from the network, parses it, and returns normally. It is also the base channel that hosts several sub-extensions such as the smart card extension, the printing extension or the ports extension. The proportion of blocks hit in each audio function is a good indicator of quality. The initial idea was to follow up on a conference talk from Blackhat Europe 2019. Finally, there are two kinds of Virtual Channels: static ones and dynamic ones. All you need is to set up the port to listen on for incoming connections from your target application. Shared memory is faster and can avoid some problems with files (e.g. As said above, the function selected for fuzzing shouldn't have side effects.
When restoring the register context, we patched the WinAFL pre-fuzz handler to write the fuzzing input to the memory pointed to by the 3rd argument register, and to set the 2nd argument register to the length of the fuzzing input. [...] If it goes into red, you may be in trouble, since AFL will have difficulty discerning between meaningful and phantom effects of tweaking the input file. WinAFL can recover the syntax of the target's data format (e.g. Copy them and the folder with DynamoRIO to the virtual machine you are going to use for fuzzing. Fuzzing is the generalized process of feeding random inputs to an executable program in order to create a crash. Thus, my exploit sends the malicious payloads in smaller 128 MB increments to adapt to the amount of RAM on the victim's system. Our harness, the VC Server, can do much more than just echo mutations. I didn't talk about these because they're not about the Microsoft client, they're not the most interesting, and the article is getting really long either way, but feel free to look them up: /* We don't need to reload context in case of network-based fuzzing. But it has the advantage of stopping coverage measurement at return. A drawback of this strategy is that crash analysis becomes more difficult. In Windows 10, there are two main files of interest for the RDP client: C:\Windows\System32\mstsc.exe and C:\Windows\System32\mstscax.dll. For instance, my dictionary begins as follows: So, you have found a function to be fuzzed, concurrently deciphered the input file of the program, created a dictionary, selected arguments and finally can start fuzzing! They are especially used by developers to create extensions, but also by red teamers to exfiltrate data, bypass firewalls, etc. This function is a virtual extension that can be used to protect per-session data in the virtual channel client DLL.
What is fuzzing? In particular, they found a bug by fuzzing the Virtual Channels of RDP using WinAFL. However, bugs can still happen before the channel is closed, and some bugs may not even trigger it. To enable this option, you need to specify the -l <path> argument. A dumped example is as follows. Fuzzing is gambling. I want to know which modules or functions do the parsing of file formats like RTF, .DOCX, .DOC, etc. Also, it only works once (the payload won't work twice in the same RDP session), so the value of OutputBufferField should be premeditated: we can't do small increments. From this bug, we learned a golden rule of fuzzing: that it is not only about crashes. Attempt at RDP loopback connection. Identifying handlers for each message type. In the above example, stability was 9.5%. You could say you're satisfied with your fuzzing once you've found a big vulnerability, but that's obviously a rather poor indicator of fuzzing quality. 2021-08-03 Microsoft acknowledged the RDPDR heap leak bug and started developing a fix. Not vital, because you can always target the parent handler, except in certain cases. Oops. By design, Microsoft RDP prevents a client from connecting from the same machine, both at server level and client level. To achieve that, I used frida-drcov.py from Lighthouse. What are the variou. The thing is, I spent an unreasonable amount of time thinking: this problem sucks, I can't go any further because of it, my setup is broken, I don't know why, and I am doomed because I cannot fuzz anymore. WinAFL has been successfully used to identify bugs in Windows software, such as the following: If you are building with DynamoRIO support, download and build
Too bad, custom_net_fuzzer works pretty slowly because it sends network requests to its target, and additional time is spent on their processing. In this case: lie down, try not to cry, cry a lot. I feel like attitude plays a great role in fuzzing. It looks more like legacy. 2021-07-28 FreeRDP released version 2.4.0 of the client and published. The PDU sub-handling logic is therefore run in a different thread. We need to locate where incoming PDUs in the channel are handled. These documents are an invaluable resource; each channel has its own open specification, and some can span more than a hundred pages. It can help the fuzzer identify bugs to which it would have otherwise been oblivious. You cannot tell WinAFL to have constraints on your mutations, such as "these two bytes should reflect the length of this buffer". PowerShell can help transform this into something more human-readable, but it does not yield any remarkable permission that could prevent us from making the call. here for RDPSND). I debugged the TermService svchost process and stepped until ending up inside rdpcorets.dll.
