Finding bugs in hivex with afl-fuzzer

Michał Zalewski’s blog has been even more interesting than usual lately: first he discovered that running “strings” on untrusted files can be exploitable, then he wrote an interesting article about pulling JPEG files out of thin air. In both cases he used his very practical fuzzer, American fuzzy lop (abbreviated to “afl”, also a breed of rabbit in case you were wondering).

It’s a very practical, easy to use, and dangerously good fuzzer. I’ve been running it on hivex — my library for reading the Windows registry, and found 3 crasher bugs within 48 hours (one of them within minutes) [Update: This turned out to be user error because I was mixing a newly built binary with the installed library. However it still demonstrated its effectiveness at finding bugs.]

Here’s how you too can exploit hivex and many other programs:

  1. Install afl (Fedora package review).
  2. Configure and build hivex like this:
    CC=/usr/bin/afl-gcc ./configure
  3. Copy the minimal hive to a new directory:
    mkdir input
    cp lib/minimal input/
  4. Run afl-fuzz:
    libtool --mode=execute afl-fuzz -i input -o output -f testme ./xml/hivexml testme

Sit back and watch afl find inputs that crash your program (see the output/crashes directory that afl creates).
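As an added example (not from the original post or from the hivex project), here is a small POSIX sh triage script for that output/crashes directory. It re-runs the target on every saved crasher and buckets the results by exit status: anything above 128 means the process died from a signal, which is what you want to reproduce before filing a bug. The target is passed as a command prefix, so you can run it through libtool --mode=execute exactly as the fuzzing command above does, which guards against the mix-up mentioned in the update (testing the freshly built hivexml against the installed libhivex instead of the one you just compiled). The paths and the example invocation at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: triage afl-fuzz crash files.
# Assumes the target takes the input path as its last argument, as
# "./xml/hivexml testme" does in the post.

# classify_run FILE CMD... -> prints "crash <SIGNAME>" or "exit <N>".
# Written with an if/else so it also behaves under "set -e".
classify_run() {
    file="$1"; shift
    if "$@" "$file" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -gt 128 ]; then
        # Exit status 128+n means the target was killed by signal n;
        # "kill -l n" turns the number into a name such as SEGV or ABRT.
        echo "crash $(kill -l $((status - 128)))"
    else
        echo "exit $status"
    fi
}

# count_reproducible CRASH_DIR CMD... -> prints the number of files that still
# crash the target; per-file results go to stderr so the count is easy to capture.
count_reproducible() {
    dir="$1"; shift
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # afl-fuzz may leave a README.txt next to the crash files; skip it.
        case "$f" in *README*) continue ;; esac
        result=$(classify_run "$f" "$@")
        case "$result" in crash*) n=$((n + 1)) ;; esac
        echo "$result $f" >&2
    done
    echo "$n"
}

# Placeholder invocation matching the post's layout (paths are assumptions):
# count_reproducible output/crashes libtool --mode=execute ./xml/hivexml
```

Files that come back as "exit 0" here were either a one-off (a timeout, a false positive from the wrong library being loaded) or depend on an environment detail you have not reproduced; the "crash" ones are the candidates worth minimising and running under gdb.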

Now my day will be spent examining the hivex bugs and submitting patches and/or CVEs for them.


Filed under Uncategorized

3 responses to “Finding bugs in hivex with afl-fuzzer”

  1. Hi Richard WM Jones, we have referred to your document, that’s awesome; you mentioned a lot of commands for modifying the image through guestfish. We request you, as per our requirements: what we want is, when we copy a file or directory to some other destination within the image, we need the full path, for example:
    > cp-a /usr/lib64/python2.7/dist-packages/ /tmp/test/

    when we execute the above command we are able to get only the file, but we want it like the following way:

    > /tmp/test/usr/lib64/python2.7/dist-packages/

    Like the above requirement, we are able to achieve this in Linux by providing the --parent flag while copying, but guestfish supports only limited commands; we request you: can we achieve this in guestfish in coming versions?

  2. Pingback: Using American Fuzzy Lop on network clients | Richard WM Jones
