Michał Zalewski’s blog has been even more interesting than usual lately: first he discovered that running “strings” on untrusted files can be exploitable, then he wrote an interesting article about pulling JPEG files out of thin air. In both cases he used his very practical fuzzer, American fuzzy lop (abbreviated to “afl”, also a breed of rabbit in case you were wondering).
It’s a very practical, easy to use, and dangerously good fuzzer. I’ve been running it on hivex — my library for reading the Windows registry — and found 3 crasher bugs within 48 hours (one of them within minutes). [Update: This turned out to be user error because I was mixing a newly built binary with the installed libhivex.so library. However it still demonstrated its effectiveness at finding bugs.]
Here’s how you too can exploit hivex and many other programs:
- Install afl (Fedora package review).
- Configure and build hivex like this:
CC=/usr/bin/afl-gcc ./configure
make
- Copy the minimal hive to a new directory:
mkdir input
cp lib/minimal input/
- Run afl-fuzz:
libtool --mode=execute afl-fuzz -i input -o output -f testme ./xml/hivexml testme
Sit back and watch afl find inputs that crash your program (see the output/crashes directory that afl creates).
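Once afl has been running for a while, the next job is working out which of the files in output/crashes actually reproduce, and which are the same bug. Here is a small triage script for that step. It is an added example, not code from this post or from hivex: it re-runs the target on each crash file and reports the ones that still terminate on a signal. The function names reproduce_crashes and count_crashes are my own, and the script assumes the target takes the input file as its last argument, which is how the hivexml invocation above is run.

```shell
#!/bin/sh
# Added example (not from the original post): re-run a target on every
# file afl-fuzz left in output/crashes and report which ones still
# reproduce, so duplicates can be grouped before opening a debugger.
# Assumes POSIX sh; the target command is supplied by the caller.

# reproduce_crashes CRASH_DIR CMD [ARGS...]
# Runs CMD with each crash file appended as its last argument and prints
# "<status> <file>" for every run that ended on a signal (exit status
# >= 128, e.g. 139 for SIGSEGV, 134 for SIGABRT). afl's own README.txt
# in the crashes directory is skipped. The target's output is discarded.
reproduce_crashes() {
    dir=$1
    shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in */README.txt) continue ;; esac
        # The if-form keeps a crashing target from tripping "set -e".
        if "$@" "$f" >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        if [ "$status" -ge 128 ]; then
            printf '%s %s\n' "$status" "$f"
        fi
    done
}

# count_crashes CRASH_DIR CMD [ARGS...]
# Number of files in CRASH_DIR that still produce a signal-terminated run.
count_crashes() {
    reproduce_crashes "$@" | wc -l | tr -d ' '
}

# Usage on the hivex setup from the post, after afl-fuzz has run a while:
#   reproduce_crashes output/crashes libtool --mode=execute ./xml/hivexml
```

The status column gives a first, coarse grouping (all the 139s are segfaults, the 134s are aborts); afl also records the signal in each crash file's name (`sig:11` and so on), so the two should agree. Inputs that make the target hang rather than crash are kept by afl in output/hangs, not output/crashes, so this loop will not stall on them unless a "crash" is really a slow path.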
Now my day will be spent examining the hivex bugs and submitting patches and/or CVEs for them.