But you still need to make the client allocate enough memory to reach death by swap. Perhaps this channel is really meant not to be opened with the WTS API. We also notice a few more channels that are blacklisted the same way. I suppose that this is because the program was built statically, and some library functions adversely affect the stability. There is no guarantee whatsoever you will be able to reproduce the crash with this mutation only. If we find a crash, there's a high chance there are actually a lot of mutations that can trigger the same crash. Beheading the seeds (the fuzzer only needs to mutate on the bodies). More specifically, every time a crash is encountered, WinAFL/DynamoRIO will now log the exception address, module and offset, timestamp, and also exception information (like if there's an access violation on read, which address was tried to be read). Imagine a Windows machine that hosts several critical services, and from which you can connect to another machine through RDP: since the DoS hangs the entire system, these critical services would be impacted too. This is already concerning space-wise; now imagine having to resend these billions of executions to the RDP client and waiting days to reach the crash. This vulnerability resides in RDPDR's Printer sub-protocol. And a dictionary will help you in that. You can easily bypass this protection by connecting to 127.0.0.2, which is equivalent. WinAFL will save all the basic blocks encountered at each fuzzing iteration in a temporary buffer (in the thread of interest). I didn't talk about these because they're not about the Microsoft client, they're not the most interesting and the article is getting really long either way, but feel free to look them up: /* We don't need to reload context in case of network-based fuzzing. They also started reviewing this case for a potential bounty award.
Argument register index may vary by target function, so it is given as an execution option. RDP protocol stack from Explain Like I'm 5: Remote Desktop Protocol (RDP). However, it will still restart from time to time: for instance, when reaching the max number of fuzzing iterations (-fuzz_iterations parameter), or simply because of crashes (if we find some). Having the module and offset is already of huge help in understanding crashes though: start reversing the client where it crashed and work your way backwards. Using the Visual Studio command line, go to the folder with the WinAFL source code. You'll get tons of the same crashes in a row, which can heavily slow down fuzzing for certain periods of time. In this post, we detail our root cause analysis of one such vulnerability which we found using WinAFL: CVE-2021-1665 - GDI+ Remote Code Execution Vulnerability. The thing is, I spent an unreasonable amount of time thinking: this problem sucks, I can't go any further because of it, my setup is broken, I don't know why, and I am doomed because I cannot fuzz anymore. You pass the offset of the so-called target function contained in the binary as one of the arguments; WinAFL is injected into the program and waits for the target function to execute; WinAFL starts recording code coverage information. By activating PageHeap on mstsc.exe with the /full option, we ask Windows to place an inaccessible page at the end of each heap allocation. I would like to thank Thalium for giving me the opportunity to work on this subject which I had a lot of fun with, and that also allowed me to skill up in Windows reverse engineering and fuzzing. Here's what our fuzzing architecture resembles now. In this section, I will present some of my results in a few channels that I tried to fuzz. AFL/WinAFL work by continuously sending and mutating inputs to the target program, to make it behave unexpectedly (and hopefully crash).
Eventually, the value of the field OutputBufferLength (DWORD) is used for a malloc call on the client (inside DrUTL_AllocIOCompletePacket). When restoring register context, we patched the WinAFL pre-fuzz handler to write the fuzzing input at the memory pointed to by the 3rd argument register, and set the 2nd argument register to the length of the fuzzing input. If guessing won't work, another possibility is to capture code coverage at the moment we send a PDU over the target virtual channel. But Office doesn't have (public) symbols, which is very painful and makes tracing or investigating too hard. WinAFL's custom_net_fuzzer.dll allows WinAFL to fuzz network-based applications that receive and parse network data. Especially, the ones that are opened by default and for which there is plenty of documentation. They can add functional enhancements to an RDP session. As an added bonus, we can take our user-space bugs and use them together with any . I will first explain the basics of the Remote Desktop Protocol. The tool combines On a more serious note, if you can't reproduce the crash: too often I found crashes that I couldn't reproduce and had no idea how to analyze. Based on the contents of the test file, it is compressed, or encrypted, or encoded in some way. This new mutation could snowball into dozens of new paths, including a crash that leads to the next big RCE. Basic, core functionalities of an RDP client include: However, a lot of other information can be exchanged between an RDP client and an RDP server: sound, clipboard, support for special types of hardware, etc. The proportion of blocks hit in each audio function is a good indicator of quality. Of course, many crashes can still happen at the first depth level. This is a critical fact we must take into account for when we are fuzzing later!
It is worth noting a crash in an unknown module could mean the execution flow was redirected, which accounts for the most interesting bugs :). AFL is a popular fuzzing tool for coverage-guided fuzzing. When the program execution reaches the end of the function, edit the arguments, align the stack, change the RIP/EIP to the beginning of the function, etc. 2021-07-22 Sent vulnerability reports to Microsoft Security Response Center. Your goal is to increase the number of paths found per second. Here are the results after just three days of fuzzing: When do we stop exactly? Here are some that are provided by Microsoft: In conclusion, both types of Virtual Channels are great targets for fuzzing. In summary, we make the following contributions: We identified the major challenges of fuzzing closed-source Windows applications; In this case, just reverse to understand the root cause, analyze risk, and maybe grow the crash into a bigger vulnerability. If you are interested in that, there are other resources out there that will explain it well, such as articles, or even the official Microsoft specification itself. I came up with basically two different strategies for fuzzing a channel that I will detail: mixed message type fuzzing and fixed message type fuzzing. Indeed, any vulnerability found in these will directly impact most RDP clients. It would be painfully slow, especially with the RDP client, which can sometimes take 10 or 20 seconds to connect. Then, I will talk about my setup with WinAFL and fuzzing methodology. So, my strategy is to go up the call stack until I find a suitable function. So it seems that it is indeed used, rightfully, for security purposes. By replaying the whole history, you may hope the client behaves in a deterministic enough way that it reproduces the crash.
WinAFL has been successfully used to identify bugs in Windows software, such as the following: If you are building with DynamoRIO support, download and build How to check the program is getting instrumented correctly under DynamoRIO? In this method, we directly deliver the sample into process memory. But if you pay attention to the arguments, you'll realize that the target wants to open some of its service files, not the test file. WinAFL can recover the syntax of the target's data format (e.g. Therefore, to avoid any issues, let's compile WinAFL together with the latest DynamoRIO version. see googleprojectzero/winafl#145. In particular, DVCs can be opened and closed on the fly during an RDP session by the server. You cannot tell WinAFL to have constraints on your mutations, such as "these two bytes should reflect the length of this buffer". I want to know which modules or functions do the parsing of file formats like RTF, .DOCX, .DOC etc. This is good because it's always preferable to fuzz uncompressed files: the code coverage is much better and the chance to discover more interesting features is higher. Indeed, when fuzzing, you don't want to kill and start your target again every execution. In this bootcamp, you will learn the basics of how to fuzz closed-source binaries with WinAFL. This way, I can split the resulting coverage per thread, making it less cluttered. Type the following commands. By that, I mean that unlike the other channels, it's a real state machine with proper state verification, and it is even documented. If a program always behaves the same for the same input data, it will earn a score of 100%. We have just talked about how DynamoRIO monitors code coverage; it starts monitoring it when entering the target function, and stops on return. Maybe this will lead me to new findings, and even a reproducible bug. the specific instrumentation mode you are interested in.
The reason was that the client closes the channel as soon as the smallest thing goes wrong while handling an incoming PDU (length checking failure, unrecognized enum value). Last but not least about execution of the RDP client while fuzzing. If you haven't already, check it out now (or after having finished reading this article)! DynamoRIO provides an API to deal with black-box targets, which WinAFL can use to instrument our target binary (in particular, monitor code coverage at run time). But it has the advantage of stopping coverage measurement at return. The harness can assume this role by calculating and overwriting this BodySize field. It is assumed that the target process will be restarted by an external script (or by the system itself). This article will not explain the Remote Desktop Protocol in depth. in Kollective Kontiki listed above). To illustrate this part, I will use the first channel I decided to attack: the RDPSND channel. The target being a network client, AFL is a popular fuzzing tool for coverage-guided fuzzing. Therefore, as soon as there is an out-of-bounds access, the client will crash. The following is a description of how . We're not gonna fuzz this channel forever, we've still got many other places to fuzz. Parsing complicated formats can be. After installing Visual Studio, you'll see in the Start menu shortcuts opening the Visual Studio command prompt: (1) x86 Native Tools Command Prompt for VS 2019; and (2) x64 Native Tools Command Prompt for VS 2019. The second one needs a bit more effort to set up, but allows going more in depth in each message type's logic. Shared memory is faster and can avoid some problems with files (e.g. If you intend to fuzz parsers of some well-known file formats, Google can help you a lot. This won't bring you any additional findings, but will slow down the fuzzing process significantly. The Art of Fuzzing - Demo 12 - Using PageHeap and ApplicationVerifier to find bugs.
Indeed, WTSAPI32 eventually ends up in RPCRT4.DLL, responsible for Remote Procedure Calls in Windows. Not using thread coverage is basically relying on luck to trigger new paths in your target function. The Remote Desktop Protocol provides multiplexed management of multiple virtual channels. If you haven't played around with WinAFL, it's a massive fuzzer created by Ivan Fratric based on lcamtuf's AFL which uses DynamoRIO to measure code coverage and the Windows API for memory and process creation. However, we found this option very useful and managed to find several vulnerabilities in network-based applications (e.g. There are many DVCs. create two users on the same virtual machine, User1 and User2; set up the RDP server with RDPWrap to allow remote connection for User1; use the RDP client in a User2 session, by connecting to 127.0.0.2 with the credentials of User1. Finally, there are two kinds of Virtual Channels: static ones and dynamic ones. The -H option in the previous section is used to trigger the target function for the first time when performing in-memory fuzzing. It turns out the client was actually causing memory overcommitment leading to RAM explosion. As I was fuzzing CLIPRDR, I often had a problem in which my virtual machine would eventually freeze, and I couldn't do anything but hard reboot it. Until current research about RDP fuzzing, a server agent was used to send back fuzzing input. We now have a working harness and are pretty much ready to fuzz.

When the number of such iterations reaches some maximum (you determine it yourself), WinAFL restarts the program. Even though it finds fewer bugs, they're usually easier to reproduce. Lighthouse is an IDA plugin to visualize code coverage. Fuzzing kernels has a set of additional challenges when compared to userland (or ring 3) fuzzing: First, crashes and timeouts mandate the use of virtualization to be able to catch faults and continue gracefully. Cyber attack scenario, Network Security. Let's say that our input binary has a size of 10 kB. Risk-wise, this is a case of remote system-wide denial of service. PowerShell can help transform this into something more human-readable, but it does not yield any remarkable permission that could prevent us from making the call. I kept blaming myself because the fuzzing setup is complex, unstable, and this was not the first time I was encountering weird bugs. However, understanding which sequence of PDUs made the client crash is hard, not to say often a lost cause. It is opened by default. roving (Richo Healey) Distfuzz-AFL (Martijn Bogaard) AFLDFF (quantumvm) afl-launch (Ben Nagy) AFL Utils (rc0r) AFL crash analyzer (floyd) afl-extras (fekir) afl-fuzzing-scripts (Tobias Ospelt) afl-sid (Jacek Wielemborek) afl-monitor. To see the supported instrumentation flags, please refer to the documentation. Some CVEs that came out during this period are CVE-2021-34535, CVE-2021-38631 and CVE-2021-41371. // Has wFormatNo changed since the last Wave PDU? WinAFL supports delivering samples via shared memory (as opposed to via a file, which is the default).
To better reproduce the crash, we implemented a machine context and call stack dump when a crash occurs. For this reason, DynamoRIO has a -thread-coverage option. It is our harness which runs parallel to the RDP server. CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253, https://github.com/DynamoRIO/dynamorio/releases, https://github.com/googleprojectzero/winafl/blob/master/readme_pt.md, https://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L41, https://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L111, CVE-2018-12853, CVE-2018-16024, CVE-2018-16023, CVE-2018-15995, CVE-2018-16004, CVE-2018-16005, CVE-2018-16007, CVE-2018-16009, CVE-2018-16010, CVE-2018-16043, CVE-2018-16045, CVE-2018-16046, CVE-2018-19719, CVE-2018-19720, CVE-2019-7045, [CVE-2021-33599, CVE-2021-33602, CVE-2021-40836, CVE-2021-40837, CVE-2022-28875, CVE-2022-28876, CVE-2022-28879, CVE-2022-28881, CVE-2022-28882, CVE-2022-28883, CVE-2022-28884, CVE-2022-28886, CVE-2022-28887 ], (Let me know if you know of any others, and I'll include them in the list), Dynamic instrumentation using DynamoRIO (. 45:42. For more info about the original project, To improve the process startup time, WinAFL relies heavily on persistent To use it, specify the -A option to afl-fuzz.exe, where is the name of a module loaded only by the target process (if the module is loaded by more than one process WinAFL will terminate). Let's examine the most important of them in order. In the Black Hat talk, the research was driven by the fact that North Korean hackers would allegedly carry out attacks through RDP servers acting as proxies. It's also useful if your program tries to call a function using GetProcAddress. This bug is less powerful than the CLIPRDR one because it only goes up to a 4 GB allocation. This function is a virtual extension that can be used to protect per-session data in the virtual channel client DLL.
We can convert such a log into the Mod+Offset format that Lighthouse can read to visualize code coverage. Based on the CFile::Open prototypes from the MSDN documentation, the a1 and a2 variables are file paths. If dissecting the payload does not yield anything, maybe it's a stateful bug and you're doomed. In the function CClipBase::OnLockClipData, this field is used with some kind of smart array object: Eventually, the function DynArray::CCleanType,unsigned long>::Grow is called and performs: My guess is that an array of dynamic length is used to store information, such as a lock tag, about file streams based on their id (if this is really the case, then it is probably a poor choice of data structure). fast target execution with clever heuristics to find new execution paths in Of course, this is specific to RDPSND and such patches should happen in each channel. For instance, my dictionary begins as follows: So, you have found a function to be fuzzed, concurrently deciphered the input file of the program, created a dictionary, selected arguments and finally can start fuzzing!