[confidence] fuzz your way into web server's zoo

Andrey PlastunovDigital Security (dsec.ru)

Fuzz your way into the web server’s zoo

● Pentester at dsec.ru [ ]@DSecRU

@plastunovaa@osakaaa

[email protected]

[About]

[Agenda]

[The Zoo]

➢ Web proxies

[The Zoo]

➢ Web proxies○ Content-filtering

[The Zoo]

➢ Web proxies○ Content-filtering○ Tunneling

[The Zoo]

➢ Web proxies○ Content-filtering○ Tunneling○ ...

[The Zoo]

➢ Web proxies➢ Embedded systems

[The Zoo]


○ Routers and other network devices

[The Zoo]



○ Industrial devices

[The Zoo]



○ Industrial devices○ ...

[The Zoo]

➢ Web proxies➢ Embedded systems➢ Non-default modules

in mainstream servers

[The Zoo]


in mainstream servers➢ Other software

[The Zoo]


in mainstream servers➢ Other software------------------------------➔ Clients

[The Zoo]

[The HTTP]

[The HTTP]

POST /do/not/touch?my=server HTTP/1.1HOST: www.victim.comUser-Agent: Fuzzy browserContent-Type: text/htmlContent-Length: 42

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111

http://www.victim.com

[The HTTP]

POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n


[The HTTP]

POST /do/not/touch?my=server HTTP/1.1

[The HTTP]


Method

[The HTTP]


MethodMethods:STANDARD: GET POST HEAD OPTIONS TRACE CONNECT PUT DELETEWEBDAV: PROPFIND PROPPATH MKCOL COPY MOVE LOCK UNLOCK + versioning extensionsCUSTOM: Anything a developer can imagine (e.g. VALIDATE, CURATE, etc.)

[The HTTP]


Method[fuzzable]

[The HTTP]


Method[fuzzable]

URI

[The HTTP]


Method[fuzzable]

URI[fuzzable]

[The HTTP]


Method[fuzzable]

URI[fuzzable]

parameters

[The HTTP]


Method[fuzzable]

URI[fuzzable]

parameters[fuzzable]

[The HTTP]


Method[fuzzable]

URI[fuzzable]


protocol version

[The HTTP]


Method[fuzzable]

URI[fuzzable]


protocol version[fuzzable?]

[The HTTP]

POST http://server.name/do/not/touch?my=server HTTP/1.1

URI[fuzzable]



In case of connecting via proxy:

Method[fuzzable]

Server name

[The HTTP]

POST http://server.name/do/not/touch?my=server HTTP/1.1

URI[fuzzable]



In case of connecting via proxy:

Method[fuzzable]

Server name[fuzzable]

[The HTTP]

HOST: www.victim.com User-Agent: Fuzzy browser

Content-Type: text/html Content-Length: 42


[The HTTP]



Values


[The HTTP]



Values

Some google.com examples of complex headers:

Cookie: PREF=ID=d58a20b32d82347c:U=866f4da1ca2cc94c:FF=0:TM=1432555395:LM=1432555397:S=DzXF-knTmsVgJcCF; NID=67=H71Q3BwamddYRlgS5a9N0AZ1UqRAbcOcVORM3AJ3pb7i8WajPH7QDWuWNx5AYUvqBqrysr0QeuqG5QZfjJmEIMLoCSoPF0nA307pAb9GgmmA0Rl8Pg1ls8g4106DEbSz


[The HTTP]



Values[fuzzable]


[The HTTP]



Values[fuzzable]pair(header:value)


[The HTTP]



Values[fuzzable]pair(header:value)[fuzzable]


[The HTTP]

name=post_example&very_tricky_parameter=hi!

Content-type: application/x-www-form-urlencoded

[The HTTP]Content-type: application/x-www-form-urlencoded

name=post_example&very_tricky_parameter=hi!

Same as for URL data: [fuzzable]

[The HTTP]

---Boundary_valueContent-Disposition: form-data; name=”description”

test---Boundary_valueContent-Disposition: form-data; name=”file_content” filename=”test.dat”

\xde\xad\xbe\xef

---Boundary_value

Content-type: multipart/form-data

[The HTTP]



\xde\xad\xbe\xef

---Boundary_value

Content-type: multipart/form-datadata header

[The HTTP]



\xde\xad\xbe\xef

---Boundary_value

Content-type: multipart/form-datadata header[fuzzable]

[The HTTP]



\xde\xad\xbe\xef

---Boundary_value

Content-type: multipart/form-datadata header[fuzzable]

mime parameter

[The HTTP]



\xde\xad\xbe\xef

---Boundary_value


mime parameter[fuzzable]

data header[fuzzable]

[The HTTP]



\xde\xad\xbe\xef

---Boundary_value


plain text value




test---Boundary_valueContent-Disposition: form-data; name=”file_content”; filename=”test.dat”

\xde\xad\xbe\xef

---Boundary_value

[The HTTP]Content-type: multipart/form-data

plain text value[fuzzable]



[The HTTP]



\xde\xad\xbe\xef

---Boundary_value


binary value

plain text value[fuzzable]mime parameter[fuzzable]


[The HTTP]



\xde\xad\xbe\xef

---Boundary_value


binary value[fuzzable]

plain text value[fuzzable]mime parameter[fuzzable]


[The HTTP]POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nAccept: text/html,application/xml\r\n Content-Type: text/html\r\nCookie: id=olololo;TheAnswer=42Content-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n


[The HTTP]

Delimiters

POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nAccept: text/html,application/xml\r\n Content-Type: text/html\r\nCookie: id=olololo;TheAnswer=42Content-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n


[The HTTP]POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nAccept: text/html,application/xml\r\n Content-Type: text/html\r\nCookie: id=olololo;TheAnswer=42Content-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n

Delimiters[fuzzable]


[Fuzzing approaches]

Web Server

Client(Fuzzer)

[Straight fuzzing]

Web Server

Client(Fuzzer)

(FUZZ) HTTP REQUEST

[Straight fuzzing]

Web Server

Client(Fuzzer)

(FUZZ) HTTP REQUEST

HTTP RESPONSE

[Straight fuzzing]

Web Server

(Fuzzer)Client

[Reverse fuzzing]

Web Server

(Fuzzer)Client

HTTP REQUEST

[Reverse fuzzing]

Web Server

(Fuzzer)Client

HTTP REQUEST

(FUZZ) HTTP RESPONSE

[Reverse fuzzing]

Web Server

(Fuzzer)Client

HTTP REQUEST


[Reverse fuzzing]

Difficulties:➢ There is no possibility to check the

client’s health by directly communicating with it

➢ Additional tweaks needed to re-run the client after each request

Web Server

(Fuzzer)

Client(Fuzzer)

HTTPProxy

[Double fuzzing]

Web Server

(Fuzzer)

Client(Fuzzer)

HTTPProxy

[Double fuzzing]

(FUZZ) HTTP REQUEST

Web Server

(Fuzzer)

Client(Fuzzer)

HTTPProxy

(FUZZ) HTTP REQUEST

[Double fuzzing]

[The detection]

➢ Traffic analysis

[The detection]

➢ Traffic analysis➢ Local process monitoring

[The detection]

➢ Traffic analysis➢ Local process monitoring➢ Some heuristics based on responses from

target

[The detection]

➢ Traffic analysis➢ Local process monitoring➢ Some heuristics based on responses from

target○ Comparing with reference response

[The detection]

p.s. still alpha version :-)

[The wuzzer]

[The wuzzer]

Generator

Queue Transmitter Target

Monitor

1.Task

2.Task

Wuzzer Target

4. Statistic

6. ResultsLog

3.REQ

5. RESP

7. Results

[The wuzzer]

Generator


Monitor

1.Task

2.Task

Wuzzer Target

4. Statistic

6. ResultsLog

3.REQ

5. RESP

7. Results

Paid advertisement =)

PyZZUF by @nezlooyhttps://github.com/nezlooy/pyZZUF

https://github.com/nezlooy/pyZZUF

https://github.com/nezlooy/pyZZUF

[The wuzzer]

Generator


Monitor

1.Task

2.Task

Wuzzer Target

4. Statistic

6. ResultsLog

3.REQ

5. RESP

7. Results

[The wuzzer]

Look for the wuzzer updates at

https://www.github.com/osakaaa

https://www.github.com/osakaaa/wuzzer

https://www.github.com/osakaaa/wuzzer

[The examples]

Content-Length: -2➢ An Integer Overflow causes a memory

consumption bug

[The examples]

[The examples]

Content-Length: 601

Crash due to an unhandled exception in strcpy_s

Content-Length: -0Integer Overflow causes Stack Buffer Overflow

[The examples]

Authorization: BasicLogin name > 16kbCauses stack buffer overflow (??)

[The examples]

Accept-language: en-US,,,,<1000>,,,,,ru-RUBuffer Overflow (???)

[The examples]

MS15-034:Range: Bytes: 18-18446744073709551615Integer Overflow

[The examples]

CVE:2014-5289: Long URI in POST request :POST /AAAAAAA….<736>...AAAAAStack Buffer Overflow

[The examples]

[The end]

[confidence] fuzz your way into web server's zoo

Software

http post http

server http1

http post donottouch

http host

web proxies contentfiltering

web servers zoo

texthtml contentlength

fuzzy browser contenttype