Re: [Gnash-dev] Has gnash been fuzzed?


From: Jacek Wielemborek
Subject: Re: [Gnash-dev] Has gnash been fuzzed?
Date: Thu, 19 Nov 2015 19:32:15 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

On 19.11.2015 at 11:25, Sandro Santilli wrote:
> gnash -r2 -

Thanks! I managed to use it with AFL really quickly and already found
one crash:

address@hidden:~/fuzz-results/gnash# ~/bin/cwdump crashwalk.db

(1 of 9) - Hash: 42cf699aa3c84af55b5fa038a3b84dce.42cf699aa3c84af55b5fa038a3b84dce
---CRASH SUMMARY---
Filename: o/master/crashes/id:000006,sig:06,src:000009,op:havoc,rep:8
SHA1: 8d91c84e3729bbf2df58f8ea426e78a6f7247804
Classification: EXPLOITABLE
Hash: 42cf699aa3c84af55b5fa038a3b84dce.42cf699aa3c84af55b5fa038a3b84dce
Command: gtk-gnash -r 2 -
Faulting Frame:
   gnash::SWFMovieDefinition::read_all_swf @ 0x00007ffff7a4c4b7: in /usr/lib/gnash/libgnashcore-0.8.11.so
Disassembly:
Stack Head (8 entries):
   raise                     @ 0x00007ffff3bcf107: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   abort                     @ 0x00007ffff3bd04e8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   None                      @ 0x00007ffff3bc8226: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __assert_fail             @ 0x00007ffff3bc82d2: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   gnash::SWFMovieDefinition @ 0x00007ffff7a4c4b7: in /usr/lib/gnash/libgnashcore-0.8.11.so
   None                      @ 0x00007ffff442d5c0: in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
   start_thread              @ 0x00007ffff3f4b0a4: in /lib/x86_64-linux-gnu/libpthread-2.19.so
   clone                     @ 0x00007ffff3c8006d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
Registers:
rax=0x0000000000000000 rbx=0x00007ffff7fec000 rcx=0x00007ffff3bcf107 rdx=0x0000000000000006
rsi=0x000000000000510c rdi=0x000000000000431f rbp=0x00007ffff3cfed08 rsp=0x00007fffdcbfe6b8
 r8=0x00007fffd80008b0  r9=0xfefefeff092d6364 r10=0x0000000000000008 r11=0x0000000000000202
r12=0x00007ffff7b5baf9 r13=0x00007ffff7b5bca0 r14=0x00005555559424d0 r15=0x00007fffdcbff700
rip=0x00007ffff3bcf107 efl=0x0000000000000202  cs=0x0000000000000033 ss=0x000000000000002b
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
   Description: Possible stack corruption
   Short description: PossibleStackCorruption (7/22)
   Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
---END SUMMARY---
address@hidden:~/fuzz-results/gnash# gtk-gnash -r 2 - < ./o/master/crashes/id:000004*
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4739:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2267:(snd_pcm_open_noupdate) Unknown PCM default
gtk-gnash: ../../../libcore/parser/SWFMovieDefinition.cpp:450: void gnash::SWFMovieDefinition::read_all_swf(): Assertion `startPos <= _swf_end_pos' failed.
Aborted (core dumped)
address@hidden:~/fuzz-results/gnash# base64 ./o/master/crashes/id:000004*
RldTCAAAAAAg2t3y+3t5WHVnd+8=

Here's a Docker file that you can use to reproduce the fuzzing:

FROM d33tah/afl-sid
# Build an AFL-instrumented gnash with afl-sid's aflize helper
RUN aflize gnash
# Install the packages produced by the previous step and fix up their dependencies
RUN dpkg -i ~/pkgs/*
RUN apt-get -f install -y
# Seed corpus: a single small SWF file, decoded from base64 into i/1
RUN mkdir i
RUN echo 'Q1dTCOgwAAB42t06+3tcxXVnd+/ujiTLNopBGK9dUVywKXHMIyU4tixZz41Xd927Akwdul2t7kqLV7vK7l1bDuEZCI+kxkmL8CMGGtq0CSmEQto0bdP3OymtbQxtSELIA1L6F/SHquecmbk7V9qV7H5fv69f9X2enTlz5pwz5zU=' | base64 -d > i/1
# Fuzz gtk-gnash reading the SWF from stdin (-m none: no memory limit)
ENTRYPOINT afl-fuzz-parallel -i i -o o -m none -- gtk-gnash -r 2 -

To use it, save it as Dockerfile and run:

sudo docker build --no-cache=true -t afl-gnash .
sudo docker run -ti afl-gnash

Let me know if you're having any problems - I'm still working on
afl-sid, so there might be some recent bugs.

Cheers,
d3tah
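
An added example, not from this thread or from gnash: a small Python checker that walks an uncompressed SWF header and tag headers with explicit bounds checks instead of assertions, following the public SWF layout (signature, version, UI32 file length, RECT, UI16 frame rate, UI16 frame count, then tag headers). Run on the crash input posted above, it reports a declared file length of 0 and a first tag claiming more bytes than remain, the kind of inconsistency a parser should reject rather than assert on.

```python
import base64
import struct

# The base64 crash input from the mail above (an FWS file, 20 bytes).
CRASH_B64 = "RldTCAAAAAAg2t3y+3t5WHVnd+8="
CRASH_BYTES = base64.b64decode(CRASH_B64)


def parse_swf(data):
    """Return (header dict, tag list, problem list); never raises on bad input."""
    problems = []
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        return None, [], ["not an SWF header"]
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    hdr = {"signature": sig.decode(), "version": version,
           "declared_len": declared_len, "actual_len": len(data)}
    if sig != b"FWS":
        return hdr, [], ["compressed body not handled by this checker"]
    if declared_len != len(data):
        problems.append(f"declared length {declared_len} != actual {len(data)}")
    # RECT: 5-bit Nbits then four Nbits-wide fields, padded to a byte boundary.
    nbits = data[8] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    pos = 8 + rect_bytes + 4  # skip frame rate (2) and frame count (2)
    if pos > len(data):
        problems.append("header RECT/frame fields run past end of file")
        return hdr, [], problems
    end = min(declared_len, len(data))  # trust neither value alone
    tags = []
    while pos + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        start = pos + 2
        if length == 0x3F:  # long form: UI32 length follows
            if start + 4 > len(data):
                problems.append(f"long tag header at {pos} is truncated")
                break
            length = struct.unpack_from("<I", data, start)[0]
            start += 4
        tags.append({"offset": pos, "code": code, "length": length})
        if start > end:
            problems.append(f"tag {code} at {pos} starts past declared end {end}")
            break
        if length > end - start:
            problems.append(f"tag {code} at {pos} claims {length} bytes, "
                            f"only {end - start} remain")
            break
        pos = start + length
        if code == 0:  # End tag
            break
    return hdr, tags, problems
```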
