Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Announcing cross_fuzz, a potential 0-day in circulation, and more
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 1 Jan 2011 02:02:09 -0800

Hi list,

== SUMMARY ==

I am happy to announce the availability of cross_fuzz - an amazingly
effective but notoriously annoying cross-document DOM binding fuzzer that
helped identify about one hundred bugs in all browsers on the market - many
of said bugs exploitable - and is still finding more.

The fuzzer owes some of its efficiency to dynamically generating extremely
long-winding sequences of DOM operations across multiple documents,
inspecting returned objects, recursing into them, and creating circular node
references that stress-test garbage collection algorithms. More info about
the exact algorithm used is given here:

http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

The design of the fuzzer makes it unexpectedly difficult to get clean,
deterministic repros; to that effect, in the current versions of all the
affected browsers, we are still seeing a collection of elusive problems when
running the tool - and some not-so-elusive ones. I believe that at this
point, a broader community involvement may be instrumental to tracking down
and resolving these bugs.

*** I also believe that at least one of the vulnerabilities discovered by
cross_fuzz may be known to third parties - which makes getting this tool
out a priority. ***

== VENDOR RESPONSE / STATUS ==

* Internet Explorer: MSRC notified in July 2010. Fuzzer observed to trigger
  several exploitable crashes - e.g.:

  http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt

  ...ad well as some security-relevant GDI corruption issues.

  *** Reproducible, exploitable faults still present in current versions of
  the browser. I have reasons to believe that one of these vulnerabilities
  is known to third parties: http://goo.gl/7tcWh ***

  Comment: Vendor has acknowledged receiving the report in July (case
  10205jr), but has not contacted me again until my final ping in December.
  Following that contact attempt, they were able to quickly reproduce
  multiple exploitable crashes, and asked for the release of this tool to be
  postponed indefinitely. Since they have not provided an explanation as
  to why these issues could not be investigated earlier, I refused;
  more info here:

  http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt

* All WebKit browsers: WebKit project notified in July 2010. About two dozen
  crashes identified and addressed in bug 42959 and related efforts by
  several volunteers. Relevant patches generally released with attribution
  in security bulletins. Some extremely hard-to-debug memory corruption
  problems still occurring on trunk.

* Firefox: Mozilla notified in July 2010. Around 10 crashes addressed in bug
  581539, with attribution in security bulletins where appropriate. Fuzzing
  approach subsequently rolled into Jesse Ruderman's fuzzing infrastructure
  under bug 594645 in September; from that point on, about fifty additional
  bugs identified (generally with no specific attribution at patch time).
  Several tricky crashes still occurring on trunk.

  Note: Flash-related (npswf32.dll) bad read/write offset crashes are also
  common if the plugin is installed.

* Opera: vendor notified in July 2010. Update provided in December stated
  that Opera 11 fixes all the frequent crashes, and that a proper security
  advisory will be released at a later date. Release notes state: "Fixed a
  high severity issue; details will be disclosed at a later date". Several
  hard-to-debug crashes reportedly still waiting to be resolved.

  Note that with Opera, the fuzzer needs to be restarted frequently due
  to OOM conditions.

== DEMO / DOWNLOAD URL ==

Please see:
http://lcamtuf.coredump.cx/cross_fuzz/

== MISC NOTES ==

Cross_fuzz can be easily extended to fuzz any DOM-enabled documents
or browser plugins simply by providing new target documents. This may
be an interesting area for future research.

I believe that releasing the tool at this point is considerably more prudent
than the approach taken with ref_fuzz in 2008-2010:

  http://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html

For updates, you can actually follow me on Twitter (gasp):

  http://twitter.com/lcamtuf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Announcing cross_fuzz, a potential 0-day in circulation, and more Michal Zalewski (Jan 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault