Bug 413380 (fuzz-JSFF): [meta] JSFF, a javascript file fuzzer
Status: Closed, RESOLVED FIXED
Opened 17 years ago; Closed 4 years ago
Categories: Core :: Fuzzing, defect
People: Reporter: pvnick, Assigned: pvnick
References: Blocks 1 open bug
Keywords: meta, sec-other; Whiteboard: [sg:nse meta]
Attachments: 2 files, 7 obsolete files
Description
I attached a simple javascript-based file fuzzer. It uses the following ways of fuzzing files:
- Moves a block of data to another area of val, deleting the old block instance
- Copies a block of data to another area of original val, leaving old instance
- Overwrites data in original val with a block of code in val
- Inserts a random-sized block of the same character into a random position of val
- Inserts a random-sized block of garbage into a random position of val
- Inserts a random-sized block of the same character into a random position of val, overwriting old data
- Inserts a random-sized block of garbage into a random position of val, overwriting old data

Getting started:
1. Place the files you want to fuzz into the templates folder. Every iteration, a file will be chosen at random from this folder to be fuzzed.
2. Edit ff.htm and change fuzzFolderPath to an existing folder where the testcases will be placed and templateFolderPath to the path of the template folder. It is important that these paths end in a slash.
3. If the files that are being fuzzed are not images, change the displayFile function to reflect loading procedures for your filetype.
4. Load ff.htm

Note: The file fuzzer must be loaded locally to work. The file fuzzer will place all testcases in a unique folder within the fuzz directory. It will loop until a crash is found and the browser dies. To generate unlimited crashes, just have ff.htm load in an infinite loop.
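The seven mutation operators listed in the description, as an added example written for this page rather than JSFF's own source (which is in the attachments, not shown here). Assumptions of this example: file contents are held as a Uint8Array named val, block sizes are capped at MAX_BLOCK bytes, and a seeded PRNG (mulberry32) is used so a testcase can be regenerated from (seed, rounds) and not only from the saved file; all function and operator names are this example's own.

```javascript
// Added example, not JSFF's code: the seven mutation operators from the bug
// description, over a Uint8Array `val` (the file contents). Assumed here:
// a MAX_BLOCK cap on block sizes and a seeded mulberry32 PRNG so that a
// crashing testcase can be rebuilt from (seed, rounds). Names are ours.

const MAX_BLOCK = 64;

function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;   // [0, 1)
  };
}

// Random integer in [lo, hi).
function randInt(rng, lo, hi) { return lo + Math.floor(rng() * (hi - lo)); }

function randomBytes(rng, n) {
  const b = new Uint8Array(n);
  for (let i = 0; i < n; i++) b[i] = randInt(rng, 0, 256);
  return b;
}

// Random length in [1, MAX_BLOCK] and a start so that [start, start+len) fits in val.
function randomBlock(rng, val) {
  const len = randInt(rng, 1, Math.min(MAX_BLOCK, val.length) + 1);
  return { start: randInt(rng, 0, val.length - len + 1), len };
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Insert `block` at a random position of val (val is not modified).
function insertAt(val, block, rng) {
  const pos = randInt(rng, 0, val.length + 1);
  return concat(val.subarray(0, pos), block, val.subarray(pos));
}

// Overwrite a copy of val at a random position with `block`, clipped at the end.
function overwriteAt(val, block, rng) {
  const out = val.slice();
  const pos = randInt(rng, 0, val.length);
  out.set(block.subarray(0, val.length - pos), pos);
  return out;
}

const operators = {
  moveBlock(val, rng) {          // move a block elsewhere, deleting the old instance
    const { start, len } = randomBlock(rng, val);
    const block = val.slice(start, start + len);
    return insertAt(concat(val.subarray(0, start), val.subarray(start + len)), block, rng);
  },
  copyBlock(val, rng) {          // copy a block elsewhere, leaving the old instance
    const { start, len } = randomBlock(rng, val);
    return insertAt(val, val.slice(start, start + len), rng);
  },
  overwriteWithBlock(val, rng) { // overwrite data with a block taken from val itself
    const { start, len } = randomBlock(rng, val);
    return overwriteAt(val, val.slice(start, start + len), rng);
  },
  insertRun(val, rng) {          // insert a run of one repeated byte
    return insertAt(val, new Uint8Array(randInt(rng, 1, MAX_BLOCK + 1)).fill(randInt(rng, 0, 256)), rng);
  },
  insertGarbage(val, rng) {      // insert random garbage
    return insertAt(val, randomBytes(rng, randInt(rng, 1, MAX_BLOCK + 1)), rng);
  },
  overwriteRun(val, rng) {       // overwrite old data with a run of one repeated byte
    return overwriteAt(val, new Uint8Array(randInt(rng, 1, MAX_BLOCK + 1)).fill(randInt(rng, 0, 256)), rng);
  },
  overwriteGarbage(val, rng) {   // overwrite old data with random garbage
    return overwriteAt(val, randomBytes(rng, randInt(rng, 1, MAX_BLOCK + 1)), rng);
  },
};

// Apply `rounds` randomly chosen operators to a copy of val. The returned trace
// of operator names, together with the seed, is enough to regenerate the output.
function fuzzContents(val, seed, rounds) {
  const rng = mulberry32(seed);
  const names = Object.keys(operators);
  let out = Uint8Array.from(val);
  const trace = [];
  for (let i = 0; i < rounds; i++) {
    const name = names[randInt(rng, 0, names.length)];
    trace.push(name);
    out = operators[name](out, rng);
  }
  return { data: out, trace };
}
```

In the loop the description sketches, each iteration would read a random template into val, call fuzzContents with a fresh seed, and write the result into the per-run testcase folder; recording the seed alongside the file is what lets a crash be reproduced when the browser dies before the file is fully written.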
Comment 1•17 years ago
I actually copied the fuzzing method descriptions from the comments in the fuzzer, so "val" refers to the parameter supplied to the function (the file contents). Just thought I'd clear that up.
Comment 2•17 years ago
Paul, thanks for that, it seems a really useful tool. Maybe this is something you find handy, I have some code that can handle the files in the same place as where the current file is downloaded in. It's clumsy code, but I find it convenient (no need to have files/directories at a specific place).

    var activedir = window.location.href;
    activedir=activedir.substr(0,activedir.lastIndexOf('/')+1).substr(8).replace(/\%20/g,' ');
    //linux does it differently
    if (navigator.platform.toLowerCase().indexOf('linux')>=0)
      activedir = '/'+activedir;
    else {
      activedir=activedir.replace(/\//g,'\\');
    }
    activedir = activedir.replace('%7B', '{');
    activedir = activedir.replace('%7D', '}');
    var dirsep = '\\';
    if (navigator.platform.toLowerCase().indexOf('linux')>=0)
      dirsep = '/';

And then change this:

    var templateFolderPath = activedir + dirsep + "templates" + dirsep;
    var fuzzFolderPath = activedir + dirsep + "fuzz" + dirsep;

(btw, I just filed bug 413931, a similar crash as bug 413373, I first thought I found it with your tool, but I actually already had it stored on your computer)
Comment 3•17 years ago
(In reply to comment #2)
> (btw, I just filed bug 413931, a similar crash as bug 413373, I first thought I
> found it with your tool, but I actually already had it stored on your computer)

But I just found the same crash with your file fuzzer, so that's good news!
Comment 4•17 years ago
I added some code to try and fuzz certificates, I found bug 414003 with it. If you're interested, I can attach the code, but it is really hacky, and the certificate code is annoying, because it keeps popping up alert dialogs (which I don't know how to avoid).

Btw, I think you had this:

    var fPath = "file://" + filePath.replace(/\\/,"/");

I added a g modifier after the regexp, to replace it globally, which I think is more correct.
Comment 5•17 years ago
Here's a new version. Martijn, can you add your updates to this?

Changes:
- added template cache so you can run several instances of the fuzzer at once
- fixed a bug in the operation selection
- added delete random data
- added Martijn's active directory code
- fixed regexp bug

Attachment #298316 - Attachment is obsolete: true
Comment 6•17 years ago
Btw, I changed the pause variable to half a second for something I was doing and forgot to change it back.
Comment 7•17 years ago
I added this code in a not really orderly way. You might find some parts of it useful (or not).
Comment 8•17 years ago
- Fixed some bugs
- Added some of Martijn's code for some file extensions
- Most extensions are now supported
- New JAR archive display technique crawls the archive and displays a random file source

Attachment #299349 - Attachment is obsolete: true
Comment 9•17 years ago
Comment on attachment 299526 [details]
mutated form of jsff
Code segments included in 1.2. I didn't use printpdf, but it doesn't look like you were having much luck with it either
Attachment #299526 - Attachment is obsolete: true
Comment 10•17 years ago
No, indeed, printpdf doesn't really find anything in this case.
Comment 11•17 years ago
Thanks for including my code. That new version didn't work for me. I had to change this line:

    activedir = activedir.substr(0,activedir.lastIndexOf('/')+1).substr(8).replace(/\%20/g,'');

into this:

    activedir = activedir.substr(0,activedir.lastIndexOf('/')+1).substr(8).replace(/\%20/g,' ');

and then it worked nicely.
Comment 12•16 years ago
This adds zip reading capability. It found a testcase for bug 422118 really quickly (once I fixed a stupid mistake).
Comment 13•16 years ago
I was using Martijn's zip-reading code, but I commented it out and replaced it with code that works for jar and zip. It opens as many files in the top directory as it can fit in a bunch of frames. The code is very slow, but it catches the bug that Martijn filed, and it should catch file-decompressing bugs, which it hasn't yet :) Also added the ability to retest a file that crashes. Just do ff.htm#location_of_testcase. Btw, does anybody have any ideas for more file extensions?
Attachment #300794 - Attachment is obsolete: true
Attachment #308646 - Attachment is obsolete: true
Comment 14•16 years ago
(In reply to John Daggett from bug 453225)
> Paul, do you just need javascript code to fixup the checksums? If so, I can
> probably write that for you, the code is relatively simple as long as the data
> provided is unstructured, i.e. just a sequence of bytes:
>
> function fixupFontChecksums(fontBytes) {
>
> }
>
> What exactly is the type of the return value of readContents? An array?
>
> Do you have a quick example of how your fuzzer works?
>
> I think fuzzing randomly may catch some errors but fuzzing within particular
> font tables will probably provide more interesting results, especially for
> tables that contain data which we use a lot, metrics info for example.

Everything just uses javascript variables. I read the files like this:

    var bytes = bstream.readBytes(bstream.available());

then unintelligently fuzz and save it. If you could write the code to fix the font checksums, I would appreciate it.
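Comment 14 asks for a fixupFontChecksums(fontBytes) that takes a plain sequence of bytes. The following is an added example written for this page; it is neither JSFF's code nor the checksum code John Daggett later contributed (which is not on the page). It assumes the standard sfnt layout of a TrueType/OpenType file (12-byte header with numTables at offset 4, then 16-byte table records of tag, checkSum, offset, length), recomputes every table checksum the way the sfnt format defines it, and sets the head table's checkSumAdjustment so the whole-file sum comes out to 0xB1B0AFBA. Because the input is fuzzed, records whose offset or length point outside the file are skipped rather than trusted. The helper names and the constructed two-table sample font are this example's own.

```javascript
// Added example (not JSFF's code, nor John Daggett's): recompute sfnt table
// checksums and the `head` checkSumAdjustment of a mutated TrueType/OpenType
// file, so the fuzzed font is judged on its content rather than a stale
// checksum. Assumed layout: 12-byte header, numTables at offset 4, then
// 16-byte table records (tag, checkSum, offset, length). Names are ours.

function readU32(b, off) {
  return ((b[off] << 24) | (b[off + 1] << 16) | (b[off + 2] << 8) | b[off + 3]) >>> 0;
}
function writeU32(b, off, v) {
  b[off] = v >>> 24; b[off + 1] = (v >>> 16) & 0xff; b[off + 2] = (v >>> 8) & 0xff; b[off + 3] = v & 0xff;
}
function tagAt(b, off) { return String.fromCharCode(b[off], b[off + 1], b[off + 2], b[off + 3]); }

// sfnt checksum: sum of big-endian uint32 words, zero-padded to 4 bytes, mod 2^32.
function sfntChecksum(bytes, off, len) {
  let sum = 0;
  const end = off + len;
  for (let i = off; i < end; i += 4) {
    let w = 0;
    for (let k = 0; k < 4; k++) w = (w << 8) | (i + k < end ? bytes[i + k] : 0);
    sum = (sum + (w >>> 0)) >>> 0;
  }
  return sum;
}

// Call fn(tag, recordOffset, tableOffset, length) for every table record that
// lies fully inside the file; a fuzzed directory can point anywhere, so the
// rest are left alone instead of read out of bounds.
function forEachTable(b, fn) {
  const numTables = (b[4] << 8) | b[5];
  for (let i = 0; i < numTables; i++) {
    const rec = 12 + 16 * i;
    if (rec + 16 > b.length) break;
    const off = readU32(b, rec + 8), len = readU32(b, rec + 12);
    if (off + len > b.length) continue;
    fn(tagAt(b, rec), rec, off, len);
  }
}

// Takes any array-like of byte values, returns a fixed-up Uint8Array copy.
function fixupFontChecksums(fontBytes) {
  const b = Uint8Array.from(fontBytes);
  let headOff = -1;
  forEachTable(b, (tag, rec, off, len) => {
    // head's own checksum is defined with checkSumAdjustment (offset 8) zeroed.
    if (tag === 'head' && len >= 12) { headOff = off; writeU32(b, off + 8, 0); }
    writeU32(b, rec + 4, sfntChecksum(b, off, len));
  });
  // checkSumAdjustment makes the whole-file checksum equal 0xB1B0AFBA
  // (exact when the head table sits on a 4-byte boundary, as real fonts do).
  if (headOff >= 0) writeU32(b, headOff + 8, (0xB1B0AFBA - sfntChecksum(b, 0, b.length)) >>> 0);
  return b;
}

// True when every in-range table checksum and the whole-file adjustment verify.
function verifyFontChecksums(b) {
  let ok = true;
  forEachTable(b, (tag, rec, off, len) => {
    let expected;
    if (tag === 'head' && len >= 12) {
      const t = b.slice(off, off + len); writeU32(t, 8, 0); expected = sfntChecksum(t, 0, len);
    } else expected = sfntChecksum(b, off, len);
    if (readU32(b, rec + 4) !== expected) ok = false;
  });
  return ok && sfntChecksum(b, 0, b.length) === 0xB1B0AFBA;
}

// Constructed sample: a two-table sfnt (head + cmap, filler bytes, zero checksums).
function buildSampleFont() {
  const f = new Uint8Array(108);
  f.set([0, 1, 0, 0, 0, 2]);                  // version 1.0, numTables = 2
  f.set([0x68, 0x65, 0x61, 0x64], 12);        // 'head'
  writeU32(f, 20, 44); writeU32(f, 24, 54);   // head at 44, 54 bytes
  f.set([0x63, 0x6d, 0x61, 0x70], 28);        // 'cmap'
  writeU32(f, 36, 100); writeU32(f, 40, 6);   // cmap at 100, 6 bytes
  for (let i = 44; i < 106; i++) f[i] = (i * 37) & 0xff;
  return f;
}
```

Running fixupFontChecksums on the output of fuzzContents (before saving the testcase) is the step that turns random byte mutation into something the font parser will actually read past its directory; mutating inside a chosen table, as the quoted comment suggests, is then a matter of picking the record by tag and restricting the mutation to [offset, offset+length).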
Comment 15•15 years ago
Here's the file fuzzer rewritten to intelligently fuzz font files. Right now, the font fuzzer only works with Windows and requires ttx. If anyone is interested in helping me port this to non-Windows (shouldn't be too hard) please let me know. Thanks to John Daggett for his checksum recalculation code.

Attachment #312849 - Attachment is obsolete: true
Comment 16•15 years ago
Here's a list of some of the other changes I made since the last version:
- Fixed an iteration bug in fuzzContents
- Fixed the way files are displayed to make it faster and more reliable
- Added ogg support
- Started implementing a way to allow bypassing file access security checks (incomplete)
Comment 17•15 years ago
Does the same thing faster, except needs more work for testcase handling. Copied from bug 486221.
Comment 18•15 years ago
Fixed the way that random data block sizes are determined
Attachment #364454 - Attachment is obsolete: true
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Component: Tracking → Platform Fuzzing Team
Updated•4 years ago
Alias: fuzz-JSFF
Comment 19•4 years ago
No activity for 11 years, closing
Updated•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Updated•4 years ago
Summary: JSFF, a javascript file fuzzer → [meta] JSFF, a javascript file fuzzer
Updated•4 years ago
Group: core-security-release