Re: [Full-disclosure] Fuzzing Microsoft Office


On 11/07/06, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:
On Tue, 11 Jul 2006 13:52:49 BST, Disco Jonny said:

Out of curiosity, how do you determine conclusively that they're in fact
different crashes, rather than just different symptoms of the same problem?

by using a controlled environment and setting appropriate weights.
But yes, it is not an easy task, but one i am quite close to

and by mapping the file headers/format (yeah this can be done with
input validation too) - this is why i am only working with paragraphs
and bulletpoints / numbered lists at the moment. :) - smaller
applications succumb a lot quicker, maybe you could to the whole app
in one go with them...

There are a few tricks that i dont want to go into here - maybe after
i have got it nailed down then I will.

For instance, a bounds check on string A that trashes memory - can manifest
as almost *anything*, as it depends on what the *next* thing in memory is, and
when/how it gets dereferenced. This is particularly an issue when it's heap
corruption. If the previous sentence had 2 bold strings, then thing B on
the heap gets splatted, causing one crash, but if there's an italic string,
then it's C that gets trashed, causing a different manifestation.

Ah yes, but this is not how i test. I dont just attach a debugger and
off i go. I actually map the process path, vars and how they are
used. every file i launch i know what it should be doing, i then
compare this against a map of what it has already done. (im not sure
if this is making sense - its quite hard to explain without giving it
all away ;) using this method you can also find race conditions, heap
overflows, integer overflows, etc (i have only found a handful of bugs
where the bug ittself causes the eip to be overwritten.) the bugs i
tend to find are much more subtle.

so just to say again, I am not just checking for exceptions. I see
every file run as more information that i can get, and i grab it all.
(the only diff between white box and black box is information.)

the main trouble is not if the next sentience contains "A quick brown
fox" then next time it contains "But the fox was quick" - thats just a
retarded way to test. the issue is when the last program loaded was
firefox, then this word file. - i have no elegant solution for
this... yet... i got some good ideas, but we shall see.

It's still the same bug with A though.

yeah, and it is a lot more obvious a lot earlier on (if you map a
program, rather than just look for exceptions). just cause 2 bugs
have an exception on the same instruction with the same value does not
mean that they are the same.
(one could get its null from DS:EAX + 8 (which == 00000000) then go
into a function with eax as 00000000, where as another might wipe out
EAX with something else, then go into the same function. - two
different bugs, with exactly the same results.

this works in reverse too.

i hope this helps a little... erm, i guess i could try to explain it
better if you want?



Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages

  • When is bare except: justified?
    ... unexpected exceptions, this technique could be seen as hiding a bug ... bugs, and fix them. ... .load() loads new data from a disk file, ... something goes wrong (IOError is probably the wrong class here, ...
  • Re: Thread Pre-Emption Question . . .
    ... Specific bugs: ... handler to catch it and it will be very difficult to construct to fail ... that do not raise exceptions on failure so their return codes must be ... this could allow a reader and writer to access the data concurrently. ...
  • Re: How to get crash dump when a unhandled CException is thrown by a MFC app
    ... Java uses exceptions for both "normal" error ... handling and for reporting programming errors including assertions. ... crash dump, though. ... caused by bugs and "legitimate" exceptions (ones caused not but bugs ...
  • Re: NullPointerException, IllegalArgumentException, or AssertionError for null constructor argument
    ... Contrast to exceptions, that expose such a mismatch in the domain of data correctness or environmental conditions. ... Assertions turn crash bugs into logged, analyzable crash bugs, and they do it before you go into production. ...
  • Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
    ... When you look into the heap and stack overrun the first obstacle to ... translation in order to exploit the bugs (therefore these are PoCs ... If the exploiter managed to execute code on default ... Hosted and sponsored by Secunia - ...