Target In the AFL in the view of the Apache httpd server's crash logs, I found a lot of problems. For example, some crash testing with example in fuzz testing tools internal collapse, but also affect the test program stability. In this article, I will talk to you to explain the test case to crash, and tell you how I discovered these vulnerabilities. Test cases From Wikipedia the collected test cases Bash-fu Taos Valgrind for triage Valgrind + gdb rr These are just my use of AFL when the software is used in the test case, and I also did not use very complex test cases, coverage is not high. In order to be able to design can cover all the Apache httpd Server common installation scenarios of the test cases, I came up with a very simple method from Wikipedia, the Header list crawling all of the Header of the method. Bash-fu Tao 1 I the first thing to do is the page in the“Request Fields”tab the two tables copied and pasted into a text file, the editor whatever you choose, as long as your editor will not TAB tab characters replaced with spaces on the line, otherwise the cut command will fail. ! I will this text named“wiki-http-headers”, and then run the following command to select the table in the third column of the operation, remember the cut command, the default delimiter is a TAB: the
cat wiki-http-headers | cut-f3 | grep ":" | sed "s#Example....## g" | sort-u We can see, some of the Header has been found, for example, TSVheader it. We can now ignore these disappeared from the Header, and then continued our fuzzy test, because the test cases coverage is not what I need right now considering the issue. In fact, in our test scenario, as long as the selected targeted test cases. Bash-fu Tao 2 Next, we need to enumerate each individual Header, and then through an iterative manner by row to create a test case. There may be some very like to use Bash users already know this step should be how to operate, if you are a newbie then you can use the following commands to complete this step task:
a=0 && IFS=$'\n' && for header in $(cat wiki-http-headers | cut-f3 | grep ":" | sort-u); do echo-e "GET / HTTP/1.0\r\n$header\r\n\r\n" > "testcase$a. req";a=$(($a+1)); done && unset IFS I need to explain, here are a called the internal field delimiter IFS of things, it is an environment variable, which stores the Bash for field division of the token. Bash in the default Internal field separator is the space character, tabs, and Line breaks. When faced with a space character, the delimiter will affect the Header, because we need in Bash to iterate fields in a table, so we need the internal field separator is set to newline. Now, we can iterate the data in the table domain, and then each Header a separate output to different files. Bash-fu Tao video The following is the test case creation process: ! Blur test Now that we have created out a lot of test cases, many of the basic test cases, now we can start to introduce the penetration testing portion of the content. This part of the operation is still relatively simple, roughly divided into the following several step: 1. Download apr, apr-utils, and nghttpd2, the pcre-8 and the Apache httpd 2.4.25; and 2. Install the following dependent components: a) sudo apt install pkg-config b) sudo apt install libssl-dev 3. Fix Apache httpd; and 4. With the right environment variables and installation paths to be compiled; and After installing the above, these dependent components and configure the Apache server, we'll be ready to start the Apache httpd fuzzy test. You can from the following this demo video to see, we only need to test the cases for small improvements it is possible to quickly cause the program to appear to crash: ! Note that in this demo video I have a little cheat a hand, because I have imported the one I'm sure can quickly lead to a program crash test. In the detection process, I used honggfuzz, the radamsa and the AFL to. The program crashes Important thing in the first place. When we get a can lead to program crashes of test cases, we have to determine the test cases of false positives. Test case look at the following demo video: ! Well...it seems like this test case is not very good, what happened? To solve the problem We need to test the following a few factors... First of all, our penetration test is in the persistent mode Persistent Mode under: This also means that our test cases indeed let the program crash, but a valid test case number. In our testing process, the__AFL_LOOP variable value is set to greater than 9000（to be honest, this value is too large. This value is the AFL in to restart the entire process required prior to running the iterative fuzzy test of times. So in the end, the AFL found the test cases will be in the worst environment to be run. For example: the first 8999 times the use of the test cases did not cause the program to crash, and the first 9000 times the input caused the program to crash. The second factor to consider is the AFL report reliability: In General, lead to results of poor reliability may be due to the code using a random value, or the date function, or is the use of uninitialized memory. The third point is assigned to our fuzzy test process of the memory size: In our test environment, since we use the“-m none”parameter, so the available memory is infinite, but in other cases it will be possible to cause a stack overflow or access the Unallocated memory space. In order to test our first hypothesis, we also need more test cases. The demo video below: ! Now we turn our attention to the second hypothesis.