antonio-morales / FreeRDP_FUZZ

Apache License 2.0

Hi, I encountered some problems with fuzz... #2

Open purecall opened 4 years ago

purecall commented 4 years ago

Hi, I am a security research enthusiast, thank you for providing the fuzzing_aux.h! I successfully compiled your project from GitHub and started fuzzing. I put your file 'TPKT.bin' in the directory 'afl_in', and your file 'Basic.txt' in 'dictionaries'. The only change is that I don't have 'afl-clang-fast', so I use '-DCMAKE_C_COMPILER=afl-clang'. The fuzzing program ran on a high-performance computer for 2 days, but no crash occurred... I wonder what details I may have overlooked... So I want to ask your opinion, thank you!

antonio-morales commented 4 years ago

Hi @purecall,

have you correctly enabled ASAN and UBSAN? You can check it with nm -an <executable> | grep asan

Please, paste here also your AFL execution command line.

Regards

purecall commented 4 years ago

Hi @antonio-morales, thank you for your help!

The following is my compilation command:

  1. cmake -G "Eclipse CDT4 - Unix Makefiles" -DCHANNEL_URBDRC=ON -DWITH_FFMPEG=ON -DWITH_CUPS=ON -DWITH_PULSE=ON -DWITH_FAAC=ON -DWITH_FAAD2=ON -DWITH_GSM=ON -DWITH_JPEG=ON -DWITH_MBEDTLS=ON -DCMAKE_C_COMPILER=afl-clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address -fno-sanitize-recover=all" DCMAKE_INSTALL_PREFIX=/home/vct/Desktop/fuzzRDP/install -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all" -DCMAKE_BUILD_TYPE=Debug,ASAN,UBSAN -DWITH_SSE2=ON -DMONOLITHIC_BUILD=ON -DBUILD_SHARED_LIBS=OFF .

    BTW, I feel DCMAKE_INSTALL_PREFIX does not play a practical role. I use -DCMAKE_C_COMPILER=afl-clang instead of 'afl-clang-fast'.

  2. cmake --build . -j 4

I also checked ASAN and UBSAN; it looks ok...

➜ FreeRDP_FUZZ-master nm -an ./client/X11/xfreerdp | grep asan
000000000044a880 t _ZN6__asan9FakeStack17AddrIsInFakeStackEm
000000000044a8a0 t _ZNK6__asan20AsanMapUnmapCallback5OnMapEmm

➜ FreeRDP_FUZZ-master nm -an ./client/X11/xfreerdp | grep ubsan
00000000004ec000 t _ZN7ubsan4DiaglsERKNS_14TypeDescriptorE
00000000004ec080 t _ZN7ubsan4DiaglsERKNS_5ValueE

Lastly, my AFL execution command line is the same as yours:

ASAN_OPTIONS=verbosity=3,detect_leaks=0,abort_on_error=1,symbolize=0,debug=true,check_initialization_order=true,detect_stack_use_after_return=true,strict_string_checks=true,detect_invalid_pointer_pairs=2 afl-fuzz -t 1500 -m none -i ./AFL/afl_in/ -o './AFL/afl_out' -x './AFL/dictionaries/Basic.txt' -- ./client/X11/xfreerdp /v:127.0.0.1 /p:whatever /log-level:TRACE /relax-order-checks +glyph-cache +bitmap-cache +menu-anims @@

AFL/afl_in only has one file: TPKT.bin
AFL/dictionaries/ only has one file: Basic.txt

I fuzzed for 3 days, but total paths is only 8, and no crash... I think there may be something wrong.

Thank you for your help! Regards

antonio-morales commented 4 years ago

@purecall There is definitely something wrong with the code.

I guess the fuzzing is getting stuck right at the beginning of the program, and that's why it has only discovered 8 paths.

Please try the following:

Go step by step until execution ends, and tell me what was the last instruction executed.

Regards

purecall commented 4 years ago

Hi, @antonio-morales!

I compiled the code using clang

functions such as: WaitForSingleObject...GetExitCodeThread...and freerdp_free, I think they are all normal...

and the last output is:

[11:52:35:582] [4405:4412] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[11:52:35:582] [4405:4412] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[11:52:35:582] [4405:4412] [ERROR][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex ERRCONNECT_DNS_NAME_NOT_FOUND [0x00020005]
[Thread 0x7fffedcda700 (LWP 4412) exited]
[Inferior 1 (process 4405) exited with code 0203]

And I have another question... After your poc.py starts, should I use the original freerdp program to connect to it, or your FreeRDP_FUZZ build? I guess it is the original freerdp...? I did so, and the program asked me to enter my credentials, so I input my username and password. Then several poc programs ran partly... finally it seems there is no crash...

Regards

prettycock commented 4 years ago

🤘🏼

patacca commented 3 years ago

I think the codebase is missing something, because by default xfreerdp doesn't accept a filename as input from the command line the way you specified. So calling AFL with afl-fuzz [OPTIONS] -- ./client/X11/xfreerdp [XFREERDP_OPTIONS] @@ won't do anything but show the help/usage menu.

In fact, as we can see in the function freerdp_client_settings_parse_command_line_arguments in the file client/common/cmdline.c, there is no code for handling a positional argument. So calling xfreerdp [OPTIONS] filename is not doing anything.
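The point raised in the last two comments, that AFL's @@ is only useful if the target actually opens the path AFL substitutes there, is easiest to see in a small harness. The following is an added example, not code from the FreeRDP_FUZZ repository, from fuzzing_aux.h, or from any commenter: it reads argv[1] as a file (the @@ contract) and feeds the bytes into a toy TPKT parser written here for illustration. The TPKT layout assumed is the RFC 1006 header (version byte 3, reserved byte, 16-bit big-endian total length including the header); the parser is not FreeRDP's own tpkt code, and the sample PDUs are constructed for this example. A target that never reads its input, as with xfreerdp and a bare positional argument, gives the fuzzer no data-dependent paths to discover, whereas this harness exercises the length checks a defender wants to see hold up under mutated input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TPKT_HEADER_LEN 4
#define TPKT_VERSION 3

typedef struct {
    uint8_t version;
    uint16_t length;       /* total PDU length, header included */
    const uint8_t *payload;
    size_t payload_len;
} tpkt_pdu;

/* Toy TPKT header parser (assumed RFC 1006 layout, not FreeRDP's code).
 * Returns 0 on success, a distinct negative code per failure. Every length
 * is checked against the bytes actually present, so a mutated length field
 * can never lead a caller past the end of the buffer. */
int tpkt_parse(const uint8_t *buf, size_t len, tpkt_pdu *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < TPKT_HEADER_LEN)       return -2;   /* truncated header */
    if (buf[0] != TPKT_VERSION)      return -3;   /* not TPKT version 3 */
    uint16_t total = (uint16_t)((buf[2] << 8) | buf[3]);
    if (total < TPKT_HEADER_LEN)     return -4;   /* length smaller than header */
    if (total > len)                 return -5;   /* claims more bytes than we have */
    out->version = buf[0];
    out->length = total;
    out->payload = buf + TPKT_HEADER_LEN;
    out->payload_len = (size_t)total - TPKT_HEADER_LEN;
    return 0;
}

/* Convenience wrapper returning only the parse result code. */
int tpkt_rc(const uint8_t *buf, size_t len)
{
    tpkt_pdu pdu;
    return tpkt_parse(buf, len, &pdu);
}

/* Count consecutive well-formed PDUs in a buffer; stops at the first bad one.
 * tpkt_parse guarantees length >= 4, so the offset always advances. */
size_t tpkt_count_pdus(const uint8_t *buf, size_t len)
{
    size_t off = 0, n = 0;
    tpkt_pdu pdu;
    while (off < len && tpkt_parse(buf + off, len - off, &pdu) == 0) {
        off += pdu.length;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not captured from any real RDP session). */
/* TPKT length 11 wrapping an X.224 connection-request TPDU. */
const uint8_t sample_ok[]       = {0x03, 0x00, 0x00, 0x0b, 0x06, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Two PDUs back to back: the one above plus a header-only PDU of length 4. */
const uint8_t sample_two[]      = {0x03, 0x00, 0x00, 0x0b, 0x06, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00,
                                   0x03, 0x00, 0x00, 0x04};
const uint8_t sample_short[]    = {0x03, 0x00, 0x00};             /* 3 bytes, no full header */
const uint8_t sample_badver[]   = {0x02, 0x00, 0x00, 0x04};       /* wrong version byte */
const uint8_t sample_overlong[] = {0x03, 0x00, 0xff, 0xff, 0x00}; /* claims 65535 bytes */

/* Slurp a whole file: this is the step that makes AFL's @@ meaningful. */
static int read_file(const char *path, uint8_t **out, size_t *out_len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    uint8_t *buf = NULL, tmp[4096];
    size_t cap = 0, len = 0, n;
    while ((n = fread(tmp, 1, sizeof tmp, f)) > 0) {
        if (len + n > cap) {
            cap = (cap ? cap * 2 : 8192);
            if (cap < len + n) cap = len + n;
            uint8_t *nb = realloc(buf, cap);
            if (nb == NULL) { free(buf); fclose(f); return -1; }
            buf = nb;
        }
        memcpy(buf + len, tmp, n);
        len += n;
    }
    fclose(f);
    *out = buf;
    *out_len = len;
    return 0;
}

/* Harness entry point: afl-fuzz replaces @@ with a path, which arrives as argv[1]. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pdu-file>\n", argv[0]); return 2; }
    uint8_t *data = NULL;
    size_t len = 0;
    if (read_file(argv[1], &data, &len) != 0) { perror(argv[1]); return 1; }
    size_t n = tpkt_count_pdus(data, len);
    printf("%zu TPKT PDU(s) parsed from %zu bytes\n", n, len);
    free(data);
    return 0;
}
```

Built with afl-clang (or afl-clang-fast) plus the same -fsanitize=address,undefined flags used above, this harness can be handed the existing TPKT.bin seed with afl-fuzz -i afl_in -o afl_out -- ./harness @@; because the bytes are consumed before anything else happens, the path count grows with the input rather than stalling on startup logic.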