stephenfewer / grinder

Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes.
BSD 3-Clause "New" or "Revised" License

Excessive Read/Write Access Violations #14

Closed silentviper closed 11 years ago

silentviper commented 11 years ago

I have a grinder server running on an Ubuntu server box and 2 nodes that are actively running njuda all the time, one in a VM on a Hackintosh and another native Win8 machine. The VM has generated 1 crash which was a buffer overflow, and the native machine has generated over 1000 read and write access violations with only 12ish hashes. I can't get the test cases to reproduce the AV crashes, so it seems this may be a permissions problem, but I haven't modified any permissions. Are there any permissions I should change/verify?

stephenfewer commented 11 years ago

Do you mean the generated testcase HTML file won't generate the crash, or do you mean you can't generate the HTML testcase file at all?

If you can generate a testcase but it won't trigger the bug, this is typically down to the fuzzer not logging correctly. There have been a few other bug reports of logging issues with the njuda fuzzer; perhaps if you ping the author he may be able to shed some light on this.

silentviper commented 11 years ago

Thanks Stephen for the response, I will contact njuda's author and ask for help. I guess I was mostly concerned with how many of these AVs I was getting. I'm already up to around 3000; it seems they are almost all created after the fuzzer fails to delete a log.

stephenfewer commented 11 years ago

The log files are failing to be created also? What browser version are you fuzzing? Does the crash happen almost as soon as the browser process is created?

If no log files are being created (hence grinder node failing to delete them), then this is probably a grinder bug and not a njuda bug.

If a grinder node fails to properly hook the target browser it can cause the browser to crash. For example, I just updated the hooking for the latest Firefox a few days ago to fix an issue like this. Perhaps make sure you have the latest grinder source.

silentviper commented 11 years ago

It will connect and run for a while, and it does create the logs; it just seems to fail to delete them. The log file directory has a rather extensive amount of log files. I'm fuzzing Chrome 29.0.1547.57 m. I believe I was on the second to last commit but just updated to the latest grinder anyway. I'll check back and let you know if it stops happening (for the moment it seems to be running fine, maybe it was a matter of my node folder becoming corrupted in some way). Thanks for the reply.

Here's a rather typical example of the lead-up to an AV.

[+D+] Starting at 2013-08-30 15:29:14
[-D-] Found an instance of chrome.exe already running, killing...
[+D+] Starting at 2013-08-30 15:29:14
[+D+] Using the symbol path 'SRV*C:\symbols\*http://msdl.microsoft.com/download/symbols;SRV*C:\symbols\*http://chromium-browser-symsrv.commondatastorage.googleapis.com'
[+D+] Running 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
[+D+] Attached debugger to new process 948
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
[+D+] Logger DLL loaded into process 948 @ 0x71B30000
[+D+] Logging process 948 to log file 'C:\Users\SilentViper\AppData\Local\Temp\Low\logger_948.xml'
[+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
[+D+] Resolved chrome.dll!v8::internal::Runtime_StringParseFloat @ 0x688FDD9B
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x03E30000
[+D+] Attached debugger to new process 4068
[+D+] chrome.dll DLL loaded into process 4068 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 4068, grinder_logger.dll not injected.
[+D+] Logger DLL loaded into process 4068 @ 0x71B30000
[+D+] Logging process 4068 to log file 'C:\Users\SilentViper\AppData\Local\Temp\Low\logger_4068.xml'
[+D+] chrome.dll DLL loaded into process 4068 at address 0x68100000
[+D+] Resolved chrome.dll!v8::internal::Runtime_StringParseFloat @ 0x688FDD9B
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x032F0000
[+D+] Attached debugger to new process 2964
[+D+] chrome.dll DLL loaded into process 2964 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 2964, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 2964 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 2964, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 2964 at address 0x68100000
[-D-] Unable to hook JavaScript parseFloat() in process 2964, grinder_logger.dll not injected.
[+D+] Logger DLL loaded into process 2964 @ 0x71B30000
[+D+] Logging process 2964 to log file 'C:\Users\SilentViper\AppData\Local\Temp\Low\logger_2964.xml'
[+D+] chrome.dll DLL loaded into process 2964 at address 0x68100000
[+D+] Resolved chrome.dll!v8::internal::Runtime_StringParseFloat @ 0x688FDD9B
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x037D0000
[!D!] Warning, unable to delete the temporary logging file 'C:\Users\SilentViper\AppData\Local\Temp\Low\logger_2964.xml'. Please manually delete it.
[*D*]
[*D*] Caught a Write Access Violation in CM process 2964 at 2013-08-30 15:29:24 with a crash hash of REDACTED.WITHHELD
[*D*] Posted crash to '192.168.1.4/grinder/status.php'
[*D*]
[+D+] Finished at 2013-08-30 15:29:54

demi6od commented 11 years ago

I got a similar problem. It always worked well for Chrome in the past, but when I updated Chrome today to version 29.0.1547.66 m, grinder can't hook the JavaScript parseFloat(). Then when the fuzzer got a crash, it only generated the .crash file without the related .log file.

[+G+] Starting at 2013-09-04 16:32:40
[+G+] Using the config file 'config'...
[+G+] Bringing up Grinder node 'Chrome'...
[+G+] Started the Grinder continue process 656
[+S+] Starting at 2013-09-04 16:32:40
[+S+] Adding fuzzer 'ChromeFuzzer' to the testcase server
[+S+] Testcase server running on 127.0.0.1:8001
[+G+] Started the Grinder server process 936
[+G+] Started the Grinder debugger process 2940
[+D+] Starting at 2013-09-04 16:32:42
[-D-] Found an instance of chrome.exe already running, killing...
[+G+] Started the Grinder debugger process 3776
[+D+] Starting at 2013-09-04 16:32:43
[+D+] Using the symbol path 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols;SRV*C:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.com'
[+D+] Running 'C:\Program Files\Google\Chrome\Application\chrome.exe'
[+D+] Attached debugger to new process 3840
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to hook JavaScript parseFloat() in process 3840, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to hook JavaScript parseFloat() in process 3840, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to hook JavaScript parseFloat() in process 3840, grinder_logger.dll not injected.
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to hook JavaScript parseFloat() in process 3840, grinder_logger.dll not injected.
[+D+] Logger DLL loaded into process 3840 @ 0x74D00000
[+D+] Logging process 3840 to log file 'C:\Users\nsf\AppData\Local\Temp\Low\logger_3840.xml'
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
[+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
[-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat

demi6od commented 11 years ago

System: Windows 7 SP1

stephenfewer commented 11 years ago

Hi, I just tested the following Chrome setup and logging worked as expected.

Browser: Chrome 29.0.1547.66 m
OS: Win7 SP1
Ruby: 1.9.3p392 (2013-02-22) [i386-mingw32]
Grinder: Latest source from GitHub trunk

The only reason I can think why it might fail for you is if grinder failed to download the chrome.dll PDB symbols. Can you verify you have the latest chrome.pdb in your local symbol store?

demi6od commented 11 years ago

Hi, you got the point. The symbol files failed to auto update with the new chrome version. It works when I delete the old symbol file of chrome.dll and let it auto download the PDB again. Thanks a lot.
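The two console dumps in this thread show three distinct failure modes that all end up as rows in the crash database: the parseFloat() hook never landing (which, as Stephen notes above, can itself crash the browser), Runtime_StringParseFloat failing to resolve because the local chrome.pdb is stale, and a logger_*.xml that could not be deleted before the next crash was posted. Below is an added Ruby script, written for this issue and not part of Grinder, that parses a pasted node log and reports those conditions per Chrome process, so crashes that arrived without a working hook or logger can be set aside before anyone tries to reproduce them. The message wording and the [+D+]/[-D-]/[!D!]/[*D*] prefixes are taken from the pastes above; the regexes, the finding names and the sample log (condensed and constructed from those pastes, with made-up paths and crash hashes) are my own assumptions.

```ruby
# Added example for this thread; not Grinder's own code. Parses a pasted Grinder
# node console log and flags, per debugged process, the failure modes discussed
# in the issue. Message formats are copied from the pastes; the regexes and the
# finding names are assumptions about that format, not a project API.

TAG_RE = /\[[+\-!*][A-Z][+\-!*]\]/   # e.g. [+D+], [-D-], [!D!], [*D*]

# Pastes in the issue have every message run together on one line, so split on
# the tag that starts each message rather than on newlines.
def split_messages(blob)
  blob.split(/(?=#{TAG_RE.source})/).map(&:strip).reject(&:empty?)
end

def new_entry
  { hook_failures: 0, unresolved_symbols: 0, hooked: false,
    logger_injected: false, log_file: nil, log_delete_failed: false, crash: nil }
end

# Collect, per process id, what the node managed to do before any crash.
def parse_node_log(blob)
  procs = Hash.new { |h, pid| h[pid] = new_entry }
  current = nil
  split_messages(blob).each do |msg|
    # "Unable to resolved ..." names no pid, so remember the last one seen.
    current = $1.to_i if msg =~ /process (\d+)/
    case msg
    when /Attached debugger to new process (\d+)/
      procs[$1.to_i] # create the entry even if nothing else is ever logged
    when /Unable to hook JavaScript parseFloat\(\) in process (\d+)/
      procs[$1.to_i][:hook_failures] += 1
    when /Unable to resolved? chrome\.dll!v8::internal::Runtime_StringParseFloat/
      procs[current][:unresolved_symbols] += 1 if current
    when /Logging process (\d+) to log file '([^']+)'/
      pid, path = $1.to_i, $2
      procs[pid][:logger_injected] = true
      procs[pid][:log_file] = path
    when /Hooked JavaScript parseFloat\(\) to grinder_logger\.dll/
      procs[current][:hooked] = true if current
    when /unable to delete the temporary logging file '([^']+)'/
      path = $1
      stale = procs.values.find { |e| e[:log_file] == path }
      stale[:log_delete_failed] = true if stale
    when /Caught a (.+?) in \w+ process (\d+) at (.+?) with a crash hash of (\S+)/
      procs[$2.to_i][:crash] = { type: $1, time: $3, hash: $4 }
    end
  end
  procs
end

# Map the facts for one process onto the explanations offered in the thread.
def findings(entry)
  f = []
  f << :symbols_unresolved if entry[:unresolved_symbols] > 0 # stale chrome.pdb
  f << :log_delete_failed  if entry[:log_delete_failed]      # leftover logger_*.xml
  if entry[:crash]
    f << :crash_without_log  unless entry[:logger_injected]  # .crash but no .log
    f << :crash_without_hook unless entry[:hooked]           # hook, not testcase, suspect
  end
  f
end

def triage(blob)
  parse_node_log(blob).map { |pid, e| [pid, findings(e)] }.to_h
end

# Crashes to re-check before filing: no working hook, or nothing to reproduce from.
def suspicious_crashes(blob)
  triage(blob).select { |_, f| (f & [:crash_without_hook, :crash_without_log]).any? }.keys
end

# Constructed sample, condensed from the two pastes in this issue; paths and
# crash hashes are made up.
SAMPLE_LOG = <<~'LOG'
  [+D+] Attached debugger to new process 948
  [+D+] chrome.dll DLL loaded into process 948 at address 0x68100000
  [-D-] Unable to hook JavaScript parseFloat() in process 948, grinder_logger.dll not injected.
  [+D+] Logger DLL loaded into process 948 @ 0x71B30000
  [+D+] Logging process 948 to log file 'C:\Users\node\AppData\Local\Temp\Low\logger_948.xml'
  [+D+] Resolved chrome.dll!v8::internal::Runtime_StringParseFloat @ 0x688FDD9B
  [+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x03E30000
  [+D+] Attached debugger to new process 2964
  [+D+] Logger DLL loaded into process 2964 @ 0x71B30000
  [+D+] Logging process 2964 to log file 'C:\Users\node\AppData\Local\Temp\Low\logger_2964.xml'
  [+D+] Resolved chrome.dll!v8::internal::Runtime_StringParseFloat @ 0x688FDD9B
  [+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x037D0000
  [!D!] Warning, unable to delete the temporary logging file 'C:\Users\node\AppData\Local\Temp\Low\logger_2964.xml'. Please manually delete it.
  [*D*] [*D*] Caught a Write Access Violation in CM process 2964 at 2013-08-30 15:29:24 with a crash hash of EXAMPLE0.EXAMPLE1
  [+D+] Attached debugger to new process 3840
  [+D+] Logger DLL loaded into process 3840 @ 0x74D00000
  [+D+] Logging process 3840 to log file 'C:\Users\node\AppData\Local\Temp\Low\logger_3840.xml'
  [+D+] chrome.dll DLL loaded into process 3840 at address 0x5DE70000
  [-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
  [-D-] Unable to resolved chrome.dll!v8::internal::Runtime_StringParseFloat
  [*D*] Caught a Read Access Violation in CM process 3840 at 2013-09-04 16:33:01 with a crash hash of EXAMPLE2.EXAMPLE3
LOG

if __FILE__ == $0
  triage(SAMPLE_LOG).each { |pid, f| puts "#{pid}: #{f.empty? ? 'ok' : f.join(', ')}" }
  puts "re-check before filing: #{suspicious_crashes(SAMPLE_LOG).inspect}"
end
```

On the sample, process 948 comes out clean (the hook retried once and then landed), 2964 is a genuine-looking crash with a leftover logger_2964.xml, and 3840 is flagged both for unresolved symbols and for crashing without the hook ever landing, which is exactly the stale-chrome.pdb case demi6od hit. Pointing the script at a real node log instead of SAMPLE_LOG is a one-line change.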

silentviper commented 11 years ago

Updating the symbol files didn't fix the repetitive failures to delete logger_WXYZ.xml in my case; it did minimize hooking problems, though I'm still getting a few. I'm still thinking this might be some weird permissions issue, but I'm far more versed in *nix based systems so I'm no Windows expert. Can I modify some of the ruby files or use hidden args to be more verbose with the errors?