Finding The .webp Vulnerability in 8s (Fuzzing with AFL++)

  • added 30. 07. 2024
  • A guide on how to do fuzzing with AFL++ in an attempt to rediscover the libwebp vulnerability CVE-2023-4863 that was used to hack iPhones.
    Want to learn hacking? Signup to hextree.io (ad)
    Buy my shitty font: shop.liveoverflow.com/ (ad)
    Watch webp Part 1: • A Vulnerability to Hac...
    Sudo Vulnerability Series: • Sudo Vulnerability Wal...
    Docker Video: • How Docker Works - Int...
    OSS-Fuzz: github.com/google/oss-fuzz
    OSS-Fuzz libwebp coverage: storage.googleapis.com/oss-fu...
    AFLplusplus: github.com/AFLplusplus/AFLplu...
    vanhauser's blog: www.srlabs.de/blog-post/advan...
    vanhauser/thc on twitter: / hackerschoice
    AFLpluslus Persistent Mode: github.com/AFLplusplus/AFLplu...
    Grab the code: github.com/LiveOverflow/webp-...
    =[ ❤️ Support ]=
    Find out how you can support LiveOverflow: liveoverflow.com/support/
    =[ 🐕 Social ]=
    → 2nd Channel: / liveunderflow
    → Twitter: / liveoverflow
    → Streaming: twitch.tvLiveOverflow/
    → TikTok: / liveoverflow_
    → Instagram: / liveoverflow
    → Blog: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow
    Chapters:
    00:00 - Intro
    00:36 - How to Learn About Fuzzing?
    02:36 - Setting Up Fuzzing With AFL++
    04:53 - My Docker Workflow for Fuzzing
    06:35 - AFL++ Different Coverage Strategies
    09:50 - Start the libwebp Fuzzing Campaign
    11:58 - Adjusting the Fuzzer
    13:45 - Why Don't We Find a Crash?
    15:49 - Fuzzing with AFL++ Persistent Mode
    19:47 - Persistent Mode Fuzzing Results
    20:46 - Finding the Vulnerability in 8s

Comments • 101

  • @PwnySlaystation01 · 6 months ago · +190

    Kind of a side note, but I really hate how many relatively important discussions happen on Discord these days instead of forums... They aren't indexed/searchable by search engines or archived by archive services, so they're just gone forever.

    • @LiveOverflow · 6 months ago · +72

      fully agree :(

    • @huzaifamuhammad8044 · 6 months ago · +11

      Yeah, you raised an important point. But how do we correct such a trend? I mean, how do we keep discussions in forums instead of Discord servers?
      Really, great things are being discussed over there in different Discord servers but end up being only for the members participating in the servers.

    • @PwnySlaystation01 · 6 months ago

      @@huzaifamuhammad8044 I don't know if there's any way to fix it. It's kinda like IRC was back in the day. People want limited, non-public communities.... Also, several companies moved their support forums to Discord which is even worse... Then every time you're looking for a solution to a technical problem, you can't find it and have to join some discord, then ask a question which has probably been asked/answered a bunch of times already.
      Maybe Discord should be pressured to index/archive conversations and make them searchable? Maybe as an option for server owners? I don't know

    • @SandWire · 6 months ago · +10

      Discord bot reposting every message from channel to forum?

    • @PwnySlaystation01 · 6 months ago · +9

      @@SandWire Not a bad idea for individual servers/channels. I remember I wrote a little bot to do essentially the same thing on IRC back in the day. That was back in like... 1998-1999 maybe, and those conversations are still online!

  • @InfiniteQuest86 · 6 months ago · +57

    This was a good overview, but the second approach shows why it's always super important to make the small changes needed in example programs to use afl-clang-fast. You could have done a months worth of your current approach in a day with the speedup. It's going to be very difficult to ever find something at 100 execs/sec.

    • @LiveOverflow · 6 months ago · +24

      The second approach was fuzzing one function directly, the first one was fuzzing the full binary. So you cannot really compare the two, very different scopes :)

    • @InfiniteQuest86 · 6 months ago · +29

      @@LiveOverflow I understand that, but your response indicates that you are missing the relevant point. You can do the same thing as in the second one by modifying dwebp. I guarantee similar speed. The scope of dwebp isn't much more than a few function calls. It was fast due to persistent mode, not because it was smaller.
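
The thread above is about where the speedup comes from: persistent mode, i.e. looping over testcases inside one process instead of forking and re-executing per input. What follows is an added example written for this page, not code from the video or from the LiveOverflow webp repository: an AFL++ persistent-mode harness in the shape the thread describes. The `__AFL_*` macros are the ones AFL++ defines when you compile with afl-clang-fast or afl-clang-lto; the `#ifndef` block supplies fallback definitions adapted from AFL++'s persistent-mode README so the same file also builds with plain gcc/clang and then reads one testcase from stdin. The function under test is a constructed stand-in, a bounds-checked parser of the RIFF/WebP container header, not a libwebp function, and the sample inputs are constructed for the example; in the video the wrapped function would be the libwebp Huffman-table routine instead.

```c
/* Added example for this page, not the video's or the libwebp project's code.
 * AFL++ persistent-mode harness around a stand-in target. The __AFL_* macros
 * are AFL++'s; the fallback definitions below are adapted from AFL++'s
 * README.persistent_mode so the file also builds with plain gcc/clang, in
 * which case one testcase is read from stdin and the loop runs once. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024000];
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void)
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

/* Outcome codes of the stand-in target, as ints so a test can assert on them. */
enum webp_kind { WEBP_BAD = -1, WEBP_VP8 = 0, WEBP_VP8L = 1, WEBP_VP8X = 2, WEBP_OTHER = 3 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for the function under test (constructed for this example, not
 * libwebp code): validates the RIFF/WebP container header and the first
 * chunk header with explicit bounds checks, and reports which chunk leads.
 * Layout: "RIFF" | u32 LE riff_size | "WEBP" | FourCC | u32 LE chunk_size | payload. */
int parse_webp_container(const uint8_t *buf, size_t len) {
    if (len < 20) return WEBP_BAD;                            /* 12-byte RIFF header + 8-byte chunk header */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0) return WEBP_BAD;
    uint32_t riff_size = rd_le32(buf + 4);                    /* byte count after this field */
    if (riff_size < 12 || (size_t)riff_size + 8 > len) return WEBP_BAD;  /* claims more than we have */
    uint32_t chunk_size = rd_le32(buf + 16);
    if ((size_t)chunk_size > len - 20) return WEBP_BAD;       /* payload must fit the buffer */
    if (memcmp(buf + 12, "VP8 ", 4) == 0) return WEBP_VP8;
    if (memcmp(buf + 12, "VP8L", 4) == 0) return WEBP_VP8L;
    if (memcmp(buf + 12, "VP8X", 4) == 0) return WEBP_VP8X;
    return WEBP_OTHER;
}

/* Thin wrapper: the single call each fuzz iteration makes. Keeping the
 * target behind one function is what lets you swap in a different entry
 * point (a Huffman-table builder, a full decoder) without touching main(). */
int fuzz_one(const uint8_t *buf, size_t len) {
    return parse_webp_container(buf, len);
}

/* Constructed sample inputs (not real image files): a minimal valid VP8L
 * container with an empty chunk, and one whose chunk size overruns the buffer. */
const uint8_t SAMPLE_VP8L[20] = {
    'R','I','F','F', 12,0,0,0, 'W','E','B','P', 'V','P','8','L', 0,0,0,0 };
const uint8_t SAMPLE_OVERRUN_CHUNK[20] = {
    'R','I','F','F', 12,0,0,0, 'W','E','B','P', 'V','P','8','L', 0xFF,0xFF,0xFF,0xFF };

int main(void) {
    __AFL_INIT();                                   /* fork server starts here; one-time setup goes above this line */
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;   /* shared-memory testcase; take the pointer after __AFL_INIT */
    while (__AFL_LOOP(10000)) {                     /* 10000 iterations per process, then AFL++ respawns it */
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
        if (len < 20) continue;                     /* too short to reach the parser; still counts as an iteration */
        (void)fuzz_one(buf, len);                   /* a crash here is what afl-fuzz records */
    }
    return 0;
}
```

Build it with `afl-clang-fast -o harness harness.c` and run `afl-fuzz -i in -o out -- ./harness`. Because the process never execs again and the testcase arrives through shared memory, the per-iteration cost is the parse alone, which is the speedup the thread is about; fuzzing dwebp's full decode path through the same loop shape gets the same benefit. The `if (len < 20) continue;` pre-filter is the documented way to skip inputs that cannot reach the interesting code without leaving the loop.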

  • @GodBreathed77 · 5 months ago · +3

    Hey just wanted to say you were a huge part of my early IT career that kept me intrigued and wanting to keep pushing my understanding to the limit. You are awesome. Still wish you would have done some in-depth C courses at some point but I know they are everywhere

  • @devchannel5232 · 6 months ago

    Your content and your channel are brilliant! As always, an absolutely awesome video!

  • @realcmplx · 6 months ago · +4

    love to see that you are still wearing the ccc entrance band 😄 was nice meeting you there!

  • @hamzahajjaj4106 · 6 months ago · +3

    thank you for your crystal clear explanation

  • @teogorqui7061 · 6 months ago

    excellent video and well explained as always🙏👏👏👏

  • @sanderbos4243 · 6 months ago

    I love your fuzzing videos!

  • @maxnix9256 · 6 months ago · +12

    Very good video.
    When you try to subscribe to the hextree updates and do not mark the "I accept and read the privacy policy" there is no feedback for not checking the checkbox. Only in the developer tools I was able to see my mistake.

  • @tomtravis858 · 6 months ago · +2

    love you man

  • @norodix6857 · 6 months ago

    This was great!

  • @SIGSEGV200 · 6 months ago

    Only I know how much I have waited for this video to be released

  • @doenerstag8789 · 8 days ago · +1

    A CrowdStrike disaster deep dive would be a nice comeback video. Just saying 😜

  • @damejelyas · 4 months ago

    Rocks as always

  • @TheFinalByte · 6 months ago · +2

    Curious how oss fuzz is doing stuff at their scale and budget. Finding target functions for individual fuzzing like the Huffman table function, while at the same time having input that maps cleanly back into the source input file

  • @teogorqui7061 · 6 months ago · +3

    I WANT A POC OF .webp Image to run “whoami” !!! 😂😂

  • @Aristoranggaa · 5 months ago

    a really good video, I am also making content with CTF bro. Thank you for your knowledge

  • @timvw01 · 6 months ago

    Cool stuff

  • @rahulramteke3338 · 6 months ago

    Nice video

  • @user-yg2my9cc9w · 2 months ago

    amazing. deep respect from South korea, man

  • @Shocker99 · 1 month ago · +2

    Where is Mr Live Of?
    Has a letter agency taken him out as he was just about to reveal their under cover operation?

  • @noobishgamer995 · 5 months ago

    I wish you did more Minecraft stuff. That was fun and kinda why I subbed to you xD ... I mean either way your videos are great!

  • @diobrando7642 · 6 months ago

    What happens if you use qsym/hybrid fuzzing techniques? I read the paper (well, most part) about it and it claims *speed*

  • @varunchowdarym · 5 months ago · +3

    Bruh, are you alive? Waiting for your video on something for about a month now.

  • @bytemaiden · 6 months ago

    great video. still wearing your congress wristband i see :)

  • @oj0024 · 6 months ago · +5

    Is this what they call unit fuzzing?

  • @jbritain · 6 months ago

    It's always nice to see a pocke level that's more conventional, because they do them so well, as much as their experimental stuff is impressive, I was never a massive fan of it.

  • @shaisarfaty · 5 months ago

    So would you say that the PoC file that causes the crash actually is a valid format? No malformed sizes, no malformed data, but the processing of the data tables will cause a representation that will later cause a corruption in the decoder of libwebp?

  • @Umbreedon · 6 months ago · +2

    epic

  • @frosk. · 5 months ago

    at minute 21:04 there is a mistake in the graphics. it should be 520>500 and not 520>410, which was the input value from before

  • @shaisarfaty · 5 months ago

    I wonder if this could be fully reproduced with AFLgo? As AFLgo can take a diff of 2 checkouts and fuzz directed at it... I wonder if this would have reproduced this complex bug... I know it's "de facto" and not actually finding the issue... still interesting...

  • @huzaifamuhammad8044 · 6 months ago · +2

    Can you share the discord server that you found about AFL fuzzing?

  • @d4vid8959 · 6 months ago · +1

    At 21:04 there probably should be 500 instead of 410.
    But thanks for the great video.

  • @MygenteTV · 6 months ago

    I have been watching your content for almost 10 years now. I really love it, but I have to be honest: every time I watch any of your videos I feel really dumb because, unlike most YouTubers, your craft is just way too high level. I really like what you can do with this tool and it is something I would like to learn how to use since I'm in the cybersecurity field. Would you mind dumbing things down a little? Like making a tutorial on this tool, like how to properly set it up, then picking a random program to test it on?

  • @ZelenoJabko · 7 days ago

    Hans, where are you? We miss you. Come back.

  • @almatsumalmaadi8103 · 6 months ago

    Please Help!!!!
    Are new Macs with the new M series Apple chips good for binary exploitation, Android and Windows pentesting? Because I heard that you have to do workarounds to run things like Kali Linux, and also some essential tools are not designed to work on these new-architecture M chips.

    • @LiveOverflow · 6 months ago · +1

      it's good if you want to do mac (arm) exploitation. obviously not so great when you want to learn linux (x86) exploitation. in this case I also did the fuzzing setup on mac, but the actual fuzzing I did on a linux x86 server.

    • @tho9464 · 6 months ago · +1

      @@LiveOverflow Can you share more insights on this? It seems you had used docker container on your Mac M1 machine or did you use a cloud linux server and launched your container there?
      I think there are not many good resources for aspiring vulnerability researchers out there on what is a good setup for binary research for Linux binaries if your base is Macbook M chips.
      Also, another question - do you think using a cloud service like AWS with a high performance EC2 Instance would speed up the fuzzing process given that it has more cores / RAM available than running on your local linux computer?

  • @tg7943 · 6 months ago

    Push!

  • @D1ndo · 5 months ago

    How does AFL++ compare to libfuzzer from the llvm project? Could be a nice video.

  • @longshin4299 · 6 months ago · +5

    Vanhauser-thc is the author of the hydra tool?

    • @adhikara13 · 6 months ago · +1

      Yes the one and only

    • @ourcer · 6 months ago

      He's the author of AFL++ too, basically

  • @threeMetreJim · 6 days ago

    That's interesting. I guess you'd have to read the webp spec to see how the image data translates into building those tables, then go from there. It might require so many combinations of data that doing it naively would end up as hard as finding a hash collision or brute-force decrypting.
    On another note, and it's a long shot, does anyone know a utility that can load a thread binary image so that it can be 'debugged'? It's something I do not want to run freely, and it is obfuscated so it needs to run only as far as the obfuscation is removed, then be dumped, and then terminated. I was thinking the bare minimum that loads the thread but throws an error before it runs for a debugger to catch. That way it would never run without the debugger ready to catch it. Extremely simple, but I cannot program in C, C++, C#, etc., and can only do a small amount of Python so far. The thread needs whatever Windows has ready for it on the stack in normal operation (0x18 bytes' worth it looks like from the disassembly); there is no input from the original hosting program.

  • @leapbtw · 6 months ago · +1

    funny to see you're using your Minecraft server to also do this stuff lol

  • @AGamersWork · 6 months ago

    Noice

  • @1.4142 · 1 month ago · +4

    unaliveoverflow

  • @cesaraugustomarcelinodossa5138 · 6 months ago · +1

    In the end, fuzzing is a supporting tool, but it cannot test things for developers "magically".
    So at this point, there needs to be some knowledge and experience on how (and what) to fuzz, just like pentesting

  • @0x3v4d3r · 6 months ago · +10

    Hope to one day reach this level

  • @jasonvaf1 · 6 months ago · +3

    Question for the greater cyber sec community. How applicable is binary fuzzing to your work? This is something that I really want to get into but seems like it is far from applicable in my work so far.

    • @LiveOverflow · 6 months ago · +4

      I do security audits of mostly web applications. Once in a while you get clients with CGI .c or other embedded tools and server stuff. So it's not common. But I want to be able to also do good work in those cases ;)

    • @ourcer · 6 months ago

      There are plenty of ways to fuzz a binary target. You can statically instrument it, or fuzz it without instrumentation with a tool such as Radamsa

    • @motbus3 · 4 months ago · +1

      I had situations where memory corruption caused a major problem which we supposed should not happen.
      After investigating with tombstone logs and fuzzing we found that there was a race condition caused by a defective driver

  • @zanidd · 5 months ago

    guess I missed you at the CCC

  • @squid13579 · 5 months ago · +2

    afl++ is way harder than we think 😑😓

  • @Kolor-kode · 6 months ago · +1

    tmux would have been a better option than screen.

  • @simplydebby2530 · 5 months ago · +1

    Overflow?

  • @ujjwalaggarwal7065 · 3 months ago · +2

    next video whennnnnn!!!!!!!!!!!!!!!

    • @20cmusic · 2 months ago

      He quit

    • @black_crest · 2 months ago · +4

      ​@@20cmusic Did he say that explicitly?

  • @roeesi-personal · 3 months ago

    1:45AM HUFO here: Fuzzing is dumb, the moral should not be "duplicate your code to make it more secure", and the way they found the vuln was reading the code and understanding that an attacker's input can reach the function where an assumption about it would be incorrect.

  • @fadiallo1 · 11 days ago

    You Can Be Turkey Pro.

  • @Reelix · 6 months ago

    Here's a challenge - Create a distributed fuzzing client.
    One person fuzzing for 100 days? Naa.
    100 people fuzzing for 1 day? Way easier.
    10,000 people fuzzing for awhile? Should find SOMETHING :p

  • @Jankoekepannekoek · 6 months ago

    My theory of how they found it: formal methods.

    • @shaisarfaty · 5 months ago

      like what ? share more details ?

    • @Jankoekepannekoek · 5 months ago

      @@shaisarfaty Formalise the logic of the program in interactive theorem provers like Isabelle or Coq.

  • @FalcoGer · 6 months ago

    @22:50 are you quite sane? Avoiding code duplication improves readability and maintainability. Why would you copy the same code into 5 different functions, just to make fuzzing easier?

    • @LiveOverflow · 6 months ago

      You don’t have to copy the complete logic. Just create a wrapper function for each color's huffman table.

  • @shaisarfaty · 4 months ago

    After doing a deep investigation of the code and what you have fuzzed, your choice of fuzzing that API is useless. This doesn't give any understanding of the relation between your crash and the original data that comes from the file; the data transformation is what you have fuzzed, and to get the needed data to put in a file requires finding what de-transformation is needed in order to put it back into a file.

  • @DM-qm5sc · 11 days ago

    I heard this guy got thrown in jail for saying something against the rules in Germany

  • @YuraSuper2048 · 6 months ago · +6

    cute

    • @ERazzor · 6 months ago · +9

      It's cool to live in the world where one can watch 25 minutes video in 0 seconds

    • @AGamersWork · 6 months ago

      @@ERazzor Nah thon just got struck by a bolt of lightning and thus was able to take in 25 min worth of info in 0.001 mins

  • @Kalakar_Team_X · 5 months ago

    Please make a video PUBG lite 0.27.0 32bit vtable hooking please

  • @waldolemmer · 6 months ago · +4

    I'm two and a half minutes in and I still don't know what fuzzing is

    • @highlights973 · 6 months ago · +1

      It's just a process of doing random stuff to the application to see if it crashes or does some weird things it was not intended to, with the aim of analysing what causes the crash so that you can weaponize that and attack the application. That is how I understand it, hopefully it helps

    • @davishall · 6 months ago

      Think of it as just brute forcing unexpected inputs and detecting unexpected behavior.

    • @kennichdendenn · 6 months ago

      That's why he referred to another video explaining the basics.

  • @netbin · 6 months ago

    nowadays with ChatGPT YouTube bloggers are becoming useless kek