At the beginning please accept my apologize for a long down-time in last month. our shared hosting had some security issues.

let’s dig into the subject…

If you’re subscriber in DailyDave mailling list, may be you remind 13th August that Nicolas Waisman from Immunity posted a challenge. After that, Me and Shahriyar(Snake) started to try out ourselves. we did some part time examination in 2 days and after that some projects stopped us from continuing!

In this small amount of time, I had some observation of this challenge executable in IDA ,  but decided to pass reversing part to snake and I concentrated on fuzzing section to find possible vulnerabilities!

I’m here to write down what i did, may be shahriyar do it too later.

Executable scheme in IDA Pro was a little confusing,  continuous jmp(s) and using TinyXML library made it a little confusing for newbie reverses such as me! Later it got easier when symbol included version released by nico.

Our main guess at first was that if something is overwriting , a loop is responsible for writing each characters of string into a buffer, so we searched for loops! not all loops, because we leave doing this incompletely!

next chance was to take a look for known/unkown TinyXML bugs! found a known bug in TinyXML bugtraq but it doesn’t trigger! so it was’nt useful either.

My next try was fuzzing! searched for available XML fuzzers and found just fuzzer, untidy ! because i thought regular file fuzzers and bit flipper won’t find bug in this situation!

I have written a simple script to make test cases out of default immunity.xml content with untidy !

import untidy
xmlString = """
<document>
    <entries>
 <book name="Immunity 1"/>
 <book name="Immunity 2"/>
    </entries>
</document>
"""

xf = untidy.xmlFuzzer()
xf.setRepetitions( [3,30,60] )
iter = xf.fuzz( xmlString )
counter = 0
for i in iter:
 ff = open('D:\\untidy-beta2\\untidy\\test-cases\\immunity-'+str(counter)+'.xml', 'w+')
 ff.write(i)
 ff.close()
 counter += 1

 

It made ~100000 test cases for me. it’s good to say I did some minor changes in fuzzer such as changing ‘A’ sequence to ‘H’ and ‘B’ for some triggery and anti A sequence reasons! somehow effective in some cases!

Now what I should do was reading each test cases -> saving each of these test cases content as immunity.xml beside immunity.exe -> running immunity.exe under debugger and detect possible faults!

for this process I did this:

import os
for i in range(1, 100000):
 print '=' * 80
 print 'test case number %d' % i                             
 print '-' * 80
 print 'openning source file'
 fopen = open('D:\\untidy-beta2\\untidy\\test-cases\\immunity-'+str(i)+'.xml', 'r')
 print 'opening target file'
 wopen = open('D:\\immunity\\immunity.xml', 'w')
 print 'writing source to target'
 for line in fopen:
  wopen.write(line)
 wopen.close()
 fopen.close()
 print 'executing immuinity.exe under debugger..'
 
 if os.system('crash.exe immunity.exe 500 ""') != 0:
  log = open('D:\\immunity\\error.log', 'a')
  log.write('error detected @ test case number: ' + i )
  log.close()
 print '=' * 80

I could do it with PyDBG or WinappDBG or anything else too, but It’s exactly what I did! Because it wasn’t successful, I googled for .XML documents, and concatenated a bunch of them as a test case and did the whole stages once more! ~210000 test cases and Unfortunately nothing!

It was my last chance to do tests on Immunity contest. A while later I read winner of the contest in another post at DailyDave mailinglist !

Then it made the idea of improving untidy while I was on a vacation! I”ve read the source code. All of untidy is placed in 2 files, fuzzingFunctions.py and untidy.py . almost half of untidy.py LOCs are about making a XML formatted string to a python list. _getFuzzFunctions() is a function that originally placed in fuzzingFunction.py and append name of enumerated fuzzing function ( that should start with ‘ff’ and then a number, uninterrupted by the way) to a list and then return to caller!

So, all that you need to do to improve untidy is to put your function in fuzzingFunction.py and recieve xmlItem and optionally repetitions and mangle or fuzz items and send them back!

It’s very bad that there is not many xml fuzzer out there, certainly there are many of xml fuzzers in non-public area! I did my improvement, added some function and now it’s working better! even added a function to trigger immunity contest way!

I’m not going to release this improvement now(may be later), but  it’s clear how to do it for everyone interested(have fun)!

though it wasn’t a successful case , but I earned some experiences and that was cool for me , thank nico

P. S. :  We at Snoop Security decided to set up an IRC server for Information Security guys to discuss,  we welcome everyone that is interested in!

server: snoop-security.com

port: 6667

channel: #SnoopSec

Links:

[1] Immunity Challenge: http://lists.immunitysec.com/pipermail/dailydave/2009-August/005849.html

[2] Immunity Challege + Symbols: http://lists.immunitysec.com/pipermail/dailydave/2009-August/005864.html

[3] untidy XML fuzzer: http://untidy.sourceforge.net/

[4] Immunity Challenge Result: http://lists.immunitysec.com/pipermail/dailydave/2009-September/005889.html