ref

• https://cve.report/CVE-2023-1312
• https://huntr.dev/bounties/2a64a32d-b1cc-4def-91da-18040d59f356/

배경

• github 내의 Reflected 환경에서의 Cross-site Scripting 취약점 발견
• 해당 취약점은 pimcore v10.5.19 이하 버전에서 발견

분석

• pimcore는 Application Logger 모듈 검색할 때 From 및 To 필드에서 Reflected XSS에 취약
• 테스트
  • https://demo.pimcore.fun/admin/ 접속
  • Tools → Application Logger
  • Search 란에 Payload 아래 Payload 입력

"><img src=x onerror=alert(document.domain);>

패치 방법

• 업데이트
  • v10.5.19 보다 높은 버전으로 업데이트 진행 필요

안녕하세요. crattack입니다.

제가 가볍게 취약점 분석을 하려고 준비하고 있는 것 중에 하나를 공유하려고 합니다.

1. 목적

많은 CVE가 나오고 있습니다. 그 중에 어떤 것들을 봐야할지 어떤 것들이 중요한지를 분류하기란 쉽지 않습니다.

따라서, 저는 앞으로 T(Today)-1 기준으로 다음의 분류 항목에 맞게 CVE와 CVE URL을 제공하려고 합니다.

관심 있는 분들은 이 곳에서 참고하시어 연구하시는데 도움이 되셨으면 합니다.

2. 공유 양식

[Date] [분류 (Remote Attack, SQL Injection, XSS, Command Injection, Github, Docker, 등등)] [CVE No.] [CVE URL]

추가적인 정보를 원하시면 의견을 주세요.

3. 마치며

앞으로 더 좋은 것들을 공유 하도록 노력 하겠습니다.

감사합니다.

추천 환경

• All steps have been tested on 64-bit Ubuntu 16.04.

p2im - gitclone

git clone [<https://github.com/RiS3-Lab/p2im.git>](<https://github.com/RiS3-Lab/p2im.git>)
git submodule update --init
git submodule update --remote

GNU Arm Embedded Toolcahin

• x86 → ARM 환경에서 실행되는 바이너리

wget <https://developer.arm.com/-/media/Files/downloads/gnu-rm/10.3-2021.10/gcc-arm-none-eabi-10.3-2021.10-x86_64-linux.tar.bz2?rev=78196d3461ba4c9089a67b5f33edf82a&hash=D484B37FF37D6FC3597EBE2877FB666A41D5253B>
tar xjf *.tar.bz2
PATH=$PATH:/home/parallels/tmp/gcc-arm-none-eabi-10.3-2021.10/bin
echo $PATH

AFL

babyhack@ubuntu:~/tmp/p2im/afl$ make
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-gcc.c -o afl-gcc -ldl
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $i; done
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-fuzz.c -o afl-fuzz -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-showmap.c -o afl-showmap -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-tmin.c -o afl-tmin -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-gotcpu.c -o afl-gotcpu -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-analyze.c -o afl-analyze -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" afl-as.c -o afl-as -ldl
ln -sf afl-as as
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" test-instr.c -o test-instr -ldl
echo 0 | ./afl-showmap -m none -q -o .test-instr0 -- ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 -- ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! Be sure to review README - it\\'s pretty short and useful.

babyhack@ubuntu:~/tmp/p2im$ make -C afl/
make: Entering directory '/home/babyhack/tmp/p2im/afl'
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\\"/usr/local/lib/afl\\" -DDOC_PATH=\\"/usr/local/share/doc/afl\\" -DBIN_PATH=\\"/usr/local/bin\\" -DVERSION=\\"2.06b\\" test-instr.c -o test-instr -ldl
echo 0 | ./afl-showmap -m none -q -o .test-instr0 -- ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 -- ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! Be sure to review README - it's pretty short and useful.
NOTE: If you can read this, your terminal probably uses white background.
This will make the UI hard to read. See docs/status_screen.txt for advice.
make: Leaving directory '/home/babyhack/tmp/p2im/afl'

Docker Install

sudo apt install docker.io
sudo usermod -aG docker $USER
cd ~tmp/p2im/qemu
WORK_FOLDER_PATH=`pwd`/src ./build_scripts/build-qemu.sh --deb64 --no-strip
babyhack@ubuntu:~/tmp/p2im/qemu$ WORK_FOLDER_PATH=`pwd`/src ./build_scripts/build-qemu.sh --deb64 --no-strip

Using "/home/babyhack/tmp/p2im/qemu/src" as Work folder...
Helper script: "/home/babyhack/tmp/p2im/qemu/src/scripts/build-helper.sh".
Script "./build_scripts/build-qemu.sh" started at Wed Jan 18 06:45:50 PST 2023.

Running on Ubuntu 64-bits.

Checking host curl...
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3

Checking host git...
git version 2.7.4

Checking Docker...
Docker version 18.09.7, build 2d0083d

Checking host automake...

Firmware preparation

• p2im-real_firmware

git clone <https://github.com/RiS3-Lab/p2im-real_firmware.git>

seed 파일 복사

WORKING_DIR=~/tmp/p2im/fuzzing/Drone/5/
mkdir -p ${WORKING_DIR}
cd ${WORKING_DIR}
cp -r ~/tmp/p2im/fuzzing/templates/seeds/ ${WORKING_DIR}/inputs

config 수정

#  P2IM - fuzzing configuration template
#  ------------------------------------------------------

#  Copyright (C) 2018-2020 RiS3 Lab

#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at:

#    <http://www.apache.org/licenses/LICENSE-2.0>

# Please change configurations that are enclosed in "< >".
# Please use absolute path in this file.

[DEFAULT] # used only by fuzz.py
#  is the path of root directory of P2IM git repo
base        = /home/babyhack/tmp/p2im  ## 수정해야함. fuzzer 프로그램 경로
#  can be arbitrary string you want. It doesn't need to be the firmware binary name
program     = Drone ### 타켓 프로그램명 및 디렉토리 이름
# Each firmware may be fuzzed multiple times. So it's better to number each fuzzer run
run         = 5
# working directory of fuzzing
working_dir = %(base)s/fuzzing/%(program)s/%(run)s

[afl] # used only by fuzz.py
bin         = %(base)s/afl/afl-fuzz
timeout     = 150+
input       = %(working_dir)s/inputs
output      = %(working_dir)s/outputs

[cov] # used only by cov.py
#count_hang  = False
count_hang  = True
bbl_cov_read_sz = 20000000
# 1 second
timeout     = 1

[qemu]
bin         = %(base)s/qemu/precompiled_bin/qemu-system-gnuarmeclipse
log         = unimp,guest_errors,int
#log         = unimp,guest_errors,exec,int -D qemu.log

[program]
# the board/mcu supported by QEMU is listed as comments below
#board       = 
#mcu         = 

#board       = STM32F429I-Discovery
#mcu         = STM32F429ZI
board       = NUCLEO-F103RB   # 타켓 board와 mcu 선택 (주석 제거)
mcu         = STM32F103RB     #
#board       = Arduino-Due
#mcu         = SAM3X8E
#board       = FRDM-K64F
#mcu         = MK64FN1M0VLL12

#  has to be name of firmware elf file
img         = %(working_dir)s/Drone      # 이미지 경로 대소문자 구분하니 조심

[model]
retry_num   = 3
peri_addr_range = 512
# arm-none-eabi-objdump is part of GNU Arm Embedded Toolchain you downloaded while setting up P2IM environment.
# For example,  on my machine is /home/bo/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump

### objdump 경로 풀 경로 입력 해야함.
objdump     = /home/babyhack/tmp/gcc-arm-none-eabi-10.3-2021.10/bin/arm-none-eabi-objdump
# config below are only used by fuzz.py
bin         = %(base)s/model_instantiation/me.py
log_file    = %(working_dir)s/me.log

fuzzing 환경 설정 폴더

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cp /home/babyhack/tmp/p2im/externals/p2im-real_firmware/Drone ./
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
Drone  fuzz.cfg  inputs

Fuzzer 실행

#python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg
Change working dir to: /home/babyhack/tmp/p2im/fuzzing/Drone/5
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5

try our best to extract model w/o input
cmd_me0: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg --run-num 0 --print-to-file

Change working dir to: 0/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0
Redirect stdout to file named stdout

테스트 환경

0.random.8
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.7/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg

There is aup, run ME
cmd_me: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfge --run-from-forkserver --afl-file /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs/random --model-if /home/babdom.7/peripheral_model.json
Change working dir to: 0.random.8/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.8
Redirect stdout to file named stdout
Traceback (most recent call last):
  File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 1166, in <module>
    srr_info = stage1_5()
  File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 490, in stage1_5
    objdump = subprocess.check_output([cfg.objdump, "-dC", cfg.img])
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 693, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg)
OSError: [Errno 8] Exec format error

0.random.9
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.8/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg
.............................
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarme

(process:17789): GLib-WARNING **: /Host/Work/qemu/glib-2.51.0/glib/gmem.c:483: custom memory allocation vtabl
[0, 0]   1-th(total   1-th)     unassigned mem_r *0x0
[0, 0]   2-th(total   2-th)     unassigned mem_r *0x4
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) QEMU 2.3.50 monitor - type 'help' for more information
(qemu) [8004f10, 8004f4e]   1-th(total   3-th)  pm_r *0x40021000 gets 0x0, remains CR+SR
[8004f10, 8004f4e]   1-th(total   1-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   2-th(total   4-th)         pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e]   2-th(total   2-th)         pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e]   3-th(total   5-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e]   3-th(total   3-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   4-th(total   6-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e]   4-th(total   4-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   5-th(total   7-th)         pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e]   5-th(total   5-th)         pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e]   6-th(total   6-th)         pm_w *0x40021008 = 0x9f0000, remains DR
start up afl forkserver!
[8001128, 800113a]   6-th(total   8-th)         pm_r *0x40022000 gets 0x0, remains CR
[8001128, 800113a]   7-th(total   7-th)         pm_w *0x40022000 = 0x10, remains CR
[8004ccc, 8004ce8]   7-th(total   9-th)         pm_r *0x40021018 gets 0x0, remains CR
[8004ccc, 8004ce8]   8-th(total   8-th)         pm_w *0x40021018 = 0x1, remains CR
[8004ccc, 8004ce8]   8-th(total  10-th)         pm_r *0x40021018 gets 0x1, remains CR
[8001cba, 8001cc4]   9-th(total  11-th)         pm_r *0x40021004 gets 0x0, remains CR
[8001cd4, 8001cf0]  10-th(total  12-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10]  11-th(total  13-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10]   9-th(total   9-th)         pm_w *0x40021000 = 0x81, remains CR+SR
...........................

환경이 맞으면, AFL Fuzzing 시작

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
0  0.random.1  0.random.2  0.random.3  Drone  fuzz.cfg  inputs  me.log  outputs  run_fw.py
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cd outputs/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls
crashes  fuzz_bitmap  fuzzer_stats  hangs  plot_data  queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls -sla
total 2116
   4 drwx------ 5 babyhack babyhack    4096 Jan 24 06:58 .
   4 drwxrwxr-x 8 babyhack babyhack    4096 Jan 24 06:51 ..
   4 drwx------ 2 babyhack babyhack    4096 Jan 24 06:52 crashes
   4 -rw------- 1 babyhack babyhack     164 Jan 24 06:58 .cur_input
2048 -rw------- 1 babyhack babyhack 2097152 Jan 24 06:57 fuzz_bitmap
   4 -rw------- 1 babyhack babyhack    1093 Jan 24 06:57 fuzzer_stats
   4 drwx------ 2 babyhack babyhack    4096 Jan 24 06:54 hangs
   8 -rw------- 1 babyhack babyhack    4454 Jan 24 06:58 plot_data
  36 drwx------ 3 babyhack babyhack   36864 Jan 24 06:58 queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ cd crashes/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls
id:000000,ret_v:0x1,src:000000,op:havoc,rep:8  README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls -sla
total 16
4 drwx------ 2 babyhack babyhack 4096 Jan 24 06:52 .
4 drwx------ 5 babyhack babyhack 4096 Jan 24 06:58 ..
4 -rw------- 1 babyhack babyhack  148 Jan 24 06:52 id:000000,ret_v:0x1,src:000000,op:havoc,rep:8
4 -rw------- 1 babyhack babyhack 1106 Jan 24 06:52 README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ cat README.txt
Command line used to find this crash:

/home/babyhack/tmp/p2im/afl/afl-fuzz -i /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs -o /home/babyhack/tmp/p2im/fuzzing/Drone/5/outputs -t 150+ -QQ -a /home/babyhack/tmp/p2im/model_instantiation/me.py -b /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.3/peripheral_model.json -T Drone_5 -d /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stage 3 -aflFile @@

If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
memory limit. The limit used for this fuzzing session was 2.00 GB.

Need a tool to minimize test cases before investigating the crashes or sending
them to a vendor? Check out the afl-tmin that comes with the fuzzer!

Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
add your finds to the gallery at:

  <http://lcamtuf.coredump.cx/afl/>

Thanks :-)
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$
</lcamtuf@coredump.cx>

설치 방법

$ sudo apt update
$ sudo apt install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cmake
$ sudo apt install -y lld-11 llvm-11 llvm-11-dev clang-11
$ sudo apt install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
$ cd $HOME
$ git clone [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) && cd AFLplusplus
$ export LLVM_CONFIG="llvm-config-11"
$ make distrib
$ sudo make install

AFL++ 구동테스트

•  구버전을 활용하여 테스트 진행 (3.02 CVE-2019-13288 테스트)

어플 설치

$ cd $HOME $ mkdir fuzzing_xpdf && cd fuzzing_xpdf/ 
$ wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz 
$ tar -zxvf xpdf-3.02.tar.gz $ cd xpdf-3.02/

컴파일 (llvm 11, afl-clang-ito 옵션 적용)

$ export AFL_USE_ASAN=1 
$ export LLVM_CONFIG="llvm-config-11" 
$ CC=$HOME/AFLplusplus/afl-clang-lto CXX=$HOME/AFLplusplus/afl-clang-lto++ ./configure --prefix="$HOME/fuzzing_xpdf/install/"
$ make 
$ make install

# [ASAN option]
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix="/home/babyhack/ASASN_xpdf/install/"

cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_C_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_EXE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" DCMAKE_INSTALL_PREFIX=~root/fuzz_xpdf-4.03/install/ -DCMAKE_MODULE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" -DCMAKE_BUILD_TYPE=Debug,ASAN,UBSAN -DWITH_SSE2=ON -DMONOLITHIC_BUILD=ON -DBUILD_SHARED_LIBS=OFF .

샘플 파일

$ cd $HOME/fuzzing_xpdf $ mkdir pdf_examples && cd pdf_examples 
$ wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf 
$ wget http://www.africau.edu/images/default/sample.pdf 
$ wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf

구동 테스트

$HOME/fuzzing_xpdf/install/bin/pdfinfo -box -meta $HOME/fuzzing_xpdf/pdf_examples/helloworld.pdf

퍼징 테스트

• root 권한이 필요함.

[-] PROGRAM ABORT : Suboptimal CPU scaling governor Location : check_cpu_governor(), src/afl-fuzz-init.c:2310

• 실행 명령어

root@raspberrypi$ afl-fuzz -i ~babyhack/fuzzing_xpdf/pdf_examples/ -o ~babyhack/fuzzing_xpdf/out/ -s 123 -- ~babyhack/fuzzing_xpdf/install/bin/pdftotext @@ ~babyhack/fuzzing_xpdf/output

• 옵션 설명
  • -i : 입력값 테스트 케이스들이 모여있는 디렉터리 경로이다.
  • -o : AFL++가 변이하여 생성할 파일들이 저장될 경로이다.
  • -s : static random seed 를 설정한 것이다. 이렇게 한 이유는 단지 이 예제 결과를 항상 동일하게 보여주기 위한 것일뿐(교육자료 목적) 이 옵션을 빼고 완전히 랜덤으로 진행해도 된다.
  • @@ 로 표기한 부분에 커맨드라인상으로 AFL이 생성한 파일의 이름이 매핑된다.

crash 폴더

$ cd /home/cpuu/fuzzing_xpdf/out/default/crashes 
$ ls -l 
total 8 
-rw------- 1 cpuu cpuu 689 Jan 26 11:31 README.txt 
-rw------- 1 cpuu cpuu 3941 Jan 26 11:31 id:000000,sig:11,src:000963,time:73213,execs:69034,op:havoc,rep:8

crash 분석 방법

• dact를 활용한 분류 (feat. ASAN)

$ export AFL_USE_ASAN=1 
$ CC=[afl folder]/afl-clang-fast CXX=[afl folder]/afl-clang-fast++ CFLAGS="-fsanitize=address -g " CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
$ make

• ASAN 적용 결과

# [ASAN 적용]
$ ~babyhack/fuzzing_xpdf/ASASN_xpdf/install/bin/pdftotext /home/babyhack/fuzzing_xpdf/out/xpdf/crashes/id:000000,sig:11,src:000000+000126,time:723512,execs:41054,op:splice,rep:16
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (1499): Illegal character <47> in hex string
Error (1500): Illegal character <6f> in hex string
Error (1501): Illegal character <54> in hex string
Error (1502): Illegal character <6f> in hex string
Error (1503): Illegal character <52> in hex string
Error: Missing 'endstream'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4021875==ERROR: AddressSanitizer: stack-overflow on address 0x007fc42ccfd0 (pc 0x0000004b1f34 bp 0x007fb7114000 sp 0x007fc42ccfb0 T0)
AddressSanitizer:DEADLYSIGNAL

ref. 

https://cpuu.postype.com/post/11671863

참고

- http://blog.naver.com/funny303/220778035079

- http://pypie.tistory.com/entry/Blind-SQL-Injection

- http://www.securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html

1. SQL Injection 테스트

2. Blind Injection

2.1. Database 갯수 확인

2.2. 테이블 명 추출

2.3. Column명 추출

2.4. value 찾기

이상으로 마칩니다.

thanks : silverbug (enviroment support)

지금 카드 정보 유출이 카드사 만의 문제일까요?

여러 분들의 정보가 카드사에서만 유출되고 있을까요?

엄청난 많은 정보들이 지금 인터넷에 떠돌고 있으며, 굳이 카드사가 아니더라도

손 쉽게 얻을 수 있습니다.

@.@

금일 키사에 신고는 해놓았는데 어떻게 처리되는지 봐야겠네요.