[fuzzing] OWASP Fuzzing page

Disco Jonny discojonny at gmail.com
Tue Dec 12 10:51:03 CST 2006


whoop! someone that is angry like me :) there are no personal insults
in this mail, sorry in advance if you read any into it.

okay, i'll bite, and i know you meant no offence (you said so), but your
post (this one) got my back up, sorry for the tone, i just want to type
angry. (gadi doesn't let me normally)

once you trawl through all the shit, there is a bug (at the end), skip
to that if you want.

> But semantics is all you use to argue about it.

I don't understand this.  When I said semantics, I was talking about
not relying on what the dictionary calls it, but what the commonly
accepted term is [in my industry - testing]. if you call an american
red apple an apple and i call an english cox apple an apple i do not
want to argue about which is actually the apple, that's what i meant.
Talking about semantics is fine - i am just not going to argue about
it.

like fuzzing.  if you look back to my earlier mails i spent a long
bloody time talking about that for no benefit.

I can use completely made-up words and provide a glossary if you like?
i was trying to show what the testing world calls them.

> I haven't seen a
> single technical point in your discussion about this. FOO software
> uses XYZ protocol. FOO is closed source. You are going to test XYZ
> anyway. This might not apply to applications that implement "closed"
> protocols or formats, but looking out there you'll find specifications
> and third-party reports on almost every binary format out there.

yes, i know this.  I use this method.  but this method is not the
ends, it's a means.  that's the point I am trying to make. although my
eyes have been opened.

> >
> > what happens if you dont have a RFC? you are not trying to check that
> > a program conforms to a certain criteria, you are checking to make
> > sure that there are no programming mistakes.
>
> Please read what I wrote:
> "be it a RFC or whatever document that details the intrinsic of how
> data is stored and structured."

you have one of these for the .art file type (aol compression - i had
to get mine from the patent. not all products are patented)  I don't
work on open source stuff... (except a game or two)

Also not all applications have this supporting documentation.

>
> Again, it seems you're mixing a load of terms and not really showing
> any fact that even barely supports what you pretend to say (I'm not
> even sure about that,

okay then, what words am I allowed to use?

>What's your goal with all these 'discussions'about fuzzing?

this specific one or all my emails in general?

I want to learn, and make my job easier. find like-minded people.
advance my knowledge. and maybe one day peer review of my stuff.

what about you? what were you hoping to gain from this?

>
> When you don't have a design document to work with, you have to either
> reverse engineer the parser, or work with the data set. Grab different
> datasets, compare streams, see what changes, see what doesn't change,
> etc.

i thought that too, then someone showed me an alternative. (i don't use
the alternative (well, planted the seed), i do the above - but i know
how it is not complete, and how i am not doing 'everything')

> If you've got some magic there that makes 'wizard fuzzing' over
> unknown protocols, lemme know.

why?  can you not think and work it out for yourself? or do you
blindly believe in yourself so much that you already know there is
nothing more to be said? i respect what others have said about you,
and the very little i have seen that you have done, but stop being so
bloody elitist and listen to someone else.

my stuff is mainly file-format centric (although it applies to
protocols and stuff). I have not had the time or the inclination to look at
protocols yet.  but I will do for your example. (i do file format
stuff for my daily job.)

> For instance, without even bothering
> checking the protocol, without reverse engineering anything,

that's retarded. I was saying I will not know the SCC Safeword format,
not that I do not know TCP (if that's how it communicates), etc.

> get SCC
> SafeWord and 'fuzz' it. Lemme know if you find anything that way. And
> then try the other way around.

http://www.net-ctrl.co.uk/products/safeword/premieraccess.php?gclid=COe1p_yfjYkCFTAnMAodCDDg5w
that? if i can get the software installed, sure no problem.

>
> > I think you are misinterpreting the definition of implementation v
> > spec. the spec tells you what to program, the implementation is how it
> > has been coded.
>
> Again, please read what I wrote:
> "The handling of a specific protocol is implemented upon the
> information available from a specification, be it a RFC or whatever
> document that details the intrinsic of how data is stored and
> structured."

right, but it is the different sodding ways of doing the same thing
that fuzzing should test. programmer usage is what causes
issues.  if there was only one way to program there would not be these
problems! we need to test _what_ has been implemented - this does not
always come from the spec.

>
> No offense meant, really, I just have the feeling that this is yet
> another term/wording/non-technical discussion, she-said-he-said style.

I am trying my hardest for it not to be that.

no offence taken, but I quite enjoy the slightly aggressive emails. -
hope you don't mind?

what should i be saying then?  I am the only person I know doing what
I do.  and I should give that away why?
I am more than happy to talk about things, but before you can get
technical you need to get on the same level.  but bugger it. let's just
go then.

I am pretty thick skinned. :) - and i am enjoying this.

>
>
> > RFC tells the programmer what lines of code to write?? no, it tells
> > them what it should do, not how to do it.
>
> http://en.wikipedia.org/wiki/Program_specification

please see my previous email.

>
> You're contradicting what you've said earlier in your reply, again.

how? give the example, quote the two statements next to each other.
and then do it for another example (because of the again.)

> Besides that this doesn't make sense (Where does that 'error handling'
> cameo come from?

it is what I have always referred to as the code that handles errors -
as opposed to the code that handles UNDEFINED.

> Specifications explain how data should be handled and
> how to implement it properly... if that covers unexpected conditions,
> then it's less prone to unhandled problems).

It does not say use an if statement rather than a while statement.  it
does not say don't use the same variable that you used before. it does
not say make sure you have enough space on the stack to store the
variable, etc. it is these subtle nuances that need to be tested - and
fuzzing is the best method for this.

> At this point, I'm not
> sure on what you're talking about.

it's getting pretty much irrelevant, see the end of this for an example
of a weight and marker, in a word doc.  get that from the spec? i have
no idea what those functions are, but i know the code would react in
that way.

> It wasn't just innovative but extremely successful.
> You've mentioned 1999. Well, ever heard of the 'snmp  fuck-up'?

nope. i guess that is points against me.

> Don't be that defensive, no one is trying to fool you here. Check out
> the papers there, those are a really interesting read.

? i am not being defensive i am trying to get a point across so we can
all be on the same level - otherwise how on earth are you going to
understand what I say?

>
> Heh, I'm surprised you haven't included the word 'synergy' there already 8-).

alright, how else would you explain that? do you even understand what
I was trying to say? i'm not selling anything, i'm not giving anything
away, i'm not trying to be smarter than the next person. you do
better.....


> I'm not a hardcore kernel guy anyway, but some of my code has been
> included in certain parts of Linux so far.

good work :) - i am a tester more than a coder.

if you know anyone that wants vista kernel bugs, give them my email
addy. (i found them by usage, not by fuzzing)

> Not under the 'LMH'
> nickname, though. I'm jealous of people like Ingo Molnar and Andrew
> Morton, and many other guys who have done really nice stuff. With
> mistakes, from times to times, still great mufu.

everyone makes mistakes, that's why I have a job. my job is to find
those mistakes.

>
> > how about statistical analysis of results? normalisation of program
> > flow?  data mapping, dependency mapping, thread mapping?
>
> Listen, I know wording like 'statistical analysis', etc, is shiny and
> sounds really nice. But as I said earlier, I haven't seen a single
> technical fact in your discussions on this list.

how else do i say it then? i don't give a shit how it sounds.  have you
done any high-level maths? have you ever normalised results? wtf else
umbrella do you put it under?  no one has asked for technical info.
fuck, it is not my job to educate you, no one educated me...

ask and you will find that i am happy to go into detail.

>
> I'm not trying to kick you out

dunno what that means

> nor making any kind of attack,

but you did though... on my use of language... if nothing else, i don't
know better words to use.

> just
> curious about really technical information about what's going on in
> your head.

ask questions then, i am not stupid, i know i don't give the whole
clue, just little bits, ask challenging questions and you might be
surprised.

> You may have nice ideas, but failing to expose them
> properly won't be of help, sadly.

help to who? how do i expose my ideas? why would i want to?  I am not
trying to give ideas away, i am trying to get people to have their
own, just down my line of thinking.  i am not altruistic. fuck 'em
all... that's what i say.

anyways,

for something a little more technical

This is an email I sent someone else. (sorry mate, i'll give a few
other ones for the 'project' :) )

I do not know of any fuzzer that would find this.  I do not know of
any fuzzing method, except the one I use that would find this.

=====
The file I have attached is a very basic two-stage bug.  stage 1 (the
first mod) forces the code down a wrong path.  the second mod by
itself is harmless; however, when used with the first it will be the
first and part of the second overwrite.

I have used 41414141 as a marker to make it easier for you to see.

I have made it crash the wordviewer again to make it more obvious

Weight,
location: 00000274
value   : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value   : 41414141

the weight destination address == ((weight * 4[this is EDI]) + 4
[ECX*4]) + source memory offset[ESI].

[also the metadata is microsoft's, not mine]
======

bug hugs,

disco.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: djtest.doc
Type: application/msword
Size: 26624 bytes
Desc: not available
Url : http://www.whitestar.linuxbox.org/pipermail/fuzzing/attachments/20061212/915946d4/attachment-0001.doc 
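As an added illustration of the "two-stage" shape described in the bug above (example code, not part of this email or the attached file): a constructed toy parser in which a small integer field picks the code path and scales a write index, and a second field supplies the value written there. The offsets from the email are used only as labels; the 64-byte object, its pointer slot, and the candidate field lists are assumptions. A one-mutation-at-a-time fuzzer never triggers it, while a weight-and-marker sweep does.

```python
import random
import struct

WEIGHT_OFF, MARKER_OFF, FILE_LEN = 0x274, 0x27E4, 0x3000   # offsets quoted in the email, as labels
TABLE_LEN, PTR_SLOT = 0x40, 0x10   # toy 64-byte object holding a 'pointer' at +0x10 (assumption)
MARKER = b'AAAA'                   # 41414141, the marker from the email

def make_doc(weight=0, marker=b'\0\0\0\0'):
    """Constructed stand-in for the .doc: zero filler with the two fields set."""
    doc = bytearray(FILE_LEN)
    struct.pack_into('<I', doc, WEIGHT_OFF, weight)
    doc[MARKER_OFF:MARKER_OFF + 4] = marker
    return doc

def parse(doc):
    """Toy parser with the two-stage bug shape. Returns ('ok'|'crash', dest)."""
    weight = struct.unpack_from('<I', doc, WEIGHT_OFF)[0]
    marker = bytes(doc[MARKER_OFF:MARKER_OFF + 4])
    if marker == b'\0\0\0\0':        # no record to copy: the weight alone is harmless
        return 'ok', None
    if weight == 0:                  # documented path: copies into a fixed, in-bounds slot
        return 'ok', 0
    dest = weight * 4 + 4            # undocumented path: (weight*4)+4 (+base), never checked
    if dest + 4 > TABLE_LEN:         # write past the 64-byte object: out-of-bounds write
        return 'crash', dest
    if dest < PTR_SLOT + 4 and dest + 4 > PTR_SLOT:   # write lands on the pointer: dies on use
        return 'crash', dest
    return 'ok', dest

def fuzz_single_field(doc, trials, seed=1):
    """One random 4-byte mutation per test case. Returns the crashing offset, or None."""
    rng = random.Random(seed)
    for _ in range(trials):
        m, off = bytearray(doc), rng.randrange(0, FILE_LEN - 4)
        struct.pack_into('<I', m, off, rng.getrandbits(32))
        if parse(m)[0] == 'crash':
            return off
    return None

def find_two_stage(doc, weight_fields, marker_fields, weights=range(1, 7)):
    """Plant the marker in a candidate data field, then sweep small weights through each candidate integer field."""
    for moff in marker_fields:
        for woff in weight_fields:
            for w in weights:
                m = bytearray(doc)
                m[moff:moff + 4] = MARKER
                struct.pack_into('<I', m, woff, w)
                if parse(m)[0] == 'crash':
                    return woff, w, moff
    return None
```

The candidate lists passed to `find_two_stage` stand in for the field-mapping pass the email alludes to; the single-field fuzzer cannot succeed because no one 4-byte mutation sets both fields.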