[fuzzing] Bug example for 2 variable interaction
Charles Miller
cmiller at securityevaluators.com
Mon Feb 18 07:32:02 CST 2008
Thanks all for the bugs. Seems they do exist.
Charlie
On Feb 18, 2008, at 6:26 AM, Thomas Pollet wrote:
> Hi,
>
>
> On 14/02/2008, Charles Miller <cmiller at securityevaluators.com> wrote:
>
> Can anyone think of a bug in a real product (preferably found via
> fuzzing) that was the result of a two (or more) variable interaction
> (not including block-based things like a length and its associated
> long string). It seems every bug I can remember finding via fuzzing
> can be reduced to a single byte/field/variable. This is either
> because that is what all the bugs look like or because that is all
> fuzzing can find (at least the way I fuzz). Also, I don't mean to
> exploit it, which may require many fields in the protocol to be set to
> particular values, but rather just to reveal the presence of the bug.
> Thoughts?
>
> Don't know if this was found by fuzzing,
>
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
>
> "During unpacking, two untrusted values are taken directly from the
> file without being validated. These values are later used in an
> arithmetic operation to calculate the size used to allocate a heap
> buffer."
>
> The ssize and dsize sum needs to wrap to some lower value.
>
> code: http://google.com/codesearch?hl=en&q=+clamav+dsize+ssize+show:rtPDCyAIkl0:6GWLphImvY4:IsIYqwuA5xE&sa=N&cd=2&ct=rc&cs_p=http://gentoo.osuosl.org/distfiles/clamav-0.90.tar.gz&cs_f=clamav-0.90/libclamav/pe.c#first
>
> exploit: http://www.milw0rm.com/exploits/4862
>
> Regards,
> Thomas Pollet
>
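The bug class Thomas describes, two individually plausible 32-bit sizes whose sum wraps before it is used to size a heap buffer, is easy to model and to check for. The block below is an added example written for this archive page; it is not code from the message, from ClamAV, or from the linked advisory or exploit. The field names ssize and dsize are borrowed from the message, but the 8-byte little-endian header layout, the function names, and the sample headers are all constructed for illustration. It shows the unchecked sum beside an overflow-checked one, and a helper that makes explicit why mutating one field at a time, with the other held at a small default, rarely reaches the wrapping region.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model (not the real unpacker) of the pattern in the quoted
 * advisory: two 32-bit sizes, called ssize and dsize as in the message, are
 * read from an untrusted header and summed to size a heap buffer.  The
 * header layout here is constructed for the example. */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the constructed 8-byte header: ssize then dsize, little-endian.
 * Returns 0 on success, -1 if the header is too short. */
int parse_sizes(const uint8_t *hdr, size_t len, uint32_t *ssize, uint32_t *dsize) {
    if (len < 8)
        return -1;
    *ssize = read_le32(hdr);
    *dsize = read_le32(hdr + 4);
    return 0;
}

/* Unchecked: the sum wraps modulo 2^32, so two large fields can yield a tiny
 * allocation that later copies of ssize or dsize bytes will overrun. */
uint32_t unchecked_alloc_size(uint32_t ssize, uint32_t dsize) {
    return ssize + dsize;
}

/* Checked: detect the wrap before the sum is trusted.  Returns 1 and stores
 * the sum in *out, or 0 if ssize + dsize would exceed UINT32_MAX. */
int checked_alloc_size(uint32_t ssize, uint32_t dsize, uint32_t *out) {
    if (ssize > UINT32_MAX - dsize)
        return 0;
    *out = ssize + dsize;
    return 1;
}

/* Why one-field-at-a-time fuzzing tends to miss this: with the other field
 * held at a small default D, the sum wraps only when the mutated field is
 * above UINT32_MAX - D, and then the sum wraps to a value below D.  Both
 * fields have to be large at once.  Returns 1 if the pair wraps. */
int sum_wraps(uint32_t ssize, uint32_t dsize) {
    return ssize > UINT32_MAX - dsize;
}

/* Hardened decision for a whole header: the size that would be allocated,
 * or -1 if the header is rejected (too short or wrapping sum). */
int64_t planned_alloc(const uint8_t *hdr, size_t len) {
    uint32_t s, d, total;
    if (parse_sizes(hdr, len, &s, &d) != 0)
        return -1;
    if (!checked_alloc_size(s, d, &total))
        return -1;
    return (int64_t)total;
}

/* Constructed sample headers.  BENIGN_HDR carries 0x1000 and 0x2000.
 * WRAPPING_HDR carries 0x80000000 and 0x80000100: each fits comfortably in
 * 32 bits, but their sum is 0x100000100, which wraps to 0x100. */
const uint8_t BENIGN_HDR[8]   = { 0x00, 0x10, 0x00, 0x00,  0x00, 0x20, 0x00, 0x00 };
const uint8_t WRAPPING_HDR[8] = { 0x00, 0x00, 0x00, 0x80,  0x00, 0x01, 0x00, 0x80 };

int main(void) {
    uint32_t s, d;
    if (parse_sizes(WRAPPING_HDR, sizeof WRAPPING_HDR, &s, &d) == 0) {
        printf("unchecked alloc size: 0x%x (wrapped)\n", unchecked_alloc_size(s, d));
        printf("hardened decision:    %lld\n", (long long)planned_alloc(WRAPPING_HDR, 8));
    }
    printf("benign header:        %lld\n", (long long)planned_alloc(BENIGN_HDR, 8));
    return 0;
}
```

The detection-side lesson is the same as the fix: any time an allocation size is derived from more than one untrusted field, the check has to be applied to the combined expression, not to each field in isolation. A fuzzer that only mutates one field per test case and leaves the others at their corpus defaults exercises a one-dimensional slice of that expression, which is exactly the slice where this bug does not appear.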