Security professionals need to know about fuzzers
There is a gold paper that has recently been posted in the SANS Reading Room and you should read it. In this post I will tell you why. However, first, a word about fuzzers.
According to OWASP: Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.
Webopedia defines Black Box testing as: A software testing technique whereby the internal workings of the item being tested are not known by the tester. For example, in a black box test on a software design the tester only knows the inputs and what the expected outcomes should be, and not how the program arrives at those outputs. The tester does not ever examine the programming code and does not need any further knowledge of the program other than its specifications.
Malformed/semi-malformed data injection means sending all kinds of junk to some part of the program that accepts input. The expectation is that not all inputs are properly validated. If we hit the software with enough unexpected values, we have a very good chance of breaking something.
Automated, in this case, implies a framework that allows us to "stress test" software in a repeatable, non-labor-intensive manner. Automation is important because there are a number of steps or phases: “identify target, identify inputs, generate fuzzed data, execute fuzzed data, monitor for exceptions and determine exploitability” (sometimes we cause the program to crash, but we cannot achieve control).
On to the gold paper. Sulley, like Peach and Peach Community, is a common fuzzer with the ability to fuzz network protocols. Aron Warren's paper describes the process for using Sulley to fuzz for a vulnerability in an implementation of the unencrypted Telnet protocol.
The use case in the paper is Telnet. As all security professionals know, we should not be using Telnet; we also know people still do. The author walks you through setting up Sulley on a SANS SIFT workstation. He also introduces the language, or grammar, that Sulley requires. Here is an example:
Primitives
s_static() creates a static, non-mutating value. An example call would be: s_static("\n\r")
s_int() creates a 4-byte word. An example call with an initial value of 555, formatted in ASCII, as a mutating integer, would be: s_int("555", format="ascii", fuzzable=True)
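To make the phases listed above (generate fuzzed data, execute it, monitor for exceptions) and the role of static versus mutating primitives concrete, here is a small self-contained fuzzer added for this post. It is not Sulley's code and not from Aron Warren's paper: the classes Static, Int and Request are assumed stand-ins for Sulley's s_static, s_int and request grammar (ASCII integers only; binary formats and endianness are left out), and fragile_target is a constructed, deliberately fragile parser for a made-up "WILL <n>" line so that the monitoring phase has something to catch. Everything runs in-process, with no network.

```python
# Added example: a minimal generation-based fuzzer in the spirit of Sulley's
# block/primitive grammar. NOT Sulley's own code. Static, Int, Request and
# fragile_target are assumptions made for this illustration; the target is a
# constructed, deliberately fragile parser used only to show the
# "monitor for exceptions" phase.


class Static:
    """Static, non-mutating bytes (the role of Sulley's s_static)."""

    def __init__(self, value: bytes):
        self.value = value

    def mutations(self):
        yield self.value  # the only value this primitive ever produces


class Int:
    """ASCII-rendered integer that mutates through boundary values (the role
    of Sulley's s_int with format="ascii"); binary rendering is omitted."""

    BOUNDARIES = [0, 1, -1, 255, 256, 65535, 65536,
                  2**31 - 1, 2**31, 2**32 - 1, 2**32]

    def __init__(self, value: int, fuzzable: bool = True):
        self.value = value
        self.fuzzable = fuzzable

    def mutations(self):
        yield str(self.value).encode()  # baseline value comes first
        if self.fuzzable:
            for boundary in self.BOUNDARIES:
                yield str(boundary).encode()
            yield b"9" * 64  # over-long ASCII integer


class Request:
    """Ordered primitives; mutates one primitive at a time while the others
    stay at baseline, which is how Sulley walks through a request."""

    def __init__(self, *blocks):
        self.blocks = blocks

    def cases(self):
        baseline = [next(b.mutations()) for b in self.blocks]
        yield b"".join(baseline)
        for i, block in enumerate(self.blocks):
            for n, mutated in enumerate(block.mutations()):
                if n == 0:
                    continue  # baseline already emitted above
                case = list(baseline)
                case[i] = mutated
                yield b"".join(case)


OPTION_TABLE = [False] * 256  # constructed target state: 256 option slots


def fragile_target(data: bytes) -> None:
    """Constructed target: parses a made-up 'WILL <n>\\r\\n' line, trusts the
    number it reads, and indexes a fixed-size table with it (no validation)."""
    _verb, number = data.rstrip(b"\r\n").split(b" ", 1)
    OPTION_TABLE[int(number)] = True


def fuzz(request: Request, target):
    """Execute every generated case against the target and record the ones
    that raise. Returns (cases_run, [(input, exception_name), ...])."""
    crashes = []
    count = 0
    for case in request.cases():
        count += 1
        try:
            target(case)
        except Exception as exc:  # any exception is a finding for the fuzzer
            crashes.append((case, type(exc).__name__))
    return count, crashes


if __name__ == "__main__":
    req = Request(Static(b"WILL "), Int(1), Static(b"\r\n"))
    run, found = fuzz(req, fragile_target)
    print(f"{run} cases run, {len(found)} raised an exception")
    for case, name in found:
        print(f"  {name}: {case[:24]!r}")
```

The Static primitives never change, so every case differs from the baseline in exactly one place, the integer; that is what makes a crash attributable to a specific field. Of the 13 cases, the eight with an option number of 256 or more raise IndexError, which is the in-process equivalent of the crash a network fuzzer would have to detect by watching the target process. Determining whether such a crash is exploitable, as the last phase in the quote above notes, is a separate step that this toy does not attempt.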
Don't panic: there is much more documentation on the Sulley site. Go to the SANS Reading Room, grab the paper, read it, and think about the concept even if you don't choose to duplicate Aron's work in your own lab. Finally, why did they name it Sulley? Here is a clue.