uafbench: A C repository from BINSEC development team

UAF Fuzzing Benchmark

We create a fuzzing benchmark of Use-After-Free (UAF) and Double-Free (DF) bugs for our evaluations. It includes recent bugs found by existing (directed) greybox fuzzers of real-world programs. We provide scripts, Valgrind's stack traces as targets and initial seeds of each subject. Please follow the instructions to install fuzzers like AFL(-QEMU), AFLGo and UAFuzz.

# Environment variables
export AFL=/path/to/afl-2.52b
export AFLGO=/path/to/aflgo
export IDA_PATH=/path/to/ida-6.9/idaq
export GRAPH_EASY_PATH=/path/to/graph-easy
export UAFUZZ_PATH=/path/to/uafuzz

# Avoid hang when fuzzing
export MALLOC_CHECK_=0

# Checkout the benchmark
git clone https://github.com/strongcourage/uafbench.git
cd uafbench; export UAFBENCH_PATH=`pwd`

# Fuzz CVE-20018-20623 with UAFuzz and timeout 60 minutes
$UAFBENCH_PATH/CVE-2018-20623.sh uafuzz 60 $UAFBENCH_PATH/valgrind/CVE-2018-20623.valgrind

# Fuzz patched version of CVE-2018-6952
$UAFBENCH_PATH/CVE-2019-20633.sh uafuzz 360 $UAFBENCH_PATH/valgrind/CVE-2018-6952.valgrind

Bug ID	Program	Type	Crash	Command	Files
CVE-2018-20623	readelf (923c6a7)	UAF	❌	`readelf -a @@`	PoC, Traces, Fuzzing script
giflib-bug-74	gifsponge (72e31ff)	DF	❌	`gifsponge < @@`	PoC, Traces, Fuzzing script
yasm-issue-91	yasm (6caf151)	UAF	❌	`yasm @@`	PoC, Traces, Fuzzing script
CVE-2016-4487	cxxfilt (2c49145)	UAF	✔️	`cxxfilt < @@`	PoC, Traces, Fuzzing script
CVE-2018-11416	jpegoptim (d23abf2)	DF	❌	`jpegoptim @@`	PoC, Traces, Fuzzing script
mjs-issue-78	mjs (9eae0e6)	UAF	❌	`mjs -f @@`	PoC, Traces, Fuzzing script
mjs-issue-73	mjs (e4ea33a)	UAF	❌	`mjs -f @@`	PoC, Traces, Fuzzing script
CVE-2018-11496	lzrip (ed51e14)	UAF	❌	`lrzip -t @@`	PoC, Traces, Fuzzing script
CVE-2018-10685	lzrip (9de7ccb)	UAF	❌	`lrzip -t @@`	PoC, Traces, Fuzzing script
CVE-2019-6455	rec2csv (97d20cc)	DF	❌	`rec2csv @@`	PoC, Traces, Fuzzing script
CVE-2017-10686	nasm (7a81ead)	UAF	✔️	`nasm -f bin @@ -o /dev/null`	PoC, Traces, Fuzzing script
gifsicle-issue-122	gifsicle (fad477c)	DF	❌	`gifsicle @@ test.gif -o /dev/null`	PoC, Traces, Fuzzing script
CVE-2016-3189	bzip2 (962d606)	UAF	✔️	`bzip2recover @@`	PoC, Traces, Fuzzing script

UAF bugs found by UAFuzz

Bug ID	Program	Type	Command	Relevant bugs
CVE-2019-20633	patch	DF	`patch -Rf < @@`	CVE-2018-6952
#1269, #1427, #1440	MP4Box	UAF	`MP4Box -info @@`	#1340, #1427
#702253	mutool	UAF	`mutool draw -o /dev/null -R 832 -h 22 @@`	#701294
#4266	fontforge	UAF	`fontforge -lang=ff -c 'Open($1)' @@`	#4084
#134324, #17117	perl	UAF	`perl @@`	#16889, #17051
#25821	readelf	DF	`readelf -a @@`
#25823	nm-new	UAF	`nm-new -C @@`
	boolector	UAF	`boolector @@`	#41

binsec/uafbench

UAF Fuzzing Benchmark

UAF bugs found by UAFuzz