OpenSSL fuzzing study notes
xinali opened this issue · 0 comments
xinali commented
OpenSSL is a very important library and it is open source, so a great deal of fuzzing has already been done against it; that makes it a very good way to learn fuzzing.
## Vulnerability list

Below is a collection of OpenSSL vulnerabilities that were found by fuzzing; each one will be analysed separately afterwards.
| CVE | Description |
|---|---|
| CVE-2014-0160 | OpenSSL Heartbleed (CVE-2014-0160) |
| CVE-2015-1788 | Malformed ECParameters causes infinite loop (CVE-2015-1788) |
| CVE-2015-3193 | Miscalculation in OpenSSL's BN_mod_exp |
### CVE-2014-0160

### CVE-2015-1788
According to the HackerOne description, the affected versions are:

- OpenSSL 1.0.2 users should upgrade to 1.0.2b
- OpenSSL 1.0.1 users should upgrade to 1.0.1n
- OpenSSL 1.0.0d (and below) users should upgrade to 1.0.0s
- OpenSSL 0.9.8r (and below) users should upgrade to 0.9.8zg
## Test environment setup

```shell
git clone https://github.com/openssl/openssl
cd openssl
git checkout OpenSSL_1_0_1
CC=afl-gcc ./config no-ec2m
make
```
OpenSSL version:

```
/src/openssl# ./apps/openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.1 14 Mar 2012
```
## Fuzzing harness

```c
#include <stdio.h>
#include <stdint.h>
#include <assert.h>
#include <openssl/ec.h>

int main(int argc, char **argv)
{
    unsigned char buf[1024];
    assert(argc == 2);
    FILE *f = fopen(argv[1], "rb");
    assert(f);
    /* only the first 1024 bytes of the input file are fed to the parser */
    size_t r = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    printf("read = %zu\n", r);
    /* d2i_ECPKParameters takes a const unsigned char ** and advances it, so pass a copy */
    const unsigned char *ptr = buf;
    EC_GROUP *ecg = d2i_ECPKParameters(NULL, &ptr, (long)r);
    if (ecg)
        EC_GROUP_free(ecg);
    return 0;
}
```
Compile:

```shell
afl-gcc -I /root/openssl/include/ fuzzing_openssl.c -o fuzzing_openssl /root/openssl/libssl.a /root/openssl/libcrypto.a -ldl
```
Result:

![1555596865313](openssl fuzzing学习.assets/1555596865313.png)
But after running it for several days there were no results, so I ran the following test:

```
# ./fuzzing_openssl input/broken-cert.der
read = 598
```

To my surprise it did not enter an infinite loop. I thought of many approaches for this problem and tested for a long time, but I never managed to trigger it, and I don't know the reason.
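Before leaving a harness like the one above running for days, two things are worth checking: which branch of the ECPKParameters CHOICE the seed actually takes inside d2i_ECPKParameters (a namedCurve OID, an implicitlyCA NULL, or an explicit ECParameters SEQUENCE), and, for explicit parameters, which fieldType OID the FieldID carries. OpenSSL's advisory for CVE-2015-1788 describes the loop as occurring on a malformed binary polynomial (characteristic-two) field, and the `no-ec2m` option in the ./config line above builds libcrypto without the GF(2^m) field code, so a seed has to reach that path and the build has to contain it. The triage tool below is an added example, not part of the original issue: a minimal DER walker with no OpenSSL dependency that reports how an input file decodes. The sample encodings at the bottom are constructed and contain only the leading fields the classifier reads (they are not valid curves); the file name `input/broken-cert.der` is the one from the issue.

```c
/* ecpk_triage.c: classify a DER file the way d2i_ECPKParameters in the harness above
 * sees it. Added example, not from the original issue; plain C99, no OpenSSL needed. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Top-level shapes of ECPKParameters: namedCurve OID, implicitlyCA NULL, or an explicit
 * ECParameters SEQUENCE, split by the fieldType OID found inside its FieldID. */
enum ecpk_kind { ECPK_INVALID, ECPK_NAMED_CURVE, ECPK_IMPLICIT,
                 ECPK_EXPLICIT_PRIME, ECPK_EXPLICIT_CHAR2, ECPK_EXPLICIT_UNKNOWN };

/* Parse one DER tag/length header into tag, content length and header length.
 * Returns 0 on a truncated header, an indefinite or oversized length field, or a
 * content length that runs past the end of the buffer. */
static int der_tlv(const uint8_t *buf, size_t len, uint8_t *tag, size_t *clen, size_t *hlen)
{
    if (len < 2) return 0;
    *tag = buf[0];
    size_t n = buf[1] < 0x80 ? 0 : (buf[1] & 0x7f);      /* number of long-form length bytes */
    if (buf[1] >= 0x80 && (n == 0 || n > sizeof(size_t))) return 0;
    if (len < 2 + n) return 0;
    size_t v = buf[1] < 0x80 ? buf[1] : 0;
    for (size_t k = 0; k < n; k++) v = (v << 8) | buf[2 + k];
    *clen = v;
    *hlen = 2 + n;
    return v <= len - *hlen;
}

/* DER-encoded fieldType OIDs: prime-field 1.2.840.10045.1.1, characteristic-two-field 1.2.840.10045.1.2 */
static const uint8_t OID_PRIME_FIELD[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01 };
static const uint8_t OID_CHAR2_FIELD[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x02 };

enum ecpk_kind classify_ecpk(const uint8_t *buf, size_t len)
{
    uint8_t tag;
    size_t clen, hlen;
    if (!der_tlv(buf, len, &tag, &clen, &hlen)) return ECPK_INVALID;
    if (tag == 0x06) return ECPK_NAMED_CURVE;                         /* OBJECT IDENTIFIER */
    if (tag == 0x05) return clen == 0 ? ECPK_IMPLICIT : ECPK_INVALID; /* NULL */
    if (tag != 0x30) return ECPK_INVALID;                             /* must be a SEQUENCE */
    /* ECParameters ::= SEQUENCE { version INTEGER, fieldID FieldID, ... } */
    const uint8_t *p = buf + hlen;
    size_t rem = clen;
    if (!der_tlv(p, rem, &tag, &clen, &hlen) || tag != 0x02) return ECPK_INVALID;
    p += hlen + clen;
    rem -= hlen + clen;
    /* FieldID ::= SEQUENCE { fieldType OBJECT IDENTIFIER, parameters ANY DEFINED BY fieldType } */
    if (!der_tlv(p, rem, &tag, &clen, &hlen) || tag != 0x30) return ECPK_INVALID;
    p += hlen;
    rem = clen;
    if (!der_tlv(p, rem, &tag, &clen, &hlen) || tag != 0x06) return ECPK_INVALID;
    p += hlen;
    if (clen == sizeof OID_PRIME_FIELD && memcmp(p, OID_PRIME_FIELD, clen) == 0) return ECPK_EXPLICIT_PRIME;
    if (clen == sizeof OID_CHAR2_FIELD && memcmp(p, OID_CHAR2_FIELD, clen) == 0) return ECPK_EXPLICIT_CHAR2;
    return ECPK_EXPLICIT_UNKNOWN;
}

const char *ecpk_kind_name(enum ecpk_kind k)
{
    static const char *names[] = { "invalid / not ECPKParameters", "namedCurve", "implicitlyCA",
        "explicit parameters, prime-field", "explicit parameters, characteristic-two-field",
        "explicit parameters, unknown fieldType" };
    return names[k];
}

/* Constructed samples (not real inputs): just the leading fields the classifier reads. */
static const uint8_t SAMPLE_NAMED[]   = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; /* prime256v1 */
static const uint8_t SAMPLE_PRIME[]   = { 0x30, 0x0e, 0x02, 0x01, 0x01, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01 };
static const uint8_t SAMPLE_CHAR2[]   = { 0x30, 0x0e, 0x02, 0x01, 0x01, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x02 };
static const uint8_t SAMPLE_CERTISH[] = { 0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02 }; /* SEQUENCE { SEQUENCE }: certificate-shaped */
static const uint8_t SAMPLE_TRUNC[]   = { 0x30, 0x10, 0x02, 0x01 };                   /* length claims more bytes than present */

/* Self-check over the constructed samples; returns how many classify as expected (5 when all pass). */
int check_samples(void)
{
    return (classify_ecpk(SAMPLE_NAMED, sizeof SAMPLE_NAMED) == ECPK_NAMED_CURVE)
         + (classify_ecpk(SAMPLE_PRIME, sizeof SAMPLE_PRIME) == ECPK_EXPLICIT_PRIME)
         + (classify_ecpk(SAMPLE_CHAR2, sizeof SAMPLE_CHAR2) == ECPK_EXPLICIT_CHAR2)
         + (classify_ecpk(SAMPLE_CERTISH, sizeof SAMPLE_CERTISH) == ECPK_INVALID)
         + (classify_ecpk(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC) == ECPK_INVALID);
}

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    if (argc != 2) {
        fprintf(stderr, "usage: %s file.der   (self-check: %d/5 samples ok)\n", argv[0], check_samples());
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("%s: %zu bytes, %s\n", argv[1], n, ecpk_kind_name(classify_ecpk(buf, n)));
    return 0;
}
```

Build with `cc -std=c99 -o ecpk_triage ecpk_triage.c`; run it with no arguments for the self-check, or as `./ecpk_triage input/broken-cert.der` to see how the harness input decodes. An input whose first element is not an OID, a NULL, or a SEQUENCE starting with an INTEGER version is rejected by the ASN.1 template in d2i_ECPKParameters before any field arithmetic runs, so such a seed cannot reach the code the CVE lives in no matter how long the fuzzer mutates it; the same classification run over the afl-fuzz queue directory tells you whether the fuzzer has discovered the explicit-parameters branch at all.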