Browser Fuzzing Tool: Cross_Fuzz
Ref_fuzz and cross_fuzz are a pair of fuzzers developed to stress-test DOM bindings in popular browsers. Both of these tools turned out to be dead effective against WebKit, Firefox, and Opera.
Cross_Fuzz is an effective cross-document DOM fuzzer that enables researchers to identify vulnerabilities and bugs in web browsers. The tool was released by Michal Zalewski on 1 January 2011. Zalewski attributes much of the fuzzer's efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.
Fuzzing basically means testing the program under test, here the browser, with inputs and conditions generated on random factors. The objective is to create unexpected conditions and see whether the browser handles the resulting error conditions and stress properly, without revealing too much information.
Cross_Fuzz, with its extended capability, started revealing potential 0-days. cross_fuzz dynamically generates extremely long interconnected sequences of DOM operations across multiple documents, inspects returned objects, recurses into them, and creates circular node references that stress-test garbage collection algorithms. It can also be easily extended to fuzz any DOM-enabled documents or browser plugins simply by providing new target documents. But, because of the design of the fuzzer, it is difficult to get clean, deterministic outputs.
Also, the tool's design is cruel to the point of torturing a browser's DOM engine. The fuzzer has so much randomness in it that reproducing an error is often difficult. Many of the reports to vendors produced with this tool remain vague, which makes them difficult to fix. Zalewski has released the tool in the hope that community involvement will help make it more useful to developers.
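To make the walk described above concrete (enumerate a DOM object's properties, call its methods, recurse into whatever comes back, and tie nodes into circular references), here is an added illustration that is not Zalewski's code: a seeded, logging walker over a constructed mock document so it runs under Node. `mockNode`, `fuzzWalk` and the `__xref` property are hypothetical names; the seeded PRNG is what supplies the replayability the post says cross_fuzz lacks.

```javascript
// Deterministic PRNG (mulberry32): the same seed replays the same operation sequence.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// Constructed stand-in for a DOM node (hypothetical, not a browser object) so the
// walker runs under Node; in a browser the root would simply be `document`.
function mockNode(name) {
  const n = { nodeName: name, childNodes: [], parentNode: null };
  n.appendChild = (c) => { c.parentNode = n; n.childNodes.push(c); return c; };
  n.cloneNode = () => mockNode(n.nodeName);
  return n;
}

// One run of `steps` random DOM operations over everything reachable from `root`;
// returns the operation log so two runs can be compared or a failing run replayed.
function fuzzWalk(root, seed, steps) {
  const rnd = makeRng(seed);
  const pick = (arr) => arr[Math.floor(rnd() * arr.length)];
  const pool = [root];                      // every object seen so far
  const log = [];
  for (let i = 0; i < steps; i++) {
    const obj = pick(pool), tag = obj.nodeName || "list";
    const keys = Object.keys(obj).filter((k) => k !== "__xref");
    if (keys.length === 0) continue;        // e.g. an empty childNodes list
    const key = pick(keys); let out;
    try {
      if (typeof obj[key] === "function") {
        const args = rnd() < 0.5 ? [pick(pool)] : [];   // feed earlier objects back in
        out = obj[key](...args);
        log.push(`call ${tag}.${key}/${args.length}`);
      } else {
        out = obj[key];
        log.push(`read ${tag}.${key}`);
      }
    } catch (e) {                           // a real DOM throws on bad arguments too
      log.push(`throw ${tag}.${key}: ${e.constructor.name}`);
      continue;
    }
    // Recurse: anything object-like that came back becomes a future target.
    if (out && typeof out === "object" && !pool.includes(out) && pool.length < 64) pool.push(out);
    // Circular reference between two pool members: the GC stressor the post describes.
    if (rnd() < 0.2) { const o = pick(pool); obj.__xref = o; o.__xref = obj; log.push("xref"); }
  }
  return { log, poolSize: pool.length };
}
```

Two runs with the same seed produce identical logs, so a sequence that misbehaves can be handed to a vendor as a fixed seed and step count rather than as a vague report.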
But the tool found several exploitable and fairly well-defined vulnerabilities in Internet Explorer, which Zalewski reported to Microsoft in July. Microsoft acknowledged receipt but did not reply further until just recently, when they asked that the release of the tool be delayed.
The following summarizes notification and patch status for all the affected vendors:
- Internet Explorer: MSRC notified in July 2010. Fuzzer known to trigger several clearly exploitable crashes (example stack trace) and security-relevant GUI corruption issues (XP-only, example). Reproducible, exploitable faults still present in current versions of the browser. I have reasons to believe that one of these vulnerabilities is known to third parties. Comment: Vendor has acknowledged receiving the report in July (case 10205jr), but did not contact me again until my final ping in December. Following that contact attempt, they were able to quickly reproduce multiple exploitable crashes, and asked for the release of this tool to be postponed indefinitely. Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused; see this timeline for more.
- All WebKit browsers: WebKit project notified in July 2010. About two dozen crashes identified and addressed in bug 42959 and related efforts by several volunteers. Relevant patches generally released with attribution in security bulletins. Some extremely hard-to-debug memory corruption problems still occurring on trunk.
- Firefox: Mozilla notified in July 2010. Around 10 crashes addressed in bug 581539, with attribution in security bulletins where appropriate. Fuzzing approach subsequently rolled into Jesse Ruderman's fuzzing infrastructure under bug 594645 in September; from that point on, 50 additional bugs identified (generally with no specific attribution at patch time). Several elusive crashes still occurring on trunk. Bad read / write offset crashes in npswf32.dll can also be observed if the plugin is installed.
- Opera: vendor notified in July 2010. Update provided in December states that Opera 11 fixed all the frequent crashes, and that a proper security advisory will be released at a later date (release notes list a placeholder statement: "fixed a high severity issue"). Several tricky crashes reportedly still waiting to be resolved. Note that with Opera, the fuzzer needs to be restarted frequently.
Zalewski has updated his timeline of work on this tool, the vulnerabilities found with it, and his communications with Microsoft to indicate that the earlier version of the fuzzer provided to Microsoft in July did indeed produce the crashes.
Downloading the tool: the fuzzer is available from the author's site, lcamtuf.coredump.cx.
IMPORTANT: You need to allow popups from lcamtuf.coredump.cx for the fuzzer to work properly.