Posted on 04/13/2006 10:37:32 AM PDT by ShadowAce
Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.
The technique - called packet, or data, fuzzing - is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers to startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers.
In another example, it took less than an hour at the CanSecWest Conference last week for Moore and computer-science student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.
"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."
Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a website visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.
Microsoft stressed that the issues are still under investigation.
"Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."
The effectiveness of fuzzing at defining quality and security issues is nothing new.
Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for internet telephony.
Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on web browsers and desktop security software to date.
"Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.
The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious websites.
FIREFOX RU-HOIUH&#)(*$)(PJNLKJPOI)(#&-LES!..........oops! fuzzy data..........
LOL!
UNfortunately, those are in Quicktime format, and I am running under Linux--no QT plugin is available for Firefox under Linux. :(
SHUT UP!!!
That's OK, though. I can just "wget" them and view them in Xine.
Hah! Flaws in ASN.1. Do like I did, just write your own parser/encoder. ;-) Actually, I only handled a subset of BER. It was a great learning experience.
You ever mess with Mplayer?
Bump for later
yeah--a little. Wazzup?
You can crash IE with a static web page that validates perfectly at the W3C for CSS and XHTML. Don't believe me? Skeptics are welcome to try it.
This page has been up for about a year and a half now.
when you run into stuff like that look at the source code.
http://media.revver.com/broadcast/19542/video.mov
here is the file if you want to watch it on a linux system.
mplayer picked it up fine.
I guess I'm not the only one who hunts for links in the sourcecode. ;O)
I just realized you needed QT and I linked you to Real.
WTF was I thinking? Not very helpful.
I don't know why, but I was able to access it with the mozilla plugin for MPlayer.
Maybe I just got lucky...
I took a look at the code behind the page, it took me less than a minute to find what caused the problem and fix it. And, I'm not a web designer, in any real sense of the word.
Before you ask, I use Firefox 95% of the time, I did it just to see how difficult it would be.
But that's the point. The page is 100% valid CSS and XHMTL. There was nothing to fix, only somthing to change so that a browser doesn't crash. BTW, did your fix result in valid CSS and XHTML?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.