Fuzzing 3

2023-02-07

WinAFL fuzzing in action

Introduction

Armed with some understanding of AFL and WinAFL’s theory, we can proceed to actually use it to fuzz some toy and production binaries.

Build

Building WinAFL is easy if you have Visual Studio. Just follow the instructions in the git repo.

First build Dynamorio:

git clone https://github.com/DynamoRIO/dynamorio.git

cd dynamorio && mkdir build && cd build

cmake -G"Visual Studio 17 2022" -A x64 ..

cmake --build . --config RelWithDebInfo

Then:

git clone https://github.com/googleprojectzero/winafl.git
cd winafl

git submodule update --init --recursive

mkdir build64 && cd build64

cmake -G"Visual Studio 17 2022" -A x64 .. -DDynamoRIO_DIR="<path to dynamorio cmake>" -DINTELPT=1

cmake --build . --config Release

You should find the built afl-fuzz binary in <winafl git path>/build64/bin/Release

Note: It is recommended to comment out line 238 in winafl.c as shown below

        if(options.debug_mode) {
            dr_fprintf(winafl_data.log, "crashed\n");
        } else {
WriteCommandToPipe('C');
WriteDWORDCommandToPipe(exception_code);				
        }
        //dr_exit_process(1);
}

This function kills the drrun process if it detects a crash, which is 1. redundant since the process will already “crash”, and 2. masks Windows error messages which makes debugging Dynamorio a pain

Test1

Just like in the Symbolic Execution series, let’s start off with a simple toy binary to familiarise ourselves with the arguments and intricacies of the tool.

stringhelper.c:

#include <Windows.h>

/*
 * DLL entry point. This toy library keeps no state, so every notification is
 * acknowledged with TRUE and no work is done; the branches below only mark
 * where initialisation/cleanup code would go.
 */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,  // handle to DLL module
    DWORD fdwReason,     // reason for calling function
    LPVOID lpvReserved)  // reserved
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // One-time, per-process initialisation belongs here.
        // Returning FALSE from this case would fail the DLL load.
    } else if (fdwReason == DLL_THREAD_ATTACH) {
        // Per-thread initialisation belongs here.
    } else if (fdwReason == DLL_THREAD_DETACH) {
        // Per-thread cleanup belongs here.
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        if (lpvReserved == NULL) {
            // Not the process-termination scenario: any necessary cleanup
            // belongs here.
        }
        // A non-NULL lpvReserved is the process-termination scenario, in
        // which cleanup is deliberately skipped.
    }

    return TRUE;  // Successful DLL_PROCESS_ATTACH.
}

/*
 * Rewrites the NUL-terminated string `input` in place, turning every space
 * into a comma, and returns `input` (NULL is passed straight through).
 *
 * Planted bug for the fuzzer to find: as soon as the scan position sits on the
 * byte sequence "ABC", the function writes through a null pointer.
 */
__declspec(dllexport) char *StringSpaceToComma(char *input)
{
    char *pos;

    if (input == NULL)
        return NULL;

    pos = input;
    while (*pos != '\0') {
        if (*pos == ' ')
            *pos = ',';

        /* && short-circuits on the first mismatch, so pos[1] / pos[2] are
         * only read when the preceding byte matched and is therefore not the
         * terminator. */
        if (pos[0] == 'A' && pos[1] == 'B' && pos[2] == 'C')
            *(int *)0 = 0;

        pos++;
    }

    return input;
}

This is a super simple DLL that converts the spaces in a string to commas.

Compile with

cl /LD stringhelper.c

I initially intended to model CVE-2021-3156 for a subtle heap overflow, but AFL doesn’t do well with ASAN turned on…(https://github.com/googleprojectzero/winafl/blob/master/afl_docs/notes_for_asan.txt). This required the scenario design to be slightly more wrangled, which kind of demolishes the purpose of a toy binary.

Now we write a small harness for it

/* Must be defined before the first CRT header is pulled in (Windows.h already
 * includes some), otherwise it has no effect on the deprecation warnings for
 * fopen and friends. */
#define _CRT_SECURE_NO_WARNINGS

#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* memcpy, strcmp */
#include <stdint.h>
#include <stdbool.h>

/* Yields a handle for library x, or the handle of ntdll.dll when x cannot be
 * loaded. Note that LoadLibraryA(x) is evaluated twice when the load succeeds. */
#define SAFE_LOADLIBRARY(x) (LoadLibraryA(x) ? LoadLibraryA(x) : GetModuleHandleA("ntdll.dll"))

/* Largest sample accepted through shared memory; the mapped region holds a
 * 4-byte length prefix followed by up to MAX_SAMPLE_SIZE payload bytes. */
#define MAX_SAMPLE_SIZE 1000000
#define SHM_SIZE (4 + MAX_SAMPLE_SIZE)

/* Base of the mapped shared-memory view; set by setup_shmem(). */
unsigned char *shm_data;

/* true: samples are read from shm_data; false: samples are read from a file. */
bool use_shared_memory;

/*
 * Opens the existing file-mapping object called `name` and maps its first
 * SHM_SIZE bytes read/write, storing the view's address in the global shm_data.
 *
 * Returns 1 on success and 0 on failure (after printing a message).
 */
int setup_shmem(const char* name) {
  HANDLE map_file;

  /* `name` is a narrow string, so call the ANSI entry point explicitly rather
   * than the TCHAR macro, which resolves to the wide version in UNICODE builds. */
  map_file = OpenFileMappingA(
    FILE_MAP_ALL_ACCESS,   // read/write access
    FALSE,                 // do not inherit the name
    name);                 // name of mapping object

  if (map_file == NULL) {
    puts("Error accessing shared memory");
    return 0;
  }

  shm_data = (unsigned char*)MapViewOfFile(map_file, // handle to map object
    FILE_MAP_ALL_ACCESS,  // read/write permission
    0,
    0,
    SHM_SIZE);

  /* A mapped view keeps its own reference to the mapping object, so the handle
   * is no longer needed whether or not the mapping succeeded. Closing it here
   * avoids leaking it on both paths. */
  CloseHandle(map_file);

  if (shm_data == NULL) {
    puts("Error accessing shared memory");
    return 0;
  }

  return 1;
}

/*
 * Runs one fuzz iteration: obtains the current sample, copies it into a
 * NUL-terminated heap buffer and hands that buffer to `fn`.
 *
 * name - path of the sample file; only used when use_shared_memory is false.
 * fn   - function under test; receives a writable, NUL-terminated copy of the
 *        sample.
 *
 * In shared-memory mode the sample is read from shm_data: a 4-byte length
 * followed by the payload, with the length clamped to MAX_SAMPLE_SIZE.
 *
 * Always returns 0. When the sample cannot be read or the buffer cannot be
 * allocated, a message is printed and `fn` is not called.
 */
__declspec(noinline) int fuzz(char *name, char *(*fn)(char *))
{
    char *sample_bytes = NULL;
    size_t sample_size = 0;

    if (use_shared_memory) {
        uint32_t shm_len;

        memcpy(&shm_len, shm_data, sizeof(shm_len));
        if (shm_len > MAX_SAMPLE_SIZE) shm_len = MAX_SAMPLE_SIZE;
        sample_size = shm_len;

        sample_bytes = (char *)malloc(sample_size + 1);
        if (!sample_bytes) {
            puts("Error allocating sample buffer");
            return 0;
        }
        memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
    }
    else {
        long file_size;
        FILE *fp = fopen(name, "rb");
        if (!fp) {
            printf("Error opening %s\n", name);
            return 0;
        }

        /* ftell reports failure as -1; storing that in an unsigned size would
         * turn it into an enormous length. */
        if (fseek(fp, 0, SEEK_END) != 0 ||
            (file_size = ftell(fp)) < 0 ||
            fseek(fp, 0, SEEK_SET) != 0) {
            printf("Error reading %s\n", name);
            fclose(fp);
            return 0;
        }

        sample_bytes = (char *)malloc((size_t)file_size + 1);
        if (!sample_bytes) {
            puts("Error allocating sample buffer");
            fclose(fp);
            return 0;
        }

        /* Terminate after the bytes actually read, so a short read never
         * exposes uninitialised heap memory to the target. */
        sample_size = fread(sample_bytes, 1, (size_t)file_size, fp);
        fclose(fp);
    }

    sample_bytes[sample_size] = 0; // null terminate our string for fuzz

    fn(sample_bytes);

    free(sample_bytes);

    return 0;
}

int main(int argc, char **argv)
{
    if(argc != 3) {
        printf("Usage: %s <-f|-m> <file or shared memory name>\n", argv[0]);
        return 0;
    }

    if (!strcmp(argv[1], "-m")) {
        use_shared_memory = true;
    } else if(!strcmp(argv[1], "-f")) {
        use_shared_memory = false;
    } else {
        printf("Usage: %s <-f|-m> <file or shared memory name>\n", argv[0]);
        return 0;
    }

    // map shared memory here as we don't want to do it
    // for every operation
    if(use_shared_memory) {
        if(!setup_shmem(argv[2])) {
            puts("Error mapping shared memory");
            return 0;
        }
    }

    char *(*fn)(char *) = GetProcAddress(SAFE_LOADLIBRARY("stringhelper.dll"), "StringSpaceToComma");
    if (!fn) {
        puts("Error opening dll");
        return 0;
    }

    fuzz(argv[2], fn);
    return 0;
}

Remember how we discussed shared memory delivery in the previous post? There’s no reason to not enable this feature, so I adapted https://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp for our use case.

We copy the sample data into a malloced buffer, then null terminate it to conform with our test DLL’s requirements. Of course the data might contain nulls, but it won’t jeopardise execution flow and raise false positives.

Compile…

cl harness.c

WinAFL is kind of buggy with dynamic symbol resolution, so I didn’t build it with that feature (-DUSE_DRSYMS=1). target_offset can easily be resolved with a debugger or disassembler.

Pre Fuzz

Before we fuzz, it’s nice to do a test run with drrun just to make sure the harness is working.

"<install path>\drrun.exe" -c "<install path>\winafl.dll" -debug -target_module harness.exe -target_offset 0x1090 -fuzz_iterations 10 -nargs 3 -- harness.exe -f a.txt

Here we specify the already built winafl.dll as a client library to drrun. We will be performing 10 dry runs against harness.exe:0x1090 which is the offset of our fuzz function from the module base. a.txt is just a text file containing the word hello.

NOTE: target_module here isn’t referring to the path of the module, but the ACTUAL NAME of the module. The same can be said for coverage_module. I spent at least an hour trying to debug this issue… until

else if (strcmp(token, "-target_module") == 0) {
            USAGE_CHECK((i + 1) < argc, "missing module");
            strncpy(options.fuzz_module, argv[++i], BUFFER_SIZE_ELEMENTS(options.fuzz_module));
        }

...

if(_stricmp(module_name, options.fuzz_module) == 0) {
            if(options.fuzz_offset) {
                to_wrap = info->start + options.fuzz_offset;
            } else {
                //first try exported symbols
                to_wrap = (app_pc)dr_get_proc_address(info->handle, options.fuzz_method);

Another day of hating third party things

If all is well, a log file should be generated with the content

Everything appears to be running normally.

amidst other output. That’s our green light to commence fuzzing.

Fuzzing

"<install path>\afl-fuzz.exe" -s -i in -o out -D "<install path>\dynamorio\build\bin64" -t 5000 -- -coverage_module harness.exe -coverage_module stringhelper.dll -fuzz_iterations 5000 -target_module harness.exe -target_offset 0x1090 -nargs 3 -- harness.exe -m @@

-s instructs WinAFL to use shared memory delivery, in is a directory containing our a.txt and out is an empty output directory for the results. -D points to Dynamorio install path and -t is for 5000ms timeout.

We instrument both harness.exe and stringhelper.dll for coverage, and only restart the process every 5000 loops(persistent mode). WinAFL will replace @@ with the actual shared memory/file name when it runs.

Running it for a few seconds finds us almost a dozen crashes.

                 WinAFL 1.16b based on AFL 2.43b (harness.exe)

+- process timing -------------------------------------+- overall results ----+
|        run time : 0 days, 0 hrs, 0 min, 42 sec       |  cycles done : 5     |
|   last new path : 0 days, 0 hrs, 0 min, 1 sec        |  total paths : 56    |
| last uniq crash : 0 days, 0 hrs, 0 min, 4 sec        | uniq crashes : 11    |
|  last uniq hang : none seen yet                      |   uniq hangs : 0     |
+- cycle progress --------------------+- map coverage -+----------------------+
|  now processing : 55 (98.21%)       |    map density : 0.07% / 0.11%        |
| paths timed out : 0 (0.00%)         | count coverage : 1.83 bits/tuple      |
+- stage progress --------------------+ findings in depth --------------------+
|  now trying : arith 8\8             | favored paths : 25 (44.64%)           |
| stage execs : 10.3k/74.7k (13.73%)  |  new edges on : 31 (55.36%)           |
| total execs : 762k                  | total crashes : 149 (11 unique)       |
|  exec speed : 20.9k/sec             |  total tmouts : 0 (0 unique)          |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
|   bit flips : 4/40.7k, 3/40.6k, 0/40.5k             |    levels : 6         |
|  byte flips : 0/5082, 0/3541, 0/3454                |   pending : 6         |
| arithmetics : 0/138k, 0/25.4k, 0/9088               |  pend fav : 1         |
|  known ints : 4/13.6k, 0/76.6k, 0/91.6k             | own finds : 55        |
|  dictionary : 0/0, 0/0, 0/14.5k                     |  imported : n/a       |
|       havoc : 53/177k, 2/68.6k                      | stability : 95.83%    |
|        trim : 3.83%/2238, 28.46%                    +-----------------------+
^C----------------------------------------------------+   [cpu000001:   4%]

NOTE: Sometimes crashes may be perceived by AFL as hangs. This can be due to a number of reasons:

There’s a post mortem debugger present
WER is dropping crash dumps and that’s taking time
Program is crashing but default timeout too short, usually comes with warnings like nudge operation failed because the program has exited just as WinAFL instructs drconfig to kill it
Edge case bugs in WinAFL

I suggest disabling all system-wide error reporting software, as well as any JIT/post mortem debuggers.

If you see too many hangs, consider increasing the timeout value.

Crash Analysis

AFL has two minimization tools available. afl-cmin minimizes the number of files in the corpus by grouping together files that exercise similar tuples (see the previous post for more details). afl-tmin minimizes an individual testcase by removing blocks of data or replacing them with 0s (again, see the previous post).

afl-cmin is usually used in pre fuzzing steps. Before fuzzing an image parser for example, you may scrape the web for thousands of images as corpuses. Running afl-cmin on the corpuses will return a minimized set of corpuses that allows you to still exercise all tuples that the thousands would have. You can also use it to minimize testcases in out\queue to prepare for post fuzz coverage analysis.

In our case however, we’ll use afl-tmin.

"<afl path>\afl-tmin.exe" -D <dynamorio build path>\bin64 -i "out\crashes\id_000000_00_EXCEPTION_ACCESS_VIOLATION" -o minimized -- -coverage_module harness.exe -coverage_module stringhelper.dll -target_module harness.exe -target_offset 0x1090 -nargs 3 -- harness.exe -f @@

The arguments are essentially identical, just change delivery method from shared memory to file.

$ xxd out/crashes/id_000000_00_EXCEPTION_ACCESS_VIOLATION
00000000: 3687 6841 3b41 4243 415e 5868 4b10 4b6c  6.hA;ABCA^XhK.Kl

$ xxd minimized
00000000: 4142 43                                  ABC

For the scope of this toy, afl-tmin worked like a charm, reducing the initial convoluted testcase into a concise and straightforward trigger.

Coverage Analysis

What’s fuzzing if we don’t check coverage?

If you use IDA or Binary Ninja, the Lighthouse https://github.com/gaasedelen/lighthouse plugin is well tested and works amazingly.

In the unfortunate case where you have access to neither, you can use Ghidra with the dragondance plugin https://github.com/0ffffffffh/dragondance

First we use afl-cmin to compress the testcases in the out\queue directory. These testcases are meant to explore all the paths that AFL has ventured down so far.

python "<winafl install path>\winafl-cmin.py" -i out -o minset --crash-dir minset\ --hang-dir minset\ -D <dynamorio install path>\build\bin64 -t 100000 -coverage_module harness.exe -coverage_module stringhelper.dll -target_module harness.exe -target_offset 0x1090 -nargs 3 -- harness.exe -f @@

This will compress all testcases into new directory minset, including crashes and hangs since we’re doing post fuzz analysis.

We’ll run drrun on every testcase, generating multiple log files.

To run on a specific testcase:

<dynamorio path>\bin64\drrun.exe -t drcov -logdir logs -- harness.exe -f minset\id_00_id_000000

This will produce as many log files as the number of testcases you have.

At time of writing, dragondance does not allow you to import a directory of log files, so we have to either add every file manually using the GUI, or merge the log files into one.

I adapted https://github.com/vanhauser-thc ‘s drcov-merge script for Linux such that it works for Windows.

#include <stdio.h>
#include <Windows.h>
#include <string.h>

/* Capacity of the in-memory basic-block table, in entries. Parenthesised so
 * the product survives being placed next to /, % or other operators. */
#define MAX_ENTRIES (128000 * 1000)

/* One basic-block record. main() copies these out of each input log in
 * sizeof(bb_entry_t)-byte units, compares them bytewise when -u is given, and
 * writes them back out unchanged. */
typedef struct _bb_entry_t {
    DWORD start; /* offset of bb start from the image base */
    WORD size;   /* presumably the block's length in bytes -- confirm against the drcov format */
    WORD mod_id; /* presumably identifies the module containing the block -- confirm against the drcov format */
} bb_entry_t;

int main(int argc, char *argv[]) {
  bb_entry_t bb;
  BYTE   *header = NULL, *data, *ptr, text[64], unique = 0;
  DWORD   header_len, idx = 2, off, s = sizeof(bb_entry_t), start, count, added, i;
  DWORD   entries = 0;
  HANDLE  cur, curmapping, out;
  LPVOID  mapbase;
  DWORD   cursz, written;
  
  if (argc > 1 && strcmp(argv[1], "-u") == 0) {
    unique = 1;
    argv++;
    argc--;
  }
  
  bb_entry_t *bbs = VirtualAlloc(NULL, MAX_ENTRIES * sizeof(bb_entry_t), MEM_COMMIT, PAGE_READWRITE);


  if (argc < 4 || strncmp(argv[1], "-h", 2) == 0) {
    printf("Syntax: %s [-u] drcov.log drcov.1,log drcov.2.log drcov.3.log ...\n", argv[0]);
    puts("Merges all drcov logs to the first specified filename");
    puts("Option -u uniques the basic block information");
    VirtualFree(bbs, MAX_ENTRIES * sizeof(bb_entry_t), MEM_RELEASE);
    return 0;
  }

  if ((out = CreateFileA(argv[1], GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL)) == INVALID_HANDLE_VALUE) {
    printf("Error creating file : 0x%08X\n", GetLastError());
    VirtualFree(bbs, MAX_ENTRIES * sizeof(bb_entry_t), MEM_RELEASE);
    return 0;
  }

  while (idx < argc) {
    if ((cur = CreateFileA(argv[idx], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL)) == INVALID_HANDLE_VALUE) {
      printf("Error opening file %s : 0x%08X\n", argv[idx], GetLastError());
      goto next;
    }

    cursz = GetFileSize(cur, NULL);
    if (!cursz) {
        printf("File %s is empty?", argv[idx]);
        CloseHandle(cur);
        goto next;
    }

    if ((curmapping = CreateFileMappingA(cur, NULL, PAGE_READONLY | SEC_COMMIT, 0, 0, "CurMap")) == NULL) {
        printf("Error creating map of file %s : 0x%08X\n", argv[idx], GetLastError());
        CloseHandle(cur);
        goto next;
    }

    if ((data= MapViewOfFile(curmapping, FILE_MAP_READ, 0, 0, 0)) == NULL) {
        printf("Error mapping file %s : 0x%08X\n", argv[idx], GetLastError());
        CloseHandle(curmapping);
        CloseHandle(cur);
        goto next;
    }

    if ((ptr = strstr(data, "BB Table: ")) == NULL) {
      printf("%s: no drcov header\n", argv[idx]);
      goto unmap; 
    }

    off = ptr - data;
    if (!header) {
      if ((header = malloc(off)) == NULL) {
        puts("Malloc fail... exiting");
        UnmapViewOfFile(data);
        CloseHandle(curmapping);
        CloseHandle(cur);
        CloseHandle(out);
        VirtualFree(bbs, MAX_ENTRIES * sizeof(bb_entry_t), MEM_RELEASE);
        return 0;
      }
      memcpy(header, data, off);
      WriteFile(out, header, off, &written, NULL);
      header_len = off;
    } else {
      if (memcmp(header, data, header_len > off ? header_len : off) != 0) {
        printf("%s: different drcov header, maybe issue?\n", argv[idx]);
        //goto unmap;
      }
    }

    while (*ptr != '\n' && ptr - data < cursz) ++ptr;
    if (*ptr != '\n')  {
      printf("%s: no drcov header\n", argv[idx]);
      goto unmap; 
    } else {
      ++ptr;
    }

    printf("Processing %s (%lu bytes) ... ", argv[idx], cursz);
    
    start = ptr - data;    
    count = 0;
    added = 0;

    while (cursz - start >= s) {
      int found = 0;
      if (unique)
        for (i = 0; i < entries && !found; ++i)
          if (memcmp(&bbs[i], data + start, s) == 0) found = 1;
      if (!found) {
        if (entries >= MAX_ENTRIES) {
          fprintf(stderr, "MapFull!\n");
        } else {
          memcpy(&bbs[entries++], data + start, s);
          ++added;
        }
      }
      start += s;
      ++count;
    }

    printf("%u entries, %u new\n", count, added);

unmap:  
    UnmapViewOfFile(data);
    CloseHandle(curmapping);
    CloseHandle(cur);

next:
    ++idx;
 }

  sprintf(text, "BB Table: %u bbs\n", entries);
  WriteFile(out, text, strlen(text), &written, NULL);
  
  printf("Writing %u entries into %s\n", entries, argv[1]);

  for (i = 0; i < entries; ++i)
    WriteFile(out, &bbs[i], s, &written, NULL);

  printf("Done.\n");

  CloseHandle(out);
  free(header);
  VirtualFree(bbs, MAX_ENTRIES * sizeof(bb_entry_t), MEM_RELEASE);
  return 0; 
}

We can also script the whole workflow using python.

import os, sys
import subprocess

# Usage: x.py <testcases dir> <output dir>
# Copy all testcases into the testcase dir beforehand.
#
# Runs drcov once per testcase, writing the logs into <output dir>, then merges
# every log in that directory into <output dir>\merged.log.

# Adjust these two paths to your own DynamoRIO and drcov-merge builds.
DRRUN = r"C:\Users\chenl\Desktop\hacking\winafl\dynamorio\build\bin64\drrun.exe"
DRCOV_MERGE = r"C:\Users\chenl\Desktop\hacking\winafl\drcov-merge-main\drcov-merge.exe"

if len(sys.argv) != 3:
    sys.exit(f"Usage: {sys.argv[0]} <testcases dir> <output dir>")

testcase_dir, log_dir = sys.argv[1], sys.argv[2]

# Re-running against an existing output directory is allowed; note that any
# logs already in it will be merged as well.
os.makedirs(log_dir, exist_ok=True)

for file in os.listdir(testcase_dir):
    if "bitmap" in file or "stats" in file:
        continue
    # Argument lists (rather than one shell string) keep paths containing
    # spaces or shell metacharacters intact.
    subprocess.run([DRRUN, "-t", "drcov", "-logdir", log_dir, "--",
                    "harness.exe", "-f", os.path.join(testcase_dir, file)])

os.chdir(log_dir)
# drcov-merge creates its output with CREATE_NEW, so a stale result must go first.
if os.path.exists("merged.log"):
    os.remove("merged.log")
logs = [name for name in os.listdir() if name != "merged.log"]
subprocess.run([DRCOV_MERGE, "merged.log", *logs])

The final merged logs file will be called merged.log, which we can import into dragondance conveniently.

The flow graph on the left side is our small StringSpaceToComma function. The darker the colour, the more times the basic block was executed.

Almost all our blocks were covered, apart from the one involved in the check for a null pointer, which our harness made sure to not pass in. Neat!

It is important to note that unlike Symbolic Execution, the goal of Fuzz Testing is not to attain maximum coverage after execution. Instead, we should be going for maximum coverage in our testcases BEFORE execution, so our mutated values can taint a larger area of code.

Test2

Enough with toy binaries. Let’s move on to a production software, KeePassXC https://github.com/keepassxreboot/keepassxc

KeePassXC is an open source, community driven fork of KeePass, a password manager.

I chose KeePassXC as a target because it’s easy to fuzz(open source), highly used(15k stars) and quite complicated.

In this post we will be fuzzing the database unlock function, which includes parsing the kdbx database.

The better way to target such a program is to compile it on Linux and use AFL++, given its open source, cross platform nature. However I’m just here to have fun so WinAFL dumb mode it is.

Building

Building KeePassXC from source(on Windows) is honestly painful. The docs are terrible and shit keeps happening.

You can try to follow the official wiki:

https://github.com/keepassxreboot/keepassxc/blob/develop/INSTALL.md

and come back here if you struggle.

I assume you have Visual Studio installed.

1. Install ruby and asciidoctor

Install ruby and asciidoctor following instructions on https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows

You might face an error when running gem that reports something like UndefinedConversionError.

Comment out the line

LOCALE = Encoding.find(Encoding.locale_charmap)

in <install path>\lib\ruby\3.2.0\win32 and change it to

LOCALE = Encoding::UTF_8

2. Download vcpkg

Download and unzip the pre-built vcpkg export by following link on https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows

3. Download KeePassXC source

https://keepassxc.org/download/#source

4. Configure cmake

Open up x64 Native Tools Command Prompt

1
2
3

mkdir build && cd build

cmake -DWITH_XC_AUTOTYPE=OFF -DWITH_XC_ALL=OFF -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=<your download path>\vcpkg-export-20221023-161021\installed\x64-windows\share\cmake\Qt5\ -DCMAKE_TOOLCHAIN_FILE=<your download path>\vcpkg-export-20221023-161021\scripts\buildsystems\vcpkg.cmake -DCMAKE_PREFIX_PATH=<your download path>\vcpkg-export-20221023-161021\installed\x64-windows ..

We turn all extra features off since we’re not targeting them.

Harnessing

The initial plan was to load up the dll responsible for unlocking the database and extract the functions out to fuzz. Unfortunately for KeePassXC, the processing functions are compiled into the exe itself, so we can’t do that unless we fix relocations first.

The good news is that KeePassXC comes with a command line version, which we can easily modify to make it a harness.

keepassxc-cli database open flow

cli\keepassxc-cli.cpp

int main(int argc, char** argv)
{
    ...

    QCoreApplication app(argc, argv);
    QCoreApplication::setApplicationVersion(KEEPASSXC_VERSION);

    Bootstrap::bootstrap();
    Utils::setDefaultTextStreams();
    Commands::setupCommands(false);

    auto& out = Utils::STDOUT;
    auto& err = Utils::STDERR;

    QStringList arguments;
    for (int i = 0; i < argc; ++i) {
        arguments << QString(argv[i]);
    }
    QCommandLineParser parser;

    ...

    QString commandName = parser.positionalArguments().at(0);
    if (commandName == "open") {
        return enterInteractiveMode(arguments);
    }

    auto command = Commands::getCommand(commandName);
    if (!command) {
        err << QObject::tr("Invalid command %1.").arg(commandName) << endl;
        err << parser.helpText();
        return EXIT_FAILURE;
    }

    ...

    return exitCode;
}

The cli main function initializes some QT library functions and IO streams. It then calls into enterInteractiveMode if we choose to open a database.

int enterInteractiveMode(const QStringList& arguments)
{
    auto& err = Utils::STDERR;
    // Replace command list with interactive version
    Commands::setupCommands(true);

    Open openCmd;
    QStringList openArgs(arguments);
    openArgs.removeFirst();
    if (openCmd.execute(openArgs) != EXIT_SUCCESS) {
        return EXIT_FAILURE;
    };

    ...

    return EXIT_SUCCESS;
}

This function initializes an Open class, and passes the execute method our arguments.

Open.cpp

// Resets currentDatabase, then hands the unchanged argument list to
// DatabaseCommand::execute and returns its result.
int Open::execute(const QStringList& arguments)
{
    currentDatabase.reset(nullptr);
    return this->DatabaseCommand::execute(arguments);
}

Just forwards the arguments to DatabaseCommand::execute.

DatabaseCommand.cpp

int DatabaseCommand::execute(const QStringList& arguments)
{
    QStringList amendedArgs(arguments);
    if (currentDatabase) {
        amendedArgs.insert(1, currentDatabase->filePath());
    }
    QSharedPointer<QCommandLineParser> parser = getCommandLineParser(amendedArgs);

    if (parser.isNull()) {
        return EXIT_FAILURE;
    }

    QStringList args = parser->positionalArguments();
    auto db = currentDatabase;
    if (!db) {
        // It would be nice to update currentDatabase here, but the CLI tests frequently
        // re-use Command objects to exercise non-interactive behavior. Updating the current
        // database confuses these tests. Because of this, we leave it up to the interactive
        // mode implementation in the main command loop to update currentDatabase
        // (see keepassxc-cli.cpp).
        db = Utils::unlockDatabase(args.at(0),
  
        ...
}

Check if we already have a database open. If not pass arguments to unlockDatabase.

Utils.cpp

QSharedPointer<Database> unlockDatabase(const QString& databaseFilename,
                                            bool isPasswordProtected,
                                            const QString& keyFilename,
                                            const QString& yubiKeySlot,
                                            bool quiet)
    {
        auto& err = quiet ? DEVNULL : STDERR;
        auto compositeKey = QSharedPointer<CompositeKey>::create();

        QFileInfo dbFileInfo(databaseFilename);

        ...

        if (!dbFileInfo.isReadable()) {
            err << QObject::tr("Failed to open database file %1: not readable").arg(databaseFilename) << endl;
            return {};
        }

        if (isPasswordProtected) {
            err << QObject::tr("Enter password to unlock %1: ").arg(databaseFilename) << flush;
            QString line = Utils::getPassword(quiet);
            auto passwordKey = QSharedPointer<PasswordKey>::create();
            passwordKey->setPassword(line);
            compositeKey->addKey(passwordKey);
        }

        ...

        auto db = QSharedPointer<Database>::create();
        QString error;
        if (db->open(databaseFilename, compositeKey, &error)) {
            return db;
        } else {
            err << error << endl;
            return {};
        }
    }

This prompts us to input a password or a key file, then invokes the core database open function.

At this stage, it’s quite obvious that we can make a fuzz function that simply constructs a call to db->open, skipping all the abstraction.

modified keepassxc-cli.cpp:

// Fuzz target: creates a fresh Database and tries to open `databaseFilename`
// with `compositeKey`.
//
// Returns 1 when the database opens. Otherwise the error text produced by
// open() is written to `err` and 0 is returned.
__declspec(noinline) int fuzz(const QString& databaseFilename, QSharedPointer<CompositeKey>& compositeKey, QTextStream& err)
{
    auto db = QSharedPointer<Database>::create();
    QString error;

    if (!db->open(databaseFilename, compositeKey, &error)) {
        err << error << endl;
        return 0;
    }

    return 1;
}

// Harness entry point: keepassxc-cli <database file>
//
// Performs the one-time setup (crypto self-test, Qt application object, text
// streams, a composite key holding the fixed password "hello") and then calls
// fuzz() once on the file named by argv[1].
//
// The process exit code is fuzz()'s return value, i.e. 1 when the database
// opened and 0 when it did not; EXIT_FAILURE is returned for a missing
// argument or a failed crypto self-test.
int main(int argc, char** argv)
{
    // argv[1] is dereferenced below, so refuse to run without it.
    if (argc < 2) {
        qWarning("Usage: %s <database file>", argc > 0 ? argv[0] : "keepassxc-cli");
        return EXIT_FAILURE;
    }

    if (!Crypto::init()) {
        qWarning("Fatal error while testing the cryptographic functions:\n%s", qPrintable(Crypto::errorString()));
        return EXIT_FAILURE;
    }

    QCoreApplication app(argc, argv);
    QCoreApplication::setApplicationVersion(KEEPASSXC_VERSION);

    Utils::setDefaultTextStreams();
    auto& err = Utils::STDERR;

    // Must match the password the seed databases were created with.
    auto compositeKey = QSharedPointer<CompositeKey>::create();
    auto passwordKey = QSharedPointer<PasswordKey>::create();
    passwordKey->setPassword("hello");
    compositeKey->addKey(passwordKey);

    int exitCode = fuzz(QString::fromUtf8(argv[1]), compositeKey, err);

    return exitCode;
}

Build with:

cmake --build . --config Release

Now we can begin fuzzing.

Fuzzing KeePassXC

Create 2 corpuses with the KeePassXC GUI, one version 4.0 and one version 3.1

Choose the shortest decryption time for both and set password as hello.

Now we should have 2 kdbx files as corpuses. Each of them is about 2 KB in size, which is alright for WinAFL.

Unfortunately, running drrun shows an access violation in QtCore.

00007ff8`82d5f759 8b0d99422700    mov     ecx,dword ptr [Qt5Core!QAbstractDeclarativeData::setWidgetParent+0x580 (00007ff8`82fd39f8)]
00007ff8`82d5f75f 65488b042558000000 mov   rax,qword ptr gs:[58h]
00007ff8`82d5f768 41b808000000    mov     r8d,8
00007ff8`82d5f76e 488b14c8        mov     rdx,qword ptr [rax+rcx*8] ds:00000000`00000080=????????????????

The crash happens when the program tries to access TLS. As per discussion in https://groups.google.com/g/DynamoRIO-Users/c/cPv56eXe3t4 , Dynamorio isn’t tested to support Windows 11.

The issue is also stated by Christopher in his research https://www.signal-labs.com/blog/fuzzing-wechats-wxam-parser#:~:text=I%20see%2C%20this%20DLL%20uses%20CRT%20(also%20thread%2Dlocal%20storage)%20%E2%80%94%20this%20causes%20issues%20with%20DynamoRIO%20(which%20I%20was%20using%20with%20WinAFL). , pointing out that TLS operations mess dynamorio up.

At this point, I switched to Windows 10 VM to give it another try.

Actual Fuzzing

In pre_fuzz_handler
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\qt.conf
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\qtlogging.ini
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In post_fuzz_handler
In pre_fuzz_handler
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In post_fuzz_handler
In pre_fuzz_handler
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In post_fuzz_handler
In pre_fuzz_handler
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In post_fuzz_handler
In pre_fuzz_handler
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In OpenFileW, reading \\?\C:\Users\IEUser\Desktop\keepassxc-2.7.4\build\src\cli\Release\in\corpus1.kdbx
In post_fuzz_handler

This time drrun doesn’t complain.

Our initial testcases also successfully exercise part of the code.

Now begin actual fuzzing.

"C:\Users\IEUser\Desktop\winafl\build64\bin\Release\afl-fuzz.exe" -i in -o out -D C:\Users\IEUser\Desktop\dynamorio\build64\bin64 -t 50000 -- -coverage_module keepassxc-cli.exe -fuzz_iterations 5000 -target_module keepassxc-cli.exe -target_offset 0x14450 -nargs 2 -- keepassxc-cli.exe @@

Fast forward 2000000 days

Conclusion

Looking back at the second fuzzing exercise on KeePassXC, it’s evidently not successful.

For some reason I tried to fuzz a target that performs a decryption routine… which is definitely going to be super slow.

I should be digging deeper into the source code by manual analysis, and set persistent mode on the functions that perform parsing of the DB after decryption.

In particular, the xmlReader.readDatabase method:

KeePass2RandomStream randomStream;
    if (!randomStream.init(SymmetricCipher::Salsa20, m_protectedStreamKey)) {
        raiseError(randomStream.errorString());
        return false;
    }

    Q_ASSERT(xmlDevice);

    KdbxXmlReader xmlReader(KeePass2::FILE_VERSION_3_1);
    xmlReader.readDatabase(xmlDevice, db, &randomStream);

Since my main goal is to practise the motion of setting up fuzzing using different frameworks, I shall be forgiven this time :P

(Lorem ipsum dolor sit homework for the reader blah)

WinAFL is also not the most appropriate tool to use against open source, cross-platform code. CodeQL with AFL++ should lead to more promising results in a shorter time.

As for WinAFL itself… I have mixed feelings for the tool.

On one hand it’s pretty easy to use and also has proven results. On the other hand… support is lacking for newer binaries and OS versions. Dynamorio is buggy on Windows 11, and syzygy is also not maintained anymore. Even the original creator released(and maintains) a newer fuzzer that is a superset of WinAFL, called Jackalope(https://github.com/googleprojectzero/Jackalope).

Our exploration with WinAFL will end here, and future posts could be AFL++ reading, Jackalope review or snapshot fuzzing things.