
Finding-exploits-in-HDF5

The Hierarchical Data Format version 5 (HDF5) is an open source file format for large datasets used in scientific fields.

Download HDF5 version 1.14.0

https://portal.hdfgroup.org/display/support/HDF5+1.14.0

Unpack the HDF5 archive (it extracts to a directory named hdf5-1.14.0).

Install build-essential to get the GCC compiler

$ sudo apt install build-essential

Install AFL to get the afl-clang-fast and afl-clang-fast++ compiler wrappers

$ sudo apt-get install afl

cd into the HDF5 directory, point CC and CXX at the AFL compiler wrappers, and build

export CC=/usr/bin/afl-clang-fast
export CXX=/usr/bin/afl-clang-fast++
cd ~/hdf5-1.14.0/
./configure --disable-shared --enable-static-exec && make

In the hdf5-1.14.0 directory, create an in directory for the seed files, an out directory for the fuzzer output, and a corpus directory

cd ~/hdf5-1.14.0/
mkdir in
mkdir corpus
mkdir out

Now prepare the seeds for fuzzing by populating the corpus and in directories with plain_model.h5, a file included in the download that is written in the HDF5 format.

Copy the seed file into the corpus and in directories (run from ~/hdf5-1.14.0/, with plain_model.h5 one level up)

cp ../plain_model.h5 corpus/
cp ../plain_model.h5 in/

Set up environment variables for the fuzzing run

TARGET=~/hdf5-1.14.0/tools/src/h5diff/h5diff
BASE_MODEL=~/hdf5-1.14.0/in/plain_model.h5
IN_DIR=~/hdf5-1.14.0/in
OUT_DIR=~/hdf5-1.14.0/out

Now run afl-fuzz (the @@ placeholder is replaced by the mutated input file on each execution).

afl-fuzz -i $IN_DIR -o $OUT_DIR -M fuzz00 $TARGET $BASE_MODEL @@

Wait a minute or two to collect crashes, then navigate to the directory where afl-fuzz stores them

~/hdf5-1.14.0/out/fuzz00/crashes

Pick a crash file and run it through h5diff the same way it was invoked during fuzzing

~/hdf5-1.14.0/tools/src/h5diff/h5diff ~/hdf5-1.14.0/in/plain_model.h5 ~/hdf5-1.14.0/out/fuzz00/crashes/id:000007,sig:11,src:000000,op:flip1,pos:1088

You should get a segmentation fault. To see where it breaks in the source, run the binary under the gdb debugger after installing it

$ sudo apt-get install gdb

gdb -ex=r --args ~/hdf5-1.14.0/tools/src/h5diff/h5diff  ~/hdf5-1.14.0/in/plain_model.h5 ~/hdf5-1.14.0/out/fuzz00/crashes/id:000007,sig:11,src:000000,op:flip1,pos:1088

Once gdb stops at the crash, enter bt for a backtrace

The backtrace shows the function and line where the application crashed

Next, rebuild with the default gcc (same configure options, no AFL instrumentation) and rerun the crashing input to confirm that the program still crashes; cleaning first ensures the afl-clang-fast objects are not reused

unset CC
unset CXX
cd ~/hdf5-1.14.0/
make clean
./configure --disable-shared --enable-static-exec && make

Rerun the program with the crashing input

~/hdf5-1.14.0/tools/src/h5diff/h5diff ~/hdf5-1.14.0/in/plain_model.h5 ~/hdf5-1.14.0/out/fuzz00/crashes/id:000007,sig:11,src:000000,op:flip1,pos:1088

You should get the same segmentation fault as with the afl-clang-fast build, which confirms the crash is not an artifact of the instrumentation.

You have successfully found a bug in HDF5 using afl-fuzz and are ready to file your first report
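Before filing a report it is worth re-running every file in the crashes directory, not just one, so that the report can say how many distinct crashes the fuzzer found and which signal each one raised. The script below is an added example, not part of this README or of HDF5: it takes the target binary, the seed file and the crashes directory, re-executes each crash input the same way afl-fuzz did (seed first, crash second, exactly like the h5diff invocation above), classifies the result by exit status (a status above 128 means the process was killed by signal status-128), and, when gdb is installed, prints the innermost backtrace frame so crashes can be grouped by location. The script name triage.sh and the TRIAGE_TIMEOUT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original README): triage an AFL crashes/
# directory by re-running each input against the target.
# Assumed target calling convention: TARGET SEED CRASH_FILE (as for h5diff).

# Per-input time limit in seconds (assumed variable name), used when the
# coreutils `timeout` command is available.
TRIAGE_TIMEOUT=${TRIAGE_TIMEOUT:-10}

# Run one input; print "<exit status> <SIGNAME|TIMEOUT|ok>".
run_one() {
    target=$1; seed=$2; input=$3
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TRIAGE_TIMEOUT" "$target" "$seed" "$input" >/dev/null 2>&1 || status=$?
    else
        "$target" "$seed" "$input" >/dev/null 2>&1 || status=$?
    fi
    if [ "$status" -gt 128 ]; then
        # Killed by a signal: the shell reports 128 + signal number.
        echo "$status SIG$(kill -l $((status - 128)))"
    elif [ "$status" -eq 124 ]; then
        # 124 is what `timeout` returns when the limit was hit.
        echo "$status TIMEOUT"
    else
        echo "$status ok"
    fi
}

# Innermost stack frame of the crash, via gdb in batch mode (if installed).
crash_frame() {
    target=$1; seed=$2; input=$3
    if ! command -v gdb >/dev/null 2>&1; then
        echo "(gdb not installed)"
        return 0
    fi
    frame=$(gdb -batch -q -ex run -ex bt --args "$target" "$seed" "$input" \
                </dev/null 2>/dev/null | sed -n '/^#0/{p;q;}')
    if [ -n "$frame" ]; then echo "$frame"; else echo "(no frame)"; fi
}

# Walk the crashes directory and print one line per input plus a summary.
triage_crashes() {
    target=$1; seed=$2; crash_dir=$3
    total=0; crashed=0; hung=0
    for f in "$crash_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # afl-fuzz drops a README.txt into crashes/; it is not an input.
        case $name in README.txt) continue ;; esac
        total=$((total + 1))
        result=$(run_one "$target" "$seed" "$f")
        status=${result%% *}
        kind=${result#* }
        case $kind in
            SIG*)
                crashed=$((crashed + 1))
                echo "$kind $name $(crash_frame "$target" "$seed" "$f")" ;;
            TIMEOUT)
                hung=$((hung + 1))
                echo "HANG $name" ;;
            *)
                echo "NOCRASH $name (exit $status)" ;;
        esac
    done
    echo "SUMMARY total=$total crashed=$crashed hung=$hung"
}

# Usage (assumed script name): sh triage.sh TARGET SEED CRASH_DIR, e.g.
#   sh triage.sh ~/hdf5-1.14.0/tools/src/h5diff/h5diff \
#       ~/hdf5-1.14.0/in/plain_model.h5 ~/hdf5-1.14.0/out/fuzz00/crashes
if [ "$#" -eq 3 ]; then
    triage_crashes "$1" "$2" "$3"
fi
```

Inputs that no longer crash the gcc build show up as NOCRASH, which is exactly the instrumentation-only artifact the rebuild step above is meant to rule out; inputs that crash in both builds with the same innermost frame are very likely the same bug and can be reported together.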