Full Disclosure mailing list archives

Fusil the fuzzer version 0.9 released


From: Victor Stinner <victor.stinner () haypocalc com>
Date: Tue, 8 Jul 2008 22:31:09 +0200

Fusil is not a fuzzer but a toolbox to build your own fuzzer. Tools target 
command line programs running on Linux, but it also works on other UNIX-like and 
BSD systems. There are also some tools to interact with an X11 (graphical) 
application. It's easy to add your own tools to extend Fusil.

Website: http://fusil.hachoir.org/

Fusil is written in Python, based on a multi-agent system and distributed 
under the GNU GPL license.


Tools
=====

Actions:

 * Create a command line, environment variables and a process: create
   temporary working directory, limit memory and kill the process after 
   the timeout
 * Mangle a file: invert some bits, replace bytes, inject byte strings
   (eg. \xFF\xFF), increment a byte, insert or remove bytes, ...
   AutoMangle guesses the best parameters to crash the program but restarts 
   with random operations at each session, whereas IncrMangle injects more
   and more errors (keeping operations)
 * NetworkClient, NetworkServer, (...): tools for network communication
 * HttpServer: a simple HTTP server

Probes:

 * Watch a process's stdout or any log file (eg. /var/log/syslog): search
   for common patterns like "segfault" or "assert", count the number of lines, ...
 * Watch process death: exit with an exit code, killed by a signal, or killed
   because of the timeout?
 * Watch CPU usage of a process
 * Get process execution time
 * AttachProcess: watch a running process (eg. ClamAV daemon)
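As an added illustration (not Fusil's own code), the following Python sketch imitates the mangle operations and the two probes described above: an IncrMangle-style session that keeps adding errors, a stdout probe for crash patterns, and a process-death classifier. The inject strings are a constructed sample set, and the `IncrMangle`, `probe_stdout` and `classify_exit` names here are mine, not Fusil's API.

```python
import random
import re

INJECT_STRINGS = [b"\xff\xff", b"\x00" * 4, b"%s%s%n", b"A" * 64]  # constructed sample set
OPS = ("bit", "replace", "inject", "incr", "insert", "remove")

def mangle(data: bytes, nb_ops: int, rng: random.Random) -> bytes:
    """Apply nb_ops random ops: invert a bit, replace/increment a byte, inject a string, insert/remove a byte."""
    buf = bytearray(data)
    for _ in range(nb_ops):
        if not buf:                      # nothing left to edit: inject something
            buf.extend(rng.choice(INJECT_STRINGS))
            continue
        pos, op = rng.randrange(len(buf)), rng.choice(OPS)
        if op == "bit":
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "replace":
            buf[pos] = rng.randrange(256)
        elif op == "inject":
            s = rng.choice(INJECT_STRINGS)
            buf[pos:pos + len(s)] = s    # overwrite, extending past the end if needed
        elif op == "incr":
            buf[pos] = (buf[pos] + 1) & 0xFF
        elif op == "insert":
            buf.insert(pos, rng.randrange(256))
        else:
            del buf[pos]
    return bytes(buf)

class IncrMangle:
    """Imitation of the IncrMangle idea: each session adds `step` more errors than the last."""
    def __init__(self, data: bytes, step: int = 1, seed: int = 0):
        self.data, self.step, self.errors = data, step, 0
        self.rng = random.Random(seed)   # seeded so a crashing session can be replayed

    def next_session(self) -> bytes:
        self.errors += self.step
        return mangle(self.data, self.errors, self.rng)

CRASH_RE = re.compile(rb"segfault|segmentation fault|assert", re.IGNORECASE)

def probe_stdout(output: bytes):
    """Probe: return the crash pattern found in process output, else None."""
    m = CRASH_RE.search(output)
    return m.group(0).lower() if m else None

def classify_exit(returncode, timed_out: bool) -> str:
    """Probe: timeout, killed by a signal (subprocess reports it as -N) or a plain exit code."""
    if timed_out:
        return "timeout"
    return ("signal %d" % -returncode) if returncode < 0 else ("exit code %d" % returncode)
```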


Scenario
========

Fusil is not hardcoded; you describe your own scenario. Something like:
 * mangle a file
 * create a process
 * watch a process
 * watch process stdout

You can start multiple processes, watch multiple processes, chain actions as 
you want. Another scenario example:
 * start a web server
 * generate N mangled images (or any HTML embedded file: video, flash, ...)
 * start Firefox with the right URL
 * watch Firefox process
 * send F5 key to switch to the new session


Common features
===============

Fusil has features common to all fuzzers:
 * create a directory to store all generated files (by the fuzzer but 
   also maybe by the target process)
 * keep the directory on success, otherwise remove all generated 
   files and directories 
 * log all actions into a main log file but all session actions in a 
   dedicated log file (eg. run-0001/project.log and
   run-0001/session-0001/session.log)
 * loop until we get N crashes (default: N=5): sleep between two sessions
   until system load is above a limit (default: 50%) to avoid false positives
   (eg. timeout of the target because of a cronjob)
 * limit process memory to get malloc(-1) error without using all memory


Projects
========

Existing Fusil "projects":

 * Real world project:
   - PHP / Python: generate random function calls (and also method calls
     for Python)
   - ClamAV: already found cool bugs (eat all CPU and memory of the daemon)
   - gstreamer / mplayer: have fun ;-)
   - identify: ImageMagick identify or convert commands
   - firefox: test the Firefox image parser, flash plugin, etc.
   - poppler: PDF library of Kpdf and Gnome
   - libexif: JPEG EXIF

 * Old projects (simple examples)
   - gettext: demo to prove that gettext is unsafe
   - libc_printf: printf() of your C library (yes, it crashes)
   - xterm: doesn't like a long PATH environment variable
   - vim: old versions of vim crash with

Other projects are available but don't work: linux_syscall, libc_env, mysql, 
linux_proc, linux_ioctl, rpm, ...

Incomplete list of crashed programs, CVE, and bug reports:
   http://fusil.hachoir.org/trac/wiki/CrashList

I just tested CPython: I quickly found 14 bugs ;-)

-- 
Victor Stinner aka haypo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
