This can obviously wait until after the current CVE scramble dies down. Below is how Stubman modified ntpd to be afl-friendly. I'm not sure, but I think he modified ntpd to accept UDP "input" from stdin, and created valid initial NTP UDP "packets" as test-case data with which to "seed" afl.
Until lcamtuf brings the network-aware fork of afl into the main tree, something similar to this approach is probably the most forward-compatible one. The other alternative is to use Birdwell's network-aware fork[1], but it has fallen behind the main afl tree. Taking the stdin approach obviously won't exercise any skipped network-specific code paths. It may take some ingenuity to identify the minimum change that keeps the maximum amount of important code exercised. If those minimal changes are turned into a compile-time option, this would enable adding fuzzing to the rolling test suite, perhaps using some of Susan's resources. Such an option would also increase the number of people who could quickly start fuzzing ntpsec. This latter may be a bug or a feature, depending on your perspective. :)

Royce (tychotithonus on IRC)

1. https://github.com/jdbirdwell/afl

---------- Forwarded message ----------
From: Magnus Stubman <mag...@stubman.eu>
Date: Mon, Nov 21, 2016 at 11:32 AM
Subject: [afl-users] CVE-2016-7434 found with AFL.
To: afl-us...@googlegroups.com

Hi guys,

I found CVE-2016-7434, remote pre-auth DoS in the latest version of ntpd, using afl-fuzz by modifying ntpd to accept input from stdin, and then sending it to itself over UDP.

Full writeup: http://dumpco.re/cve-2016-7434/
Relevant sample code of my instrumentation: http://dumpco.re/afl/#43

As can be seen in the asciinema below, I'm fuzzing with above 11k executions per second on a single core with ASAN. Therefore, I believe that rewriting targets to accept testcases from stdin is superior compared to using forks of afl which send packets over the network and employ timeouts to estimate if the target is done processing the testcase.

https://asciinema.org/a/1npswngnfah6m4m0et246e0lr

Michael, thanks for sharing your awesome tool.

Magnus.

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
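An added illustration of the two pieces the thread describes, not Stubman's instrumentation and not code from this list: well-formed NTP packets written out as afl seed test cases, and the harness pattern of reading one test case from stdin and delivering it to the process's own UDP socket so the normal receive path handles it. It assumes the 48-byte NTPv4 header layout, uses an echo on a loopback socket as a stand-in for ntpd (which this example does not contain), and the seed file names are made up.

```python
import os
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800               # seconds from 1900-01-01 to 1970-01-01
NTP_HEADER = struct.Struct("!BBBbIIIQQQQ")  # 48-byte NTPv4 header (RFC 5905 layout)

def to_ntp_timestamp(unix_time: float) -> int:
    """Pack a Unix time into the 64-bit NTP fixed-point timestamp."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac

def build_packet(mode: int, transmit_time: float, version: int = 4) -> bytes:
    """Well-formed seed packet: LI=0, given version and mode (3 = client, 4 = server)."""
    first = (0 << 6) | (version << 3) | mode
    # stratum 0, poll 6, precision -20, root delay/dispersion 0, refid 0,
    # reference/originate/receive timestamps 0, transmit = transmit_time
    return NTP_HEADER.pack(first, 0, 6, -20, 0, 0, 0, 0, 0, 0,
                           to_ntp_timestamp(transmit_time))

def parse_header(pkt: bytes) -> dict:
    """Decode the fields worth checking before a seed goes into the corpus."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    first, stratum, poll, precision, *_, transmit = NTP_HEADER.unpack(pkt[:NTP_HEADER.size])
    return {"li": first >> 6, "vn": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "transmit_unix": (transmit >> 32) - NTP_EPOCH_OFFSET}

def write_seed_corpus(directory: str, packets: dict) -> None:
    """One file per seed, the input-directory layout afl-fuzz -i expects."""
    os.makedirs(directory, exist_ok=True)
    for name, pkt in packets.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(pkt)

def replay_via_loopback(testcase: bytes) -> bytes:
    """Harness pattern: the stdin test case is sent to the process's own UDP socket,
    so the real recvfrom()/parse path runs on it and no completion timeout is needed.
    The echo stands in for the daemon; single datagrams only (<= 65507 bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(1.0)
        sock.sendto(testcase, sock.getsockname())
        data, _ = sock.recvfrom(65535)
    return data

if __name__ == "__main__":  # usage: python harness.py < testcase
    print(parse_header(replay_via_loopback(sys.stdin.buffer.read())))
```

To build a starting corpus, call `write_seed_corpus("seeds", {"client_v4": build_packet(3, time.time()), "server_v4": build_packet(4, time.time())})` (hypothetical names) and point `afl-fuzz -i seeds` at it.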