what is fuzzing

 <tihmstar> well basicall fuzzing is inputting maltious requests to a ?"process"? ?"parser"?

10:02 <tihmstar> the fuzzing we do is modifying a mov file

10:02 <tihmstar> then we try to open the mov file in mobileSafari hoping it will crash

10:02 <JBUni> because of the JIT compiler, right?

10:03 <tihmstar> by "fuzzing a file" we (at least i) mean modifying a file, basically randomly changing some bits

10:03 <tihmstar> *bytes

10:04 <JBUni> right, i get this

10:04 <tihmstar> we have a tool called zzuf which modifys the file for you, but since obvously there is a very low change to make MSafari crash by modifying some bytes we need to do it again and again

10:04 <tihmstar> therefore smart people around here (me included :P ) createt scripts/tools to automate this process

10:05 <tihmstar> all tools are a bit different

10:05 <JBUni>  i have a question about that, actually

10:05 <tihmstar> ok just ask

10:06 <JBUni> is it possible to insert syscalls in the form of hex, and have the kernel read those and redirect to a different part of memory, etc?

10:06 <JBUni> instead of just random bytes

10:06 <tihmstar> to the mov parser?

10:06 <JBUni> yeah

10:06 <tihmstar> well that's more of a exploit

10:07 <tihmstar> first you need to know if there is a bug and how to trigger it

10:07 <JBUni> ah, and to do that, we need to find out where the parser breaks, right?

10:07 <JBUni> okay

10:07 <JBUni> gotcha

10:07 <tihmstar> then you can start looking at the bug hoping you can let it do something more like just crasjing the process, like inserting malcious code

10:07  → sock__ (was sock__-) joined  ⇐ sock__ quit  

10:08 <JBUni> hmmm

10:08 <tihmstar> looking at fuzzycactus for example: you give it a mov file and it automatically does following things in a loop (until the device crashes): creates a fuzzed file with zzuf, opens that file in mobilesafari, waits some time, kills safari and the loop starts from beginning obviuosly the new fuzzed file is different than the one before

10:09 <JBUni> but with a program that runs randomly like this, you're unable to keep proper track of which bugs happened

10:09 <JBUni> isn't it better to manually fuzz files?

10:09 <tihmstar> no ...

10:10 <JBUni> hmm... ok..

10:10 <tihmstar> fuzzycactus also looks for crashes and copies them into a dir

10:10 <JBUni> so we are only interested in crash logs?

10:10 <tihmstar> no ...

10:10 — JBUni facepalms

10:10 <JBUni> ok, i'll be quite, please go on

10:11 <JBUni> quiet*\

10:11 <tihmstar> it also pairs the crash to the mov file caused the crash and to the parameters were sent to zzuf to be able to recreate the file (which you actually don't need since it also copies you the fuzzed file to the dir)

10:11 <tihmstar> if you have a really good crash we are interested in your fuzzed mov file AND your original file

10:12 <tihmstar> in this case send both files and the crashlog to crakun (i think his mail was crakun@m0bdev.com but im not quite sure)

10:12 <JBUni> yeah, i know his email

10:12 <tihmstar> any questions?