oss-fuzz/infra/experimental/SystemSan
jonathanmetzman a836616877
Delete Symlink Detection from syssan (#10479)
I don't have time to work on it, and deploying it seriously breaks
libfuzzer on CF.
2023-06-07 21:23:57 -04:00
..
PoEs
Makefile
README.md
SystemSan.cpp
inspect_dns.cpp
inspect_dns.h
inspect_utils.cpp
inspect_utils.h
target.cpp
target_dns.cpp
target_file.cpp
vuln.dict

README.md

System Sanitizers

We use ptrace to instrument system calls made by the target program to detect various vulnerabilities.

Command injection

This detector currently works by

  • Checking if execve is called with /tmp/tripwire (which comes from our dictionary).
  • Checking if execve is invoking a shell with invalid syntax. This is likely caused by our input.

Arbitrary file open

TODO: documentation.

Proof of concept

Cleanup

Note this will delete /tmp/tripwire if it exists.

make clean

Run test

Note this will overwrite /tmp/tripwire if it exists.

make test

Look for one of the following lines:

===BUG DETECTED: Shell injection===

which indicates the detection of executing the planted /tmp/tripwire.

===BUG DETECTED: Shell corruption===

which indicates the detection of executing a syntactic erroneous command.

Command injection PoC in Python with pytorch-lightning

With SystemSan, Artheris can detect a shell injection bug in version v1.5.10 of pytorch-lightning.

make pytorch-lightning-1.5.10

Command injection PoC in JavaScript with shell-quote

With SystemSan, Jsfuzz can detect a shell corrpution bug in the latest version (v1.7.3) of shell-quote without any seed.

make node-shell-quote-v1.7.3

This is based on a shell injection exploit report of version v1.7.2 of shell-quote. SystemSan can also discover the same shell injection bug with a corpus file containing:

`:`/tmp/tripwire``:`

Trophies