{"id":28758893,"url":"https://github.com/lucadibello/tmux-fuzzing","last_synced_at":"2026-01-31T18:32:16.832Z","repository":{"id":293629075,"uuid":"984631760","full_name":"lucadibello/tmux-fuzzing","owner":"lucadibello","description":"Enhanced fuzzing for tmux using OSS-Fuzz. Includes custom `cmd-fuzzer` and `argument-fuzzer` harnesses for improved code coverage and a PoC for `CVE-2020-27347`","archived":false,"fork":false,"pushed_at":"2025-05-16T12:09:53.000Z","size":75305,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-17T04:42:51.306Z","etag":null,"topics":["cve-2020-27347","exploit-development","fuzzing","oss-fuzz","security","software-security","tmux","vulnerability-analysis"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lucadibello.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-16T08:46:17.000Z","updated_at":"2025-05-18T10:45:57.000Z","dependencies_parsed_at":"2025-05-16T10:38:07.890Z","dependency_job_id":null,"html_url":"https://github.com/lucadibello/tmux-fuzzing","commit_stats":null,"previous_names":["lucadibello/tmux-fuzzing"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/lucadibello/tmux-fuzzing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadibello%2Ftmux-fuzzing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadibello%2Ftmux-fuzzing/tags","releases_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/lucadibello%2Ftmux-fuzzing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadibello%2Ftmux-fuzzing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lucadibello","download_url":"https://codeload.github.com/lucadibello/tmux-fuzzing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadibello%2Ftmux-fuzzing/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28949395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T18:30:42.805Z","status":"ssl_error","status_checked_at":"2026-01-31T18:30:19.593Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2020-27347","exploit-development","fuzzing","oss-fuzz","security","software-security","tmux","vulnerability-analysis"],"created_at":"2025-06-17T04:40:06.460Z","updated_at":"2026-01-31T18:32:16.814Z","avatar_url":"https://github.com/lucadibello.png","language":"HTML","readme":"# Fuzzing Lab: Enhancing Fuzzing for tmux\n\n\u003e Software Security @ EPFL, Spring 2025\n\n## Abstract\n\nIn this lab, we enhanced the fuzzing efforts for the `tmux` terminal multiplexer within Google's OSS-Fuzz infrastructure. 
We first established a baseline by evaluating the line coverage of the existing `input-fuzzer` harness, both with and without its provided seed corpus, noting comparable initial coverage. Following this, we identified two significant code regions in `tmux` poorly exercised by the baseline fuzzer. To address these coverage gaps, we developed and evaluated two new targeted fuzzing harnesses, `cmd-fuzzer` and `argument-fuzzer`, demonstrating their ability to improve coverage in these previously under-tested areas. As these fuzzing improvements did not uncover new critical vulnerabilities within the project's timeframe, our crash analysis focused on a known historical vulnerability. We developed a proof-of-concept (PoC) for CVE-2020-27347 (a stack-based buffer overflow), analyzed its root cause, discussed the implemented fix, and assessed its security implications.\n\n## Project Overview and Goals\n\nThis project aimed to apply and enhance fuzzing techniques on the `tmux` open-source terminal multiplexer, utilizing the OSS-Fuzz framework. The project encompassed several key stages:\n\n1. **Baseline Evaluation (Part 1):**\n\n   - Understand and evaluate the existing `input-fuzzer` harness for `tmux`.\n   - Compare its code coverage performance when run with its default seed corpus versus an empty seed corpus.\n\n2. **Coverage Gap Analysis (Part 2):**\n\n   - Analyze coverage reports from Part 1 to identify significant code regions in `tmux` not adequately exercised by the `input-fuzzer`.\n   - Focus on argument parsing (`arguments.c`) and command parsing/execution logic (`cmd-parse.c`, `cmd-*.c` modules) as key areas for improvement.\n\n3. 
**Fuzzer Improvement (Part 3):**\n\n   - Develop two new, targeted fuzzing harnesses:\n     - `argument-fuzzer`: Specifically designed to test the command-line argument parsing logic in `arguments.c`.\n     - `cmd-fuzzer`: Designed to test the command parsing and execution pathways, targeting `cmd-parse.c` and various `cmd-*.c` modules.\n   - Evaluate the effectiveness of these new harnesses by measuring their achieved code coverage and comparing it against the baseline.\n\n4. **Crash Analysis (Part 4):**\n   - Since no new critical vulnerabilities were discovered by the improved fuzzers within the project's timeframe, a known, pre-existing vulnerability in `tmux` (CVE-2020-27347) was selected for in-depth analysis.\n   - This involved developing a Proof of Concept (PoC) to reproduce the crash, analyzing its root cause, understanding the applied fix, and assessing its security implications.\n\n## Repository Structure\n\nThe final submission is organized as follows (within the `submission/` directory):\n\n```text\nsubmission/\n├── README.md                   # This file\n├── part_1/                     # Files for Part 1: Baseline Evaluation\n│   ├── oss-fuzz.diff           # Diff for removing seed corpus for input-fuzzer\n│   ├── project.diff            # (Likely empty or minor for Part 1)\n│   ├── remove_seed_corpus.patch # The actual patch file used\n│   ├── report/                 # HTML Coverage reports for input-fuzzer\n│   │   ├── w_corpus/\n│   │   └── wo_corpus/\n│   ├── run.w_corpus.sh         # Script to run input-fuzzer with corpus\n│   └── run.wo_corpus.sh        # Script to run input-fuzzer without corpus\n├── part_3/                     # Files for Part 3: Fuzzer Improvements\n│   ├── coverage_noimprove/     # Baseline coverage (e.g., from input-fuzzer without corpus)\n│   │   └── ...\n│   ├── improve1/               # Improvement 1: argument-fuzzer\n│   │   ├── coverage_improve1/  # Coverage report for argument-fuzzer\n│   │   ├── oss-fuzz.diff       
# OSS-Fuzz config changes for argument-fuzzer\n│   │   ├── project.diff        # Tmux changes for argument-fuzzer (e.g., new .cc, Makefile.am)\n│   │   └── run.improve1.sh     # Script to run argument-fuzzer\n│   └── improve2/               # Improvement 2: cmd-fuzzer\n│       ├── coverage_improve2/  # Coverage report for cmd-fuzzer\n│       ├── oss-fuzz.diff       # OSS-Fuzz config changes for cmd-fuzzer\n│       ├── project.diff        # Tmux changes for cmd-fuzzer\n│       └── run.improve2.sh     # Script to run cmd-fuzzer\n├── part_4/                     # Files for Part 4: Crash Analysis (CVE-2020-27347)\n│   ├── environment/            # Docker environment for PoC\n│   │   ├── Dockerfile\n│   │   ├── run_tmux_cve_test.sh # Core PoC test logic\n│   │   ├── test_fixed.sh\n│   │   └── test_vulnerable.sh\n│   └── run.poc.sh              # Script to build Docker image and run PoC tests\n└── report.pdf                  # The comprehensive project report\n```\n\n_(Note: The `scripts/` directory containing `_run_fuzz_core.sh` is a helper and would be part of the root if this README is at the true project root alongside `submission/`)_\n\n## Setup and Usage\n\nAll fuzzing campaigns and the CVE PoC reproduction are designed to be run within Docker environments orchestrated by shell scripts.\n\n**Prerequisites:**\n\n- Docker installed and running on a Unix-like system.\n- `bash` shell and `git` client.\n- SSH keys configured for `git@github.com` if the scripts need to clone `oss-fuzz` (they attempt to clone if `oss-fuzz/` is not found in the project root). 
Alternatively, you can pre-clone `https://github.com/google/oss-fuzz.git` into the project root.\n\n**General Scripting Architecture:**\nThe project uses a centralized core script, `scripts/_run_fuzz_core.sh` (not included in the `submission/` directory but part of the overall project structure this README assumes). Individual runner scripts located in `submission/part_1/`, `submission/part_3/improve1/`, `submission/part_3/improve2/`, and `submission/part_4/` are responsible for:\n\n1. Setting up the specific test environment by applying run-specific `oss-fuzz.diff` patches to a clean checkout of the `oss-fuzz` repository (expected to be at `../../oss-fuzz` relative to most runner scripts).\n2. Exporting configuration variables (like `PROJECT`, `HARNESS`, `LABEL`, paths to project-specific patches, and output directories).\n3. Invoking the `_run_fuzz_core.sh` script, which then handles:\n   - Applying an optional project-level patch (e.g., to add new fuzzer sources to `tmux`).\n   - Building the OSS-Fuzz Docker image (if flagged).\n   - Building the specified fuzzer(s) with the chosen sanitizer.\n   - Executing the fuzzer for the configured duration (typically 4 hours).\n   - Generating and exporting corpus and HTML coverage reports to the designated locations within the `submission/` directory structure.\n\n**Running the Scripts:**\nIt's generally recommended to execute the runner scripts from the project's root directory to ensure correct relative path resolution for `oss-fuzz/` and output directories.\n\n**1. 
Part 1: Baseline Evaluation (`input-fuzzer`)**\nThese scripts evaluate the existing `input-fuzzer` for `tmux`.\n\n```bash\n# From the project root directory:\n./submission/part_1/run.w_corpus.sh  # Run input-fuzzer with default seed corpus\n./submission/part_1/run.wo_corpus.sh # Run input-fuzzer without seed corpus\n```\n\n`run.w_corpus.sh` uses the default `tmux` build behavior regarding seeds.\n`run.wo_corpus.sh` applies `submission/part_1/remove_seed_corpus.patch` (via its local `oss-fuzz.diff`, which either calls out to this patch or integrates its changes) to `oss-fuzz/projects/tmux/build.sh` to ensure no initial seed corpus is used. Coverage reports are exported to `submission/part_1/report/w_corpus/` and `submission/part_1/report/wo_corpus/` respectively.\n\n**2. Part 3: Fuzzer Improvements (`argument-fuzzer`, `cmd-fuzzer`)**\n\n- **Improvement 1 (argument-fuzzer)**: Targets `arguments.c`.\n\n  ```bash\n  # From the project root directory:\n  ./submission/part_3/improve1/run.improve1.sh\n  ```\n\n- **Improvement 2 (cmd-fuzzer)**: Targets `cmd-parse.c` and command execution.\n\n  ```bash\n  # From the project root directory:\n  ./submission/part_3/improve2/run.improve2.sh\n  ```\n\nEach `run.improveX.sh` script applies its local `oss-fuzz.diff` and sets `PROJECT_PATCH_FILE` to its local `project.diff` (which adds the new fuzzer code to tmux and updates `Makefile.am`). Coverage reports are exported to the respective `submission/part_3/improveX/coverage_improveX/` directories. The `submission/part_3/coverage_noimprove/` directory contains baseline coverage from Part 1 for comparison.\n\n**3. 
Part 4: CVE-2020-27347 PoC Reproduction**\n\n```bash\n# From the project root directory:\n./submission/part_4/run.poc.sh\n```\n\nThis script builds a dedicated Docker image (from `submission/part_4/environment/Dockerfile`) and tests `tmux 3.1b` (vulnerable) against the patched commit `a868bac`.\n\n## Key Findings and Results\n\n(Detailed explanations, figures, and tables can be found in the full report.pdf)\n\n### Part 1 (Baseline - input-fuzzer)\n\n- **With default seed corpus:** 14.00% line coverage (7281/51997 lines), 24.44% function coverage.\n- **Without seed corpus:** 13.94% line coverage (7248/51997 lines), 24.31% function coverage.\n- The impact of the initial seed corpus was minor for the existing `input-fuzzer`.\n- Significant portions of tmux, notably argument parsing (`arguments.c`), command parsing/execution (`cmd-parse.c`, `cmd-*.c`), and client/server logic (`client.c`, `server.c`), were largely unexercised (e.g., `arguments.c` at ~5.8% line coverage).\n\n### Part 3 (Fuzzer Improvements)\n\n- **`argument-fuzzer` (targeting `arguments.c`):** Achieved 66.62% line coverage for `arguments.c`, a substantial increase from the ~5.8% baseline.\n- **`cmd-fuzzer` (targeting command parsing \u0026 execution):** Increased line coverage for `cmd-parse.c` to 42.58% (from ~27%) and function coverage to 77.78%.\n- `arguments.c` coverage also rose to 45.54% through this fuzzer.\n- `cmd.c` reached 39.14% line coverage.\n- Achieved new or significantly improved coverage in various `cmd-*.c` modules (e.g., `cmd-bind-key.c`, `cmd-set-options.c` to 50% function coverage) and key-handling routines (`key-string.c` to 30% line coverage, `key-bindings.c` to 6.05% line coverage).\n\n### Part 4 (CVE-2020-27347 Analysis)\n\n- Successfully reproduced CVE-2020-27347 (stack buffer overflow in SGR escape sequence parsing) on tmux 3.1b (commit `6a33a12`) using the payload `\\033[::::::7::1:2:3::5:6:7:m`.\n- Confirmed that tmux commit `a868bac` (which includes the fix and leads to 
version 3.1c) was not susceptible to the crash.\n- The vulnerability is reachable by any program that can write to a pane (for example by printing a crafted file): the overflow happens in the tmux server process, so the crash is a denial of service that takes down every session the server hosts, and the stack corruption has potential for arbitrary code execution. It is rated high severity (CVSS 7.8).\n\n## Challenges Faced\n\n- Ensuring correct tmux startup in a scripted Docker environment, particularly avoiding \"not a terminal\" errors, required using detached sessions for the CVE PoC.\n- Managing the git state (ensuring full clones, clean resets before applying patches) across different test scenarios was critical for reproducible builds of specific tmux versions.\n- Developing effective new fuzzing harnesses (`argument-fuzzer`, `cmd-fuzzer`) necessitated a good understanding of tmux's internal argument and command processing logic to target specific unexercised code paths.\n\n## Future Work\n\n- Further enhance the `cmd-fuzzer` to cover a wider array of `cmd-*.c` modules, especially those dealing with complex state interactions like window, layout, or pane manipulations.\n- Investigate fuzzing strategies for the tmux client-server communication protocol, potentially involving more complex environment mocking.\n- Explore the use of structure-aware fuzzing for the tmux command language, possibly by leveraging grammar definitions from `cmd-parse.y` to generate more syntactically valid and complex command sequences.\n\n## Useful Links\n\n- [tmux Project](https://github.com/tmux/tmux)\n- [OSS-Fuzz](https://github.com/google/oss-fuzz)\n- [CVE-2020-27347](https://www.cve.org/CVERecord?id=CVE-2020-27347)\n- [Project Report PDF](./submission/report.pdf) (Path relative to project root)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flucadibello%2Ftmux-fuzzing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flucadibello%2Ftmux-fuzzing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flucadibello%2Ftmux-fuzzing/lists"}