https://github.com/megamansec/privoxy
A heavily edited version of Privoxy intended for fuzzing.
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/megamansec/privoxy
- Owner: MegaManSec
- Archived: true
- Created: 2021-05-01T23:58:37.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2022-01-04T11:16:47.000Z (over 4 years ago)
- Last Synced: 2025-02-22T23:26:06.986Z (over 1 year ago)
- Size: 4.5 MB
- Stars: 0
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Privoxy Fuzzer
During testing of different forwarding-HTTP-proxies at [Opera Software](https://github.com/operasoftware), we heavily edited [Privoxy](https://www.privoxy.org) so that it could be fuzzed with nearly complete coverage for a single input.
While a fuzzer normally does better concentrating on one specific piece of sub-functionality, such as response handling or input handling, we decided that Privoxy's codebase is small enough (and robust enough!) to handle an input that acts as both a client's request and a server's response.
By implementing a 'magic byte' (0xF8, which is ø in Latin-1), a single input is able to act as an HTTP request and an HTTP response in the same file, and thus a more realistic code flow through Privoxy is exercised. In practice, this meant that an unbounded request/response sequence could be created by separating each segment with the ø byte.
For example, a file could contain `GET / HTTP/1.1\r\nHost: host\r\n\r\nøHTTP/1.1 200 OK\r\n\r\n`, which would successfully be parsed as both a request and a response by Privoxy.
No hard limit was set, and interestingly, [afl++](https://github.com/AFLplusplus/AFLplusplus) was able to create a file which correctly acted as hundreds of requests and responses. Amazingly, corpus [1228](https://github.com/MegaManSec/privoxy-fuzz/blob/master/corpus/1228) has a total of 323 completely valid HTTP requests and responses generated by the fuzzer.
There were various caveats that needed to be resolved while implementing this system, mostly to do with how I/O streams work (the request and the response normally arrive on two different sockets). More information about the actions we took can be found here: [blog](https://blogs.opera.com/security/2021/05/fuzzing-http-proxies-privoxy-part-1/).
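The splitting scheme described above, as an added example that is not the project's own patch set: a minimal C harness that treats a ø-separated input as alternating request and response segments, exposes a read(2)-style function that returns EOF at each separator (one way of dealing with the two-socket I/O caveat), and counts how many segments of a corpus file start like a valid request or response. The function names, the 16-byte start-line peek and the method list are assumptions of this example, and the sample corpus is constructed here rather than taken from the repository.

```c
#include <string.h>
#include <sys/types.h>

/* The separator byte: 0xF8, 'ø' in Latin-1. Segment 0 is the first client
 * request, segment 1 the first server response, segment 2 the next request... */
#define FUZZ_MAGIC 0xF8

struct fuzz_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;     /* next unread byte */
    size_t seg_end; /* end (exclusive) of the current segment */
    size_t seg_idx; /* even = request side, odd = response side */
};

static void fuzz_find_segment_end(struct fuzz_stream *s)
{
    const unsigned char *p = memchr(s->data + s->pos, FUZZ_MAGIC, s->len - s->pos);
    s->seg_end = p ? (size_t)(p - s->data) : s->len;
}

void fuzz_stream_init(struct fuzz_stream *s, const unsigned char *data, size_t len)
{
    s->data = data; s->len = len; s->pos = 0; s->seg_idx = 0;
    fuzz_find_segment_end(s);
}

/* Stand-in for read(2) on the client or server socket (hypothetical shim):
 * hands out bytes from the current segment only and returns 0 (EOF) once it
 * is exhausted, so the proxy sees the connection "close" at the ø byte. */
ssize_t fuzz_read(struct fuzz_stream *s, void *buf, size_t count)
{
    size_t avail = s->seg_end - s->pos;
    if (avail == 0) return 0;
    if (count > avail) count = avail;
    memcpy(buf, s->data + s->pos, count);
    s->pos += count;
    return (ssize_t)count;
}

/* Switch to the next segment (the proxy now talks to the other side).
 * Returns 0 when no segment remains. */
int fuzz_next_segment(struct fuzz_stream *s)
{
    if (s->seg_end >= s->len) return 0;
    s->pos = s->seg_end + 1; /* skip the separator itself */
    s->seg_idx++;
    fuzz_find_segment_end(s);
    return 1;
}

/* Number of segments in an input; an empty input still has one (empty) segment. */
size_t fuzz_segment_count(const unsigned char *data, size_t len)
{
    struct fuzz_stream s;
    size_t n = 0;
    fuzz_stream_init(&s, data, len);
    do { n++; } while (fuzz_next_segment(&s));
    return n;
}

/* Start-line heuristics (assumed method list) for counting valid segments. */
static int looks_like_request(const unsigned char *p, size_t n)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ",
                                           "CONNECT ", "OPTIONS ", "TRACE ", "PATCH " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (n >= m && memcmp(p, methods[i], m) == 0) return 1;
    }
    return 0;
}

static int looks_like_response(const unsigned char *p, size_t n) { return n >= 5 && memcmp(p, "HTTP/", 5) == 0; }

/* Walk a corpus file the way the harness would: even segments must start like
 * a request, odd ones like a response. Returns the total; out-pointers may be NULL. */
int count_valid_segments(const unsigned char *data, size_t len, int *requests, int *responses)
{
    struct fuzz_stream s;
    int req = 0, resp = 0;
    fuzz_stream_init(&s, data, len);
    do {
        unsigned char head[16];
        size_t got = (size_t)fuzz_read(&s, head, sizeof head); /* peek at the start line */
        if (s.seg_idx % 2 == 0) req += looks_like_request(head, got);
        else                    resp += looks_like_response(head, got);
    } while (fuzz_next_segment(&s));
    if (requests) *requests = req;
    if (responses) *responses = resp;
    return req + resp;
}

/* Constructed sample corpus (not one of the repository's corpus files): two
 * request/response pairs plus a trailing segment that is not a request. The
 * separator is its own literal so "\xF8" cannot swallow a following hex-like letter. */
#define SEP "\xF8"
static const char sample_corpus[] =
    "GET / HTTP/1.1\r\nHost: host\r\n\r\n" SEP
    "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok" SEP
    "POST /form HTTP/1.1\r\nHost: host\r\nContent-Length: 3\r\n\r\na=1" SEP
    "HTTP/1.1 404 Not Found\r\n\r\n" SEP
    "garbage";

int count_sample(int *requests, int *responses)
{
    return count_valid_segments((const unsigned char *)sample_corpus,
                                sizeof sample_corpus - 1, requests, responses);
}
```

Pointing `count_valid_segments()` at a real corpus file gives a rough count of its valid segments; Privoxy's own start-line parser is stricter than this heuristic, so the two counts need not agree. The order matters: a file that starts with `HTTP/1.1 200 OK` is counted as zero valid segments, because segment 0 is always read as the client's request.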
We implemented [leak-checking](https://github.com/AFLplusplus/AFLplusplus/pull/855) in AFL++, which we then used to identify X vulnerabilities that could cause memory exhaustion in Privoxy.
The diffs between privoxy-3.0.31-stable and our fuzzing code can be found [here](https://github.com/MegaManSec/privoxy-fuzz/commits/master): there are a couple of patches (clearly labelled) to check out.
We also include some [corpora](/corpus/).
Finally, we include a [coverage report](https://megamansec.github.io/privoxy-fuzz/) which outlines exactly which lines of code and functions that the fuzzer (in this case, AFL++) was able to uncover.
Nearly every function that was not covered cannot be fuzzed at all with a single 'request->response' input; in some cases these functions were fuzzed manually instead (such as config-file parsing).
For any adventurous readers out there, I would recommend taking a look at Privoxy's SSL handling ([ssl_common.c](https://megamansec.github.io/privoxy-fuzz/fuzz/ssl_common.c.gcov.html), [ssl.c](https://megamansec.github.io/privoxy-fuzz/fuzz/ssl.c.gcov.html)) and network handling ([jbsockets.c](https://megamansec.github.io/privoxy-fuzz/fuzz/jbsockets.c.gcov.html), [gateway.c](https://megamansec.github.io/privoxy-fuzz/fuzz/gateway.c.gcov.html)), as we did not take an in-depth look at these sections and there may be vulnerabilities to be found.
In total, 12 bugs were found:
1) CVE-2021-20217 --- DoS
2) CVE-2021-20272 --- DoS
3) CVE-2021-20275 --- Buffer Overflow
4) CVE-2021-20274 --- Null Pointer Dereferencing
5) CVE-2021-20273 --- DoS
6) CVE-2021-20276 --- Buffer Overflow
7) [647353d3e6621b32696a08d66656b7c6bb8fb0a3](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=647353d3e6621b32696a08d66656b7c6bb8fb0a3) --- Undefined memcpy behavior
8) [9788f97d68076acffc11da82a9c65f06cd661b15](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=9788f97d68076acffc11da82a9c65f06cd661b15) --- Undefined left shift
9) [f018685d622080d08641471be338e5e2b698d8df](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f018685d622080d08641471be338e5e2b698d8df) --- Uninitialized byte reading
10) [c78a3a27b574d049a155542724134f01648d7aac](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c78a3a27b574d049a155542724134f01648d7aac) --- DoS & Buffer Overflow & Null Pointer Dereferencing (only in fuzzing mode)
11) [88d5b57a4a639f88c937e7b22f6fe976b4380ce9](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=88d5b57a4a639f88c937e7b22f6fe976b4380ce9) --- DoS (only in fuzzing mode)
12) [bc7cc845a82203f50e3fc5c1bd0dca01571749b9](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bc7cc845a82203f50e3fc5c1bd0dca01571749b9) --- Incorrect config loading
A second round of fuzzing occurred, looking for memory leaks. 3 issues were found:
1) CVE-2021-44540
2) CVE-2021-44541
3) CVE-2021-44542
Most of these bugs were exploitable by remote webpages, and more information about them can be found in our [post #1](https://blogs.opera.com/security/2021/05/fuzzing-http-proxies-privoxy-part-1/) and [post #2](https://blogs.opera.com/security/2022/01/fuzzing-http-proxies-privoxy-part-3/).
A big thank you to ***[Fabian Keil](https://www.fabiankeil.de/)*** for his incredibly quick patches and continued communication during this testing.