Monday, 21 January 2019

Fuzzing HTTP Server (PDF.js)

Hi Internet

Summary: While fuzzing Mozilla PDF.js a format string vulnerability it was observed that the development server used in PDF.js gets crash when a malformed URI(bad request) is sent.

PS: The patch for the path traversal bug which was found perviously gave rise to this issue.

I have used boofuzz in the case to fuzz PDF.js, boofuzz is a fork of and the successor to the venerable sulley fuzzing framework, for installation you can simply use pip.

pip install boofuzz

Then,
session = Session(
    target=Target(
        connection=SocketConnection("127.0.0.1", 8888, proto='tcp')))
In boofuzz each message starts with an s_initialize()
s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ['GET'])
        s_string("/", name='Request-URI')
        s_string('HTTP/1.1', name='HTTP-Version')
Vulnerable code in PDF.js (webserver.js):
  _handler: function (req, res) {
     var url = req.url.replace(/\/\//g, '/');
     var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
     // guard against directory traversal attacks,
     // e.g. /../../../../../../../etc/passwd
     // which let you make GET requests for files outside of this.root
     var pathPart = path.normalize(decodeURI(urlParts[1]));
If you see the bold part of the above code the PDF.js did not have any guard for malformed URI sent in various methods.

However, the fuzzer ran for an hour and it was observed that the HTTP server of PDF.js can't handle malformed strings and server gets crash. While fuzzing with boofuzz its better to start Wireshark on 'lo' to see all the fuzzed request which are sent to the server. I found /%s%s%s was used in this case.
curl -v -X GET 127.0.0.1:8888/%s%s%s
The PDF.js server gets crash and below traces are left.
Server running at http://localhost:8888/
[12:16:22] 'server' errored after 1.01 h
[12:16:22] URIError: URI malformed
at decodeURI ()
at WebServer._handler (/Users/Dhiraj/Desktop/pdf.js/test/webserver.js:86:35)
at Server.emit (events.js:188:13)
at Server.EventEmitter.emit (domain.js:459:23)
at parserOnIncoming (_http_server.js:676:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:113:17)
However, the bug was submitted to Mozilla and a patch was deployed for same.

Patch code in PDF.js (webserver.js):
    try {
       // Guard against directory traversal attacks such as
       // `/../../../../../../../etc/passwd`, which let you make GET requests
       // for files outside of `this.root`.
       var pathPart = path.normalize(decodeURI(urlParts[1]));
     } catch (ex) {
       // If the URI cannot be decoded, a `URIError` is thrown. This happens for
       // malformed URIs such as `http://localhost:8888/%s%s` and should be
       // handled as a bad request.
       res.writeHead(400);
       res.end('Bad request', 'utf8');
       return;
     }
     var queryPart = urlParts[3];
     var verbose = this.verbose;
If you are a mozillian and you like my work towards PDF.js, don't hesitate to vouch me :) Hope you like the read.
https://mozillians.org/en-US/u/Dhiraj_Mishra/

Thank you
Share:

1 comment: