personnumber3377

Ideas

This is a compilation of some of my ideas, which I could do sometime.

• Basic interpreter in python (WIP)
• Write a time based fuzzer in python, which tries to find inputs, which timeout. (This could be useful for fuzzing different kinds of python applications for DOS vulns, like django etc). (Done!)
• HTTP request fuzzer (stateful with grammar), for example make a tool which could be used to find this bug:
• Fuzz apache httpd with libfuzzer (use the oss-fuzz stuff to fuzz instead of doing something janky). (This is under progress.)
• Try ruzzy (https://blog.trailofbits.com/2024/03/29/introducing-ruzzy-a-coverage-guided-ruby-fuzzer/) with the custom mutator which I made????
• Make a program which takes a C-code struct and then outputs a python program which reads said struct. (Probably exists already) (this is for the source engine mdl decompilation thing).
• Optimize my own graphics library.
• Try to make a perl exiftool fuzzer, potentially try to find interesting bugs in exiftool like DOS style bugs, because those are eligible for a big gitlab bounty.
• Try to fuzz nokogiri for DOS style bugs, because those too are eligible for gitlab bounty.
• Fuzz python markdown module.
• Fuzz python tomli module.
• Fuzz librsvg with my new custom mutator.
• Make an autodictionary tool, which creates a fuzzing dictionary out of the source code without even having to look at the code ourselves. I think clang already has this, but I think this should be used on other programming languages as well.
• Make a custom mutator for CLVM crypto virtual machine.
• Fuzz gitaly with golang fuzzer. (This is a part of the gitlab bug bounty.)
• Try to find some vulnerabilities in third party libraries used by django, because maybe you can get a bounty that way.
• Try to run my redos thing against python source code.
• Add a way to get the http response content in the python requests library (just as in burp suite for example). Also maybe do this for the requests too?? (You can get the raw request text before sending.)
• Make a custom mutator for APDU for rsk-powhsm stuff.

Some interesting looking stuff..

# This is taken from https://libc-alpha.sourceware.narkive.com/1BhjzIpn/is-there-a-fuzzer-for-libc

Sure, one class of functions that aren't too hard to fuzz is functions
which take only integer and pointer-to-string arguments with no
constraints on them. However it still may be hard to hit the
meaningful cases. I think fuzzing gethostbyname would be pretty slow
since you'd end up waiting for the dns request to fail for nearly
every random string you generated.

Rich
Konstantin Serebryany10 years ago
PermalinkQuick update: I found regfuzz, a fuzzer for regular expressions.
https://code.google.com/p/regfuzz/
A short run revealed a least 3 somewhat scary situations in regcomp:
infinite loop, quick memory exhaustion and a memory leak:
I've submitted two bugs so far; if they are considered interesting and
get fixed I can file more :)
https://sourceware.org/bugzilla/show_bug.cgi?id=17069
https://sourceware.org/bugzilla/show_bug.cgi?id=17070

I also wrote a naive fuzzer for wildcards and it found a buffer
overflow in fnmatch:
https://sourceware.org/bugzilla/show_bug.cgi?id=17062 (already fixed).

https://sourceware.org/glibc/wiki/FuzzingLibc

Also maybe say about the thing about the regex.match(string, position) method which is undocumented.