For this exercise we will fuzz V8 Google’s JavaScript and WebAssembly engine. The goal is to find a crash/PoC for CVE-2019-5847 in v8 7.5.
For more information about CVE-2019-5847 vulnerability, click me!
--------------------------------------------------------------------------------------------------------CVE-2019-5847 is a vulnerability that may cause an infinite recursion via a crafted file.
A heap-based memory corruption is a type of memory corruption that occurs in the heap data area, and it's usually related to explicit dynamic memory management (allocation/deallocation with malloc() and free() functions).
As a result, a remote attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library.
You can find more information about Heap-based memory corruption vulnerabilities at the following link: https://cwe.mitre.org/data/definitions/122.html
Once you complete this exercise you will know-how:
- How to use Fuzzilli to fuzz Javascript engines
- I suggest you try to solve the exercise by yourself without checking the solution. Try as hard as you can, and only if you get stuck, check out the example solution below.
- If you find a new vulnerability, please submit a security report to the project. If you need help or have any doubt about the process, the GitHub Security Lab can help you with it :)
Are you stuck and looking for help? Do you have suggestions for making this course better or just positive feedback so that we create more similar content?
Do you want to share your fuzing experience with the community?
Join the GitHub Security Lab Slack and head to the #fuzzing channel. Request an invite to the GitHub Security Lab Slack
All the exercises have been tested on Ubuntu 18.04 LTS. I highly recommend you to use the same OS version to be able to follow the guidelines. You can find an Ubuntu 18.04 LTS VMware image here. You can also use VirtualBox instead of VMware.
The username / password for this VM are fuzz / fuzz.
Fuzzilli is a (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript. It's written and maintained by Samuel Groß, [email protected].
You can find more information about Fuzzilli at the official repository
To get your environment fully ready, you may need to install some additional tools (ex. Swift, Git)
Let's start installing the following dependencies:
sudo apt --yes install clang libcurl3 libpython2.7 libpython2.7-dev libcurl4 git
Now, we can download Swift:
cd $HOME
wget https://swift.org/builds/swift-4.2.1-release/ubuntu1804/swift-4.2.1-RELEASE/swift-4.2.1-RELEASE-ubuntu18.04.tar.gz
tar xzvf swift-4.2.1-RELEASE-ubuntu18.04.tar.gz
sudo mv swift-4.2.1-RELEASE-ubuntu18.04 /usr/share/swift
We also need to configure the PATH envvar:
echo "export PATH=/usr/share/swift/usr/bin:$PATH" >> ~/.bashrc
source ~/.bashrc
Time for download and build Fuzzilli:
cd $HOME
wget https://github.com/googleprojectzero/fuzzilli/archive/refs/tags/v0.9.zip
unzip v0.9.zip
cd fuzzilli-0.9/
swift build -c release -Xlinker='-lrt'
V8 use a package of scripts called depot_tools to manage checkouts and code reviews. The depot_tools package includes gclient, gcl, git-cl, repo, and others. We can install it with:
cd $HOME
mkdir depot_tools && cd depot_tools
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
echo "export PATH=`pwd`/depot_tools:$PATH" >> ~/.bashrc
source ~/.bashrc
cd $HOME
mkdir Fuzzing_v8_75 && cd Fuzzing_v8_75
fetch v8
cd v8
git checkout 1ca088652d3aad04caceb648bcffef100bc4abc0
gclient sync
First of all we need to install build dependencies:
./build/install-build-deps.sh
Generate build files using gn:
gn gen out/Release "--args=is_debug=false"
After that, we can compile with the following command line (it may take some time):
ninja -C out/Release
Now, we can check the d8 binary with:
./out/Release/d8 ./test/fuzzer/parser/hello-world
and you should see something like this:
Compile v8 with coverage instrumentation:
cd $HOME/Fuzzing_v8_75/v8
cp ../../fuzzilli-0.9/Targets/V8/v8.patch ./
gn gen out/fuzzbuild --args='is_debug=false dcheck_always_on=true v8_static_library=true v8_enable_slow_dchecks=true v8_enable_v8_checks=true v8_enable_verify_heap=true v8_enable_verify_csa=true v8_enable_verify_predictable=true sanitizer_coverage_flags="trace-pc-guard" target_cpu="x64"'
ninja -C ./out/fuzzbuild
Move to fuzzilli folder:
cd $HOME/fuzzilli-0.9
First of all, we need to disable the creation of core dump files:
sudo sysctl -w 'kernel.core_pattern=|/bin/false'
Now we can run fuzzilli with:
swift run -Xlinker='-lrt' -c release FuzzilliCli --profile=v8 '/home/fuzz/Fuzzing_v8_75/v8/out/fuzzbuild/d8'
For a complete list of options, type:
swift run -Xlinker='-lrt' FuzzilliCli --help
If all went well, you should see something like:
In order to solve this challenge, you need to:
- Download and build the vulnerable version
- Define a custom mutator to target the vulnerable code
- Fuzz with Fuzzilli until you have a few unique crashes
- Triage the crashes to find a PoC for the vulnerability
- Send your PoC (see below)
The rules are as follows:
- Please, don't disclose your solution
- In order to be the winner, you must provide a valid crash/PoC file
- There will be 2 winners in total
- I'll release a new hint every week
- Send your solution by 28 February to [email protected]
- The winners will receive a coupon to spend in the GitHub Shop
- 1º hint:
git checkout 7.5.288.22