Skip to content

Reproduce CVEs from ForAllSecure Vulnerabilities Lab

License

Notifications You must be signed in to change notification settings

sung3r/VulnerabilitiesLab

 
 

Repository files navigation

ForAllSecure Vulnerability Labs

We open source our vulnerabilities after our responsible disclosure period has terminated. You will find:

  • A reproducible environment for building the vulnerable code inside docker.
  • Proof of concept artifacts that show how to trigger the discovered vulnerability.
  • (Optional) If you are a ForAllSecure Mayhem subscriber, you can run all of these locally.

We will be adding to this as find more bugs! Currently we have:

Please report any issues on the GitHub issue tracker. This is not an official ForAllSecure product.

Running from Dockerhub

All vulnerabilities are in pare-built images on our ForAllSecure Dockerhub account. The image name is the same as the directory name, prefixed with "forallsecure". For example, to run openssl-cve-2014-0160:

docker run forallsecure/openssl-cve-2014-0160

Mayhem Subscribers

Mayhem subscribers can run all examples within their Mayhem instance. The mayhemit.sh utility script helps with migration.

If you have access to dockerhub.com from your network:

./mayhemit.sh run

If you do not have access to dockerhub.com from your network, you will need to migrate the docker images to your local Mayhem docker repository, and rewrite the Mayhemfile to point to that registry. You can do this by running:

To start Mayhem fuzzing, you can use mayhem run, or use this script as follows:

mayhem run .

Building Locally

You can build and run the image locally. For example, if you are a researcher you can build the docker image to better understand the vulnerability.

To build:

./mayhemit.sh --build <directory>  # A single CVE
./mayhemit.sh --build --all        # Every CVE in this repository

Two notes:

  • You may need Mayhem to fuzz some targets. Mayhem supports binary-only fuzzing, network inputs (TCP & UDP), and many other features. Some targets, however, are libfuzzer or AFL. These you can fuzz yourself with the standard AFL or libfuzzer tool.

  • A single docker image includes multiple CVEs when they are all based on the same source code build.

If you are wondering what Mayhem runs, look in <dir>/mayhem/<name>/Mayhemfile. A Mayhemfile is a yaml file, and Mayhem fuzzing executes the cmd as given.

You always can run the vulnerable program/target locally. Run the docker image, and look at the associated cmd. E.g., for heartbleed, do:

host$ docker run -ti openssl-cve-2014-0160 bash
docker$ /build/handshake-fuzzer

Migrating to a closed network or your own Mayhem docker registry

These directions also apply to any Mayhem subscriber who does not wish to run the images from dockerhub (e.g., a closed network).

Migration steps:

  1. On a host with access to dockerhub, run:

    # Build all the images, rewriting the tag with your registry name.
    ./mayhemit.sh --all --save

    This will build all images, and save the docker images as tgz files.

  2. Tar up this entire directory with the previously saved docker images from the previous step. For example:

    cd .. && tar zcf vulnlabs.tgz ./vulnlabs
  3. Copy over the resulting tar file (e.g., vulnlabs.tgz) to your a host on the closed network. You must have docker installed on this machine as well, but no internet access is required.

  4. Untar the tar file on the closed network host:

    tar zxf vulnlabs.tgz
  5. Rewrite all the Mayhemfile files to point to your local docker registry, load up the images (the image is tagged with baseimage from the Mayhemfile), and push to your registry. It is important that you give the --rewrite flag first, as --load uses the registry baseimage directive in the Mayhemfile to determine the proper place to load the image:

    ./mayhemit.sh --all --rewrite \"your-registry:your-port/openssl-cve-2014-0160\" --load

    Replace openssl-cve-2014-0160 with the folder of the project you are analyzing.

  6. Test out a run, e.g.,:

    ./mayhemit.sh --run ./openssl-cve-2014-0160

About

Reproduce CVEs from ForAllSecure Vulnerabilities Lab

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 40.6%
  • C++ 39.4%
  • Makefile 6.1%
  • Shell 3.9%
  • Python 2.4%
  • MATLAB 2.0%
  • Other 5.6%