Estimated reading time: 4 minutes
Table of contents
Executive Summary
The Source Code contains a proof of concept implementation of an image fuzzer designed for XNU environments. It aims to demonstrate basic fuzzing techniques on image data to uncover potential vulnerabilities in image processing routines. The Objective-C Code implements 12 CGCreateBitmap & CGColorSpace Functions working with Raw Data and String Injection that are User Controllable Inputs.
whoami
David Hoyt is an independent, authoritative source for Best Practices & Transparency of Telecommunications, Legal & Regulatory Matters since 1994.
Start
Big Picture
- My Code
- This
- Proof of Concept
- Native Rendering of Fuzzed Images
- Command Line Version
- Runs on x86_64 or arm
- Fuzzed Image File Collection
- https://github.com/xsscx/macos-research/tree/main/code/iOSOnMac
- Runs on x86_64 or arm
- Fuzz with Jackalope
- Run the Fuzzed Images through multiple Fuzzers
- https://github.com/xsscx/macos-research/tree/main/code/imageio
Render
Seeds
Background
I had been using Jackalope for Fuzzing and to confirm that it could find easy to identify Bugs. Looking deeper at Jackalope, I found minor UAF, OOB, NPTR that impacted some results given the Seeding.
I wrote this Objective-C Code for A/B Testing along side Jackalope using the Command Line version of this Code. Stitch together your Fuzzed Images into a Malicious Movie and then Fuzz with the VideoToolbox Interposing Code.
The Command Line version is preferred for Fuzzing and Collecting the post-processed Images. The example Code provides the ability to change a few Numbers in a Function() and further Modify the Program Behavior, perhaps you will get a good Crash.
#pragma mark - Fuzzing Functions
/**
Applies a color shift fuzzing method to the specified pixel data.
This method randomly increases or decreases the RGB values of a pixel to simulate color distortions that might reveal handling errors in image processing.
@param data The raw image data.
@param index The index of the pixel to be modified.
*/
void applyColorShift(unsigned char *data, size_t index) {
for (int i = 0; i < 3; i++) { // Affecting RGB channels
int shift = (arc4random_uniform(2) == 0) ? -15 : 15; // Randomly decide to increase or decrease color value
int newValue = data[index + i] + shift;
data[index + i] = (unsigned char)fmax(0, fmin(255, newValue)); // Ensure the new value is within the byte range
}
}
/**
Randomly scrambles the RGB values of a pixel.
This method swaps the values of two RGB channels at the given pixel index, which can help in uncovering issues related to incorrect channel processing or assumptions in color models.
@param data The raw image data.
@param index The index of the pixel where the RGB channels will be scrambled.
*/
void applyPixelScramble(unsigned char *data, size_t index) {
unsigned char temp;
int swapIndex = arc4random_uniform(3); // Choose a random channel to swap with another
temp = data[index + swapIndex];
data[index + swapIndex] = data[index + (swapIndex + 1) % 3];
data[index + (swapIndex + 1) % 3] = temp;
}Purpose of Using Fuzzed Images in Fuzzing
Use your fuzzed files for analyzing & rendering to identify potential vulnerabilities in software that processes or displays PNG images.
Embedding fault mechanisms into a generic image and further processing it through fuzzing enhances the effectiveness of testing by uncovering edge cases and potential vulnerabilities in image processing software.
The presence of unexpected or non-standard chunks could potentially be exploited to execute arbitrary code, cause denial-of-service (DoS) conditions, or lead to information disclosure if the software does not properly handle such anomalies.
Workflow
Prepare the Image:
- Start with a generic image.
- Apply initial fuzzing to introduce random mutations.
- Embed specific fault mechanisms to target vulnerabilities.
Submit to Fuzzing Harness:
- Load the processed image into a fuzzing framework like Jackalope or AFL.
- Configure the tool to use the image as a seed for further automated fuzzing.
Monitor and Analyze:
- Monitor for crashes, hangs, and other signs of vulnerabilities.
- Collect and analyze the results to identify and understand the bugs found.
Crash Analysis
For Crash Analysis, consider Reading https://srd.cx/xnu-crash-analysis/ and for arm64e Pointer Authentication Crashes, consider Reading https://srd.cx/possible-pointer-authentication-failure-data-abort/ for a quick snapshot of what may be Signal, or Noise.