Metafuzzing

Thomas Ptacek | April 19th, 2006 | Filed Under: Bitching About Protocols, Development, Matasano

1 INT. COFFEE SHOP - MORNING

A normal Denny’s, Spires-like coffee shop in New York, with THOMAS PTACEK, DAVE GOLDSMITH, JEREMY RAUCH, DINO DAI ZOVI, and RUSSELL HOUSLEY. Dino Dai Zovi has a slight working-class English accent and, like his fellow countryman, smokes cigarettes like they’re going out of style. Russell is the primary author of RFC2459. Dave doesn’t eat meat. Their dialogue is to be said in a rapid-pace, “HIS GIRL FRIDAY” fashion.

JEREMY RAUCH

No, forget it, it’s too risky. I’m through doin’ that shit.

THOMAS PTACEK

You always say that. But we’re going to need to test TLS negotiation to finish an assessment of a STARTTLS-capable mail server.

DAVE GOLDSMITH

What’s so hard about that?

DINO DAI ZOVI

TLS means X.509 certificates. DER encoded.

THOMAS PTACEK

Have you read the fucking spec for this stuff? What the hell is the difference between an IMPLICIT and an EXPLICIT tag?

RUSSELL HOUSLEY

The sequence TBSCertificate contains information associated with the subject of the certificate and the CA who issued it.

DAVE GOLDSMITH

“TBSCertificate” ain’t no country I know! They speak English there?

RUSSELL HOUSLEY

Every TBSCertificate contains the names of the subject and issuer, a public key associated with the subject, a validity period, a version number, and a serial number; some may contain optional unique identifier fields.

DAVE GOLDSMITH

Say “TBSCertificate” again! C’mon, say it. I dare ya. I double dare ya motherfucker, say “TBSCertificate” one more goddamn time.

RUSSELL HOUSLEY

A TBSCertificate may also include extensions.

Dave shoots Russell Housley.

THOMAS PTACEK

I still don’t have an answer to my question. What the fuck does “EXPLICIT” and “IMPLICIT” tagging mean? In a second I’m going to start writing shell scripts to figure this out.

JEREMY RAUCH

When you go on about shell scripts, you know what you sound like?

THOMAS PTACEK

I sound like a sensible fucking man, is what I sound like. Unix is a programming language.

JEREMY RAUCH

You sound like a duck. Quack quack quack quack quack quack.

DAVE GOLDSMITH

DOS batch files are a programming language too.

DINO DAI ZOVI

I had a dream last night. I was being chased by one of your shell script fuzzers.

JEREMY RAUCH

“This Old Vulnerability: SUID Shell Scripts!”

THOMAS PTACEK

I have a better idea than writing a shell script.

JEREMY RAUCH

Writing it in Perl?

THOMAS PTACEK

Fuck you. I’m writing a program to write shell scripts to write X.509 certificates for me —

DINO DAI ZOVI

How is that a better idea than writing a shell script?

THOMAS PTACEK

— it’ll read a binary ASN.1 message on standard input and write a shell script representation of that ASN.1 on standard output. You can run the shell script to regenerate the ASN.1 message —

DINO DAI ZOVI

Or regenerate your hard drive if any of the fields contain a backtick.

THOMAS PTACEK

— so input like this:

30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 \
05 00 03 81 8d 00 30 81 89 02 81 81 00 cf 9a de \
64 8a da c8 33 20 a9 d7 83 31 19 54 b2 9a 85 a7 \
a1 b7 75 33 b6 a9 ac 84 24 b3 de db 7d 85 2d 96 \
65 e5 3f 72 95 24 9f 28 68 ca 4f db 44 1c 3e 60 \
12 8a dd 26 a5 eb ff 0b 5e d4 88 38 49 2a 6e 5b \
bf 12 37 47 bd 05 6b bc db f3 ee e4 11 8e 41 68 \
7c 61 13 d7 42 c8 80 be 36 8f dc 08 8b 4f ac a4 \
e2 76 0c c9 63 6c 49 58 93 ed cc aa dc 25 3b 0a \
60 3f 8b 54 3a c3 4d 31 e7 94 a4 44 fd 02 03 01 \
00 01

DAVE GOLDSMITH

How is Tom speaking in hexdump?

THOMAS PTACEK

— produces output like this:

( ( bkb asn1 oid 1.2.840.113549.1.1.1; echo -n | bkb asn1 null; ) | bkb asn1 sequence; bkb binhex 0030818444fd0203010001 | bkb asn1 bitstring ; ) | bkb asn1 sequence;

DAVE GOLDSMITH

And, uh, why is that useful?

THOMAS PTACEK

It works with any ASN.1 BER/DER message. X.509, SNMP, LDAP. Raw messages directly to fuzzing templates! We are so funded now!

DAVE GOLDSMITH

Fuzzing template?

THOMAS PTACEK

Edit the shell script. “bkb asn1 oid 1.2.840 c 10000 .1”. Or “bkb asn1 -L 0xFFFFFFFE” to set the length negative.

DINO DAI ZOVI

And for a realistic X.509 message, it only takes 5 minutes to run the script!

THOMAS PTACEK

Meh, 10 seconds or so.

JEREMY RAUCH

So pretty much the opposite of BreakingPoint Systems there.

THOMAS PTACEK

Yeah. But old school.

JEREMY RAUCH

Just like your web design skills.

NARRATOR

Matasano Blackbag 0.8, Now With “unasn”: Shell Script ASN.1 Fuzzing From Raw Messages, When You Care Enough To Send The Very Worst. All this and more, when Thomas Ptacek gets around to copying the tarball up.
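The round trip Tom describes above (raw BER/DER in, an editable template out, a mutated message back) as an added Python example. This is not the Blackbag/unasn code and it builds a Python tree rather than a shell script; the Node class, parse_all, encode, fuzz_oid and fuzz_length are this example's own names. The input is the SubjectPublicKeyInfo from the hexdump in the post; the two mutations mirror the two Tom mentions, an OID padded with 10000 extra arcs and an outer length forged to 0xFFFFFFFE.

```python
"""Added example (not the Blackbag/unasn code): raw BER/DER in, editable template out, mutated DER back."""
from dataclasses import dataclass, field
from typing import List, Optional

# The rsaEncryption SubjectPublicKeyInfo from the post's hexdump (162 bytes).
SPKI = bytes.fromhex(
    "30819f300d06092a864886f70d010101" "050003818d0030818902818100cf9ade"
    "648adac83320a9d783311954b29a85a7" "a1b77533b6a9ac8424b3dedb7d852d96"
    "65e53f7295249f2868ca4fdb441c3e60" "128add26a5ebff0b5ed48838492a6e5b"
    "bf123747bd056bbcdbf3eee4118e4168" "7c6113d742c880be368fdc088b4faca4"
    "e2760cc9636c495893edccaadc253b0a" "603f8b543ac34d31e794a444fd020301" "0001")

CONSTRUCTED = 0x20                          # bit 6 of the identifier octet: SEQUENCE, SET, ...

@dataclass
class Node:
    tag: int                                # identifier octet (single-octet tag numbers only)
    value: bytes = b""                      # contents of a primitive
    children: List["Node"] = field(default_factory=list)
    length_override: Optional[int] = None   # if set, written in place of the real length (the -L idea)

def read_length(buf, pos):
    """Definite-form BER length at buf[pos] -> (length, position after it)."""
    first, pos = buf[pos], pos + 1
    if first < 0x80:                        # short form
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):   # indefinite form or oversized length: refuse
        raise ValueError(f"unsupported length octet 0x{first:02x}")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse(buf, pos=0):
    """One TLV at pos -> (node, position after it); recurses into constructed types."""
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tag numbers not supported")
    length, pos = read_length(buf, pos)
    end = pos + length
    if end > len(buf):                      # the bounds check a forged length has to trip
        raise ValueError(f"length {length} runs past end of input")
    node = Node(tag)
    if tag & CONSTRUCTED:
        while pos < end:
            child, pos = parse(buf, pos)
            node.children.append(child)
        if pos != end:
            raise ValueError("child overruns enclosing length")
    else:
        node.value = buf[pos:end]
    return node, end

def parse_all(buf):
    node, end = parse(buf)
    if end != len(buf):
        raise ValueError(f"{len(buf) - end} trailing bytes")
    return node

def encode_length(length, override=None):
    n = length if override is None else override
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode(node):
    """Template back to DER; every length is recomputed unless length_override says otherwise."""
    contents = b"".join(map(encode, node.children)) if node.tag & CONSTRUCTED else node.value
    return bytes([node.tag]) + encode_length(len(contents), node.length_override) + contents

def decode_oid(raw):
    arcs, v = [], 0
    for b in raw:                           # base-128 arcs, high bit set = more octets follow
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    root = 0 if arcs[0] < 40 else 1 if arcs[0] < 80 else 2   # first two arcs are packed as 40*X+Y
    return ".".join(map(str, [root, arcs[0] - 40 * root] + arcs[1:]))

def encode_oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def fuzz_oid(buf, dotted):
    """Edit one field of the template (here the algorithm OID) and let encode() fix every length."""
    tree = parse_all(buf)
    tree.children[0].children[0].value = encode_oid(dotted)   # SPKI -> AlgorithmIdentifier -> OID
    return encode(tree)

def fuzz_length(buf, forged):
    """Keep every byte but lie about the outer length, like `bkb asn1 -L 0xFFFFFFFE`."""
    tree = parse_all(buf)
    tree.length_override = forged
    return encode(tree)
```

parse_all(SPKI) gives the tree, encode() of that tree reproduces the 162 input bytes exactly, and the two fuzz_ helpers are the "edit the script" step. Note the asymmetry: fuzz_oid only changes one value and every enclosing length is recomputed on the way out, while fuzz_length deliberately bypasses that. The forged message is rejected by this parser's own end > len(buf) check; a target that allocates or copies on the declared length before making that comparison is what a template like that is probing for.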

10 Comments so far

  • David Maynor

    April 19th, 2006 7:01 am

Why are you wasting time in security? It's pretty clear you have a great future in developing scripts for Hollywood.

  • Adam

    April 19th, 2006 8:18 am

    Dave,

    In answer to your question, Tom’s first job was programming binary load lifters, very similar to your evaporators in most respects. He’s fluent in over 6 million forms of encoding.

  • David Maynor

    April 19th, 2006 9:16 am

Geez, I wonder if Matasano headquarters is in Tosche Station. I can swing by while picking up some power converters.

  • Chris Walsh

    April 19th, 2006 9:26 am

    I guess Tom’s closest to me, so please drop by and kill me. I read the first line of this post as some sort of weird variable declaration. Then again, it’s all a weird, variable declaration, isn’t it?

  • Thomas Ptacek

    April 19th, 2006 10:14 am

    It’s the screenwriter’s equivalent of a function declaration, Chris, and, for the benefit of the class, yes, I am a huge, huge dork.

  • James Lee

    September 10th, 2006 7:21 pm

    So where’s that tarball? =)

  • dfc

    September 20th, 2006 10:44 pm

    did you ever release 0.8?

  • […] This release includes the source to “unasn”, which reads stdin, attempts to parse it as if it was ASN.1/BER/DER, and spits out a structured shell script that reproduces the same binary. You can read more about unasn here, sort of. […]

  • […] You don’t know it just to look at it, though. It relies on X.509, which is an ASN.1 protocol. ASN.1 is to the Internet what Pravda is to the GOP. SSL/TLS has its own record layer. Ew! It has a really complicated handshake. Lots of negotiation. And the certificates are hard to configure. And you have to talk to creepy Certificate Authority companies who want you to pay for the privilege. […]

  • bearacid

    April 19th, 2008 8:51 am

When I was reading your article, it was really awesome because it feeds my knowledge and it was so entertaining, by the way. Hope you can make more articles just like this. It helps me a lot. Thanks and good luck. :)