Report a Trophy #286

Open
andreafioraldi opened this issue Mar 31, 2020 · 18 comments
Labels
help wanted Extra attention is needed important a highly important issue

Comments

@andreafioraldi (Member) commented Mar 31, 2020

Comment here if you found bugs using AFL++ and want to be listed in the trophies section.

The trophies section is on the main page of the website: https://aflplus.plus/#trophies

@antonio-morales (Contributor)

@andreafioraldi 12 new CVEs in FreeRDP

CVE-2020-13396
CVE-2020-13397
CVE-2020-13398
CVE-2020-11099
CVE-2020-11097
CVE-2020-11098
CVE-2020-4030
CVE-2020-11096
CVE-2020-11095
CVE-2020-4032
CVE-2020-4033
CVE-2020-4031

More info at https://securitylab.github.com/research/fuzzing-sockets-FreeRDP

Regards


@andreafioraldi (Member, Author)

Cool!

@virtuald (Contributor)

Here's a trophy -- took maybe an hour to write a test harness: mjansson/mdns@4c64fba

@QiuhaoLi commented Feb 15, 2021

Recently I discovered the following bugs using AFL++.

FFmpeg: HEVC NULL pointer dereference

GNOME: Mishandle NULL pointer in the xps converter

GNU core utilities: Heap underflow when expr(1) mishandles unmatched \(...\) in regular expressions

QEMU: CVE-2020-29129 CVE-2020-29130 OOB access while processing ARP/NCSI packets in SLiRP

Thank you!

@andreafioraldi (Member, Author) commented Feb 17, 2021

Hi @virtuald @QiuhaoLi (the coreutils one in your case), can you give me an identifier for the bugs you reported, rather than linking just the commit with the patch?
A ticket number is enough.

@QiuhaoLi

Hi @andreafioraldi

The ticket number of coreutils' bug is Bug 1919775. But this ticket is now private since the Red Hat guys and I thought this was a security-related flaw (the upstream developers disagree with it). It will be public in the future.

Btw, could you change the name QiuhaoLi to Qiuhao Li? Li is my family name 😊.

Thank you!

@andreafioraldi (Member, Author)

yes i just put your github nick, will change asap

@vanhauser-thc (Member)

CVE-2021-27804 multiple vulnerabilities in jpeg-xl

@samstack6

> CVE-2021-27804 multiple vulnerabilities in jpeg-xl

Can you please share the exact AFL++ config that you set to discover this vulnerability? cmplog, asan, or others?

@vanhauser-thc (Member)

> > CVE-2021-27804 multiple vulnerabilities in jpeg-xl
>
> Can you please share the exact AFL++ config that you set to discover this vulnerability? cmplog, asan, or others?

that was a mix of 16 afl++ instances. 2 with cmplog, 1 with laf-intel, the rest a mix of with/without -Z, -L0, -p schedule, no testcase trimming etc.
no asan/ubsan required, I build an asan variant for crash deduping (easiest way IMHO).

with their last release I could trigger crashes with just a few minutes runtime. but did not report anymore as they were not flagging any of the releases - where they fixed my reports - as security relevant.

Initially you will need quite some hours until you have a good corpus (and you need to create proper input files as well for that)

@samstack6

> > > CVE-2021-27804 multiple vulnerabilities in jpeg-xl
> >
> > Can you please share the exact AFL++ config that you set to discover this vulnerability? cmplog, asan, or others?
>
> that was a mix of 16 afl++ instances. 2 with cmplog, 1 with laf-intel, the rest a mix of with/without -Z, -L0, -p schedule, no testcase trimming etc.
> no asan/ubsan required, I build an asan variant for crash deduping (easiest way IMHO).
>
> with their last release I could trigger crashes with just a few minutes runtime. but did not report anymore as they were not flagging any of the releases - where they fixed my reports - as security relevant.
>
> Initially you will need quite some hours until you have a good corpus (and you need to create proper input files as well for that)

Thanks.

I heard that ASAN has a good impact on fuzzing as it makes the fuzzing more sensitive to memory corruption bugs. Do you mean it isn't required anymore for detecting this class of bugs and cmplog is enough?

@vanhauser-thc (Member)

if a memory corruption does not result in a crash then this is something asan will find. if it crashes anyway then asan doesn't help. I usually have 1 asan instance in the fuzzing campaign. note that libfuzzer needs asan to solve fuzzing constraints, afl++ doesn't.
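The campaign layout vanhauser-thc describes above (16 instances, 2 with cmplog, 1 with laf-intel, the rest a mix of -Z, -L 0, -p schedules and no trimming, with a separate ASAN build kept for crash deduping), written out as an added example that is not code from this thread or from AFL++: a POSIX sh helper that emits one afl-fuzz command line per instance, plus a small awk-based key for deduplicating crashes replayed under the ASAN build. The binary names, directories and the ASAN report below are assumptions constructed for the example.

```shell
# Constructed example: a 16-instance AFL++ campaign shaped like the one
# described above, plus an ASAN-based crash dedup key. Assumed builds:
#   ./target-plain   afl-clang-fast build, no sanitizer (most instances)
#   ./target-cmplog  same source built with AFL_LLVM_CMPLOG=1
#   ./target-laf     built with AFL_LLVM_LAF_ALL=1 (laf-intel)
#   ./target-asan    built with AFL_USE_ASAN=1, used only for triage
# Seeds live in ./in, the sync dir is ./out, the target reads a file (@@).

# Option mix for instances 4..16: rotate the power schedule (-p), add
# sequential queue selection (-Z) and MOpt (-L 0) to some of them.
mix_opts() {
  case $(( $1 % 4 )) in
    0) echo "-p fast" ;;
    1) echo "-p explore -Z" ;;
    2) echo "-p rare -L 0" ;;
    3) echo "-p exploit -Z" ;;
  esac
}

# afl-fuzz command line for instance $1 (1..16): instance 1 is the main
# node, 1 and 2 carry cmplog, 3 runs the laf-intel build, and every
# even-numbered remaining instance disables trimming via AFL_DISABLE_TRIM.
afl_cmd() {
  i=$1; envp=""; bin=./target-plain
  if [ "$i" -eq 1 ]; then role="-M main"; else role="-S sec$i"; fi
  case "$i" in
    1|2) extra="-c ./target-cmplog" ;;
    3)   extra=""; bin=./target-laf ;;
    *)   extra=$(mix_opts "$i")
         if [ $(( i % 2 )) -eq 0 ]; then envp="AFL_DISABLE_TRIM=1 "; fi ;;
  esac
  echo "${envp}afl-fuzz -i in -o out $role${extra:+ $extra} -- $bin @@"
}

# Print all 16 command lines; start each one in its own terminal/tmux pane.
launch_all() { i=1; while [ "$i" -le 16 ]; do afl_cmd "$i"; i=$((i + 1)); done; }
# Dedup key for a crash replayed under ./target-asan: bug kind plus the
# top stack frame, parsed from an ASAN report read on stdin.
asan_key() {
  awk '/ERROR: AddressSanitizer:/ { kind = $3 }
       /^[ \t]*#0 / && frame == "" { frame = $4 }
       END { if (kind != "") print kind "@" frame }'
}
# Constructed ASAN report used to exercise asan_key offline.
SAMPLE_ASAN='==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014
READ of size 4 at 0x602000000014 thread T0
    #0 0x4a1b2c in parse_chunk decoder.c:42:7
    #1 0x4a0f10 in main fuzz_main.c:17:3'
if [ "${AFL_CAMPAIGN_PRINT:-0}" = 1 ]; then launch_all; fi
```

Run with `AFL_CAMPAIGN_PRINT=1 sh campaign.sh` to list the commands; pipe each crash's replay output under ./target-asan through `asan_key` and count unique keys to get a first-pass dedup.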

@nataraj-hates-MS-for-stealing-github (Contributor)

postgresql: Crash while parsing zero-symbols in jsonb string representation

found by me: Nikolay Shaplov (Postgres Professional)

@a-shvedov (Contributor)

Nodejs:
proto.write: CWE-122,
worker_threads: CWE-20;
JPEG XL:
jxl::FindExifTagPosition: CWE-787;
Perl:
pp_select: CWE-457;

Best regards, Alexander!

@nataraj-hates-MS-for-stealing-github (Contributor)

Added @a-shvedov's info to the site as a pull request.

@faran1512 commented Mar 7, 2024

@andreafioraldi Found a CVE in zlog library using AFL++
CVE-2024-22857
Details at: https://www.ebryx.com/blogs/arbitrary-code-execution-in-zlog-cve-2024-22857
Faran Abdullah

@nataraj-hates-MS-for-stealing-github (Contributor)

> @andreafioraldi Found a CVE in zlog library using AFL++ CVE-2024-22857 Details at: https://www.ebryx.com/blogs/arbitrary-code-execution-in-zlog-cve-2024-22857 Faran Abdullah

Added this to AFLplusplus/Website#8 hope somebody will merge it eventually...
