XDiFF v1.2.0 released: Extended Differential Fuzzing Framework

XDiFF

XDiFF is an Extended Differential Fuzzing Framework built to find vulnerabilities. Its goal is to collect as much valuable data as possible and then to infer all potential vulnerabilities in the application/s. Vulnerabilities can either be found in isolated pieces of software or by comparing:

  • Different inputs
  • Different versions
  • Different Implementations
  • Different operating systems’ implementations

The fuzzer uses Python and runs on multiple OSs (Linux, Windows, OS X, and Freebsd). Its main goal is to detect issues based on differential fuzzing aided with the extended capabilities to increase coverage. Still, it will found common vulnerabilities based on hangs and crashes, allowing to attach a memory debugger to the fuzzing sessions.

Changelog v1.2

This is the second release of XDiFF, presented in the Hack in the Box 2018 talk “Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing“.

Please refer to the documentation or the docs folder included to learn how to use it. To report any bugs or ask for features, feel free to open an issue or contact me at fernando.arnaboldi at ioactive.

Changelog for v1.2:

  • Changed main function names in the root directory
  • Improved code, documentation, and (most of) the code is now tested. Tons of bugfixes.
  • Improved analysis of network connections to test browsers connections
  • Added new analysis for error disclosure (analyze_error_disclosure) and path disclosure analysis has been splitted (analyze_path_disclosure_stdout and analyze_path_disclosure_stderr)
  • Added new compatibility class (classes.compat) to support Python 3
  • Added risk value to the different analytic functions. Print functions based on their rating: ./xdiff_analyze.py -d db.sqlite -r 0/1/2/3
  • Added support to test non random filenames in software.ini. Set the second column to Filename = /etc/yourfixedfilename
  • Added new parameters in the settings.py class
  • Added debug option to xdiff_run.py

Quick guide

Please follow the following steps:

  1. Install XDiFF
  2. Define the input
  3. Define the software
  4. Run the fuzzer
  5. Analyze the output
  6. Profit!

Disclaimer

The tool and the fuzzing process can be susceptible to code execution. Use it at your own risk always inside a VM.

Authors

  • Fernando Arnaboldi – Initial work
  • cclauss

For contributions, please propose a Changelog entry in the pull-request comments.