Try Out C/C++ Fuzzing With CI Labs

CI Labs is a preconfigured Ubuntu VM that can be accessed via RDP. It has CI Fuzz preinstalled and includes a test project that lets you try out the fuzzing workflow with CI Fuzz without installing anything on your own device.

Contact us to get access to CI Labs. We will send you an IP address and credentials you can use to log in: https://page.code-intelligence.com/ci-labs/get-access.

The only requirement is an installed RDP client.

On Linux, you can for example use rdesktop:

rdesktop -rclipboard:PRIMARY -f 34.141.205.169

[Screenshot: xrdp login screen]

This article is a step-by-step guide to using CI Fuzz to find CVE-2021-27799, a stack buffer overflow in the ZINT Barcode Generator. It demonstrates the workflow of setting up fuzzing for a new project and writing fuzz tests.

After logging in to CI Labs with your RDP credentials, open the folder "zint-code" in VS Code.

[Screenshot: open the zint folder in VS Code]

[Screenshot: create a fuzzing project]

Leave the defaults for the project location. CI Fuzz detects that ZINT uses CMake and provides a default build script that works for most common CMake projects. Keep the default build script. In the following Docker setup step, enter the image name "cifuzz/builders:zint". This preconfigured Docker image provides the dependencies that ZINT needs to build.

[Screenshot: create project, select Docker image]

After clicking "Submit", the project is initialized and compiled. CI Fuzz automatically adds instrumentation to the build so that code coverage can be measured and vulnerabilities detected at runtime.

Next, you have to choose which function to fuzz. Since ZINT is a barcode generator that encodes strings into barcodes, the "ZBarcode_Encode" function is an obvious choice. As arguments, it takes the kind of barcode to be generated, the data to be encoded as a buffer, and the length of that buffer. A function that consumes an arbitrary byte buffer plus its length is an ideal fuzzing target.

Use the search to locate the "ZBarcode_Encode" function in the source code. To create a fuzz test, click the "Fuzz this function" button above the function name.

[Screenshot: search for the function to fuzz]

A code template is generated automatically. It contains all necessary includes and is preconfigured with the required compiler flags.

You only have to add the code that calls the function under test correctly and takes care of creating and deleting the required data structures.

[Screenshot: write the fuzz target]

#include <stddef.h>   /* size_t */
#include "zint.h"     /* ZBarcode_* and BARCODE_EANX; the generated template already includes this */

extern "C" int FUZZ(const unsigned char *Data, size_t Size)
{
  // Skip inputs that are too short or too long to be useful barcode data
  if (Size < 4 || Size > 1000)
    return 0;

  // Create a symbol and select the EAN symbology
  struct zint_symbol *my_symbol = ZBarcode_Create();
  my_symbol->symbology = BARCODE_EANX;

  // Call the function under test with the fuzzer-generated input
  ZBarcode_Encode(my_symbol, Data, Size);

  // Free the symbol so each iteration starts from a clean state
  ZBarcode_Delete(my_symbol);

  return 0;
}

You can also find this code in the file ~/materials/zint-fuzz-test. Copy it into the template as shown above.
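The fuzz test above hard-codes BARCODE_EANX, so only the EAN encoder is exercised. As an added example that is not part of the original article or of the ZINT project, the target below lets the fuzzer pick the symbology from the first input byte and feeds the remaining bytes to ZBarcode_Encode; it assumes the ZINT headers and library are on the build path (compile with -DHAVE_ZINT, an assumed flag name) and uses the FUZZ entry point shown on this page.

```c
/* Added example, not from the article or ZINT: byte 0 picks the symbology,
 * the rest is barcode data. Build with -DHAVE_ZINT -I<zint>/backend -lzint
 * (assumed paths); without HAVE_ZINT only the splitting helper compiles. */
#include <stddef.h>

#ifdef HAVE_ZINT
#include "zint.h"
/* Symbologies to exercise; each has its own encoder in libzint. */
static const int kSymbologies[] = {
    BARCODE_EANX, BARCODE_UPCA, BARCODE_CODE39, BARCODE_CODE128,
    BARCODE_PDF417, BARCODE_MAXICODE, BARCODE_QRCODE, BARCODE_DATAMATRIX,
};
#define NUM_SYMBOLOGIES (sizeof(kSymbologies) / sizeof(kSymbologies[0]))
#else
#define NUM_SYMBOLOGIES 8u /* must match the table size above */
#endif

struct fuzz_input {
    size_t symbology_index;    /* index into kSymbologies */
    const unsigned char *data; /* payload handed to ZBarcode_Encode */
    size_t length;
};

/* Byte 0 selects the symbology, the rest is barcode data. Returns 0 (skip)
 * when the input is too short or too long, like the page's size guard. */
int split_input(const unsigned char *raw, size_t size, struct fuzz_input *out)
{
    if (size < 4 || size > 1000)
        return 0;
    out->symbology_index = raw[0] % NUM_SYMBOLOGIES;
    out->data = raw + 1;
    out->length = size - 1;
    return 1;
}

#ifdef HAVE_ZINT
/* CI Fuzz entry point with the same signature as the FUZZ function above. */
int FUZZ(const unsigned char *Data, size_t Size)
{
    struct fuzz_input in;
    if (!split_input(Data, Size, &in))
        return 0;
    struct zint_symbol *sym = ZBarcode_Create();
    if (sym == NULL)
        return 0;
    sym->symbology = kSymbologies[in.symbology_index];
    sym->input_mode = DATA_MODE; /* raw bytes, no GS1/Unicode handling */
    ZBarcode_Encode(sym, in.data, (int)in.length);
    ZBarcode_Delete(sym);
    return 0;
}
#endif
```

Because the symbology is derived from the input, a crashing input saved by the fuzzer still reproduces the exact encoder that failed when it is replayed through the same target.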

Now you can run the fuzz test by clicking the yellow "Run" button.

[Screenshot: start the fuzz test]

After starting the test, the fuzz test is compiled and then executed many thousands of times per second.

[Screenshot: building the fuzz test]

After only a few seconds, the fuzzer stops and reports that a finding was discovered. Click on the bug symbol to view the details of the finding.

[Screenshot: coverage graphs]

The summary tab shows which line of code triggered the finding and the corresponding input.

[Screenshot: view finding]

[Screenshot: view finding, logs tab]

To get more details, switch to the logs tab. You can also start a debugger to analyze the stack buffer overflow by clicking the "Debug" button. This launches the debugger with the discovered crashing input and preconfigured breakpoints.

[Screenshot: debug finding]