ForAllSecure Vulnerability Labs
We open source our vulnerabilities after our responsible disclosure period has terminated. You will find:
- A reproducible environment for building the vulnerable code inside docker.
- Proof of concept artifacts that show how to trigger the discovered vulnerability.
- (Optional) If you are a ForAllSecure Mayhem subscriber, you can run all of these locally.
We will be adding to this as find more bugs! Currently we have:
- NCSA-HTTPd CVE-1999-0067 - read more here
- six-library Uninitialized Variable - read more here
- JQ Use-After-Free - read more here
- GNU libm CVE-2020-10029 - read more here
- Cereal CVE 2020-11104 & 2020-11105 - read more here
- Oniguruma Regex CVEs 2019-13224 & 2019-13225
- STB Vorbis CVE-2019-132xx - read more here
- MATIO CVE 2019-13107 - read more here
- Das U-Boot CVE 2019-13103 to 2019-13106 - read more here
- Netflix Dial CVE 2019-10028 - read more here
- objdump CVEs 2017-124xx - read more here
- sthttpd CVE 2017-10671
- OpenSSL CVE 2014-0160 - Heartbleed This is a template for how this directory should look; this vulnerability was originally found by Google Security reference.
Please report any issues on the GitHub issue tracker. This is not an official ForAllSecure product.
Running from Dockerhub
All vulnerabilities are in pare-built images on our ForAllSecure Dockerhub account. The image name is the same as the directory name, prefixed with "forallsecure". For example, to run openssl-cve-2014-0160:
docker run forallsecure/openssl-cve-2014-0160Mayhem Subscribers
Mayhem subscribers can run all examples within their Mayhem
instance. The mayhemit.sh utility script helps with migration.
If you have access to dockerhub.com from your network:
./mayhemit.sh runIf you do not have access to dockerhub.com from your network, you will
need to migrate the docker images to your local Mayhem docker
repository, and rewrite the Mayhemfile to point to that registry.
You can do this by running:
To start Mayhem fuzzing, you can use mayhem run, or use this script
as follows:
mayhem run .Building Locally
You can build and run the image locally. For example, if you are a researcher you can build the docker image to better understand the vulnerability.
To build:
./mayhemit.sh --build <directory> # A single CVE
./mayhemit.sh --build --all # Every CVE in this repositoryTwo notes:
-
You may need Mayhem to fuzz some targets. Mayhem supports binary-only fuzzing, network inputs (TCP & UDP), and many other features. Some targets, however, are libfuzzer or AFL. These you can fuzz yourself with the standard AFL or libfuzzer tool.
-
A single docker image includes multiple CVEs when they are all based on the same source code build.
If you are wondering what Mayhem runs, look in
<dir>/mayhem/<name>/Mayhemfile. A Mayhemfile is a yaml file, and
Mayhem fuzzing executes the cmd as given.
You always can run the vulnerable program/target locally. Run the
docker image, and look at the associated cmd. E.g., for heartbleed,
do:
host$ docker run -ti openssl-cve-2014-0160 bash
docker$ /build/handshake-fuzzer
Migrating to a closed network or your own Mayhem docker registry
These directions also apply to any Mayhem subscriber who does not wish to run the images from dockerhub (e.g., a closed network).
Migration steps:
-
On a host with access to dockerhub, run:
# Build all the images, rewriting the tag with your registry name. ./mayhemit.sh --all --saveThis will build all images, and save the docker images as tgz files.
-
Tar up this entire directory with the previously saved docker images from the previous step. For example:
cd .. && tar zcf vulnlabs.tgz ./vulnlabs
-
Copy over the resulting tar file (e.g.,
vulnlabs.tgz) to your a host on the closed network. You must have docker installed on this machine as well, but no internet access is required. -
Untar the tar file on the closed network host:
tar zxf vulnlabs.tgz
-
Rewrite all the
Mayhemfilefiles to point to your local docker registry, load up the images (the image is tagged withbaseimagefrom theMayhemfile), and push to your registry. It is important that you give the--rewriteflag first, as--loaduses the registrybaseimagedirective in theMayhemfileto determine the proper place to load the image:./mayhemit.sh --all --rewrite \"your-registry:your-port/openssl-cve-2014-0160\" --load
Replace
openssl-cve-2014-0160with the folder of the project you are analyzing. -
Test out a run, e.g.,:
./mayhemit.sh --run ./openssl-cve-2014-0160