The Rise of the Fuzzers

[This was originally published on the OSVDB blog.]

Fuzzers are by no means new. They have been used fairly extensively over the last half decade to find a number of vulnerabilities, most visibly through the PROTOS test suites from the University of Oulu. Back in July 2001 an LDAPv3 protocol test suite found issues in a variety of products. February 2003 saw SIP fuzzed, January 2004 was the turn of H.323, and more recently, in November 2005, ISAKMP was abused.

The last few weeks have seen two more such releases. Evgeny Legerov has written and released what he calls ProtoVer, which contains 3,665 tests for the LDAPv3 protocol. His tool has uncovered issues in Lotus Domino Server, CommuniGate Pro, GnuTLS, Sun Directory Server and IBM Tivoli Directory Server. At about the same time, Secuobs released a fuzzer for Bluetooth stack implementations, which found issues in hcidump as well as in Sony Ericsson and Nokia cell phones.
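To make concrete what a protocol test suite like the LDAPv3 one above actually exercises, here is a small added example; it is not ProtoVer's code or anyone else's from the posts mentioned, and its parsers are constructed toys. It builds a valid BER-encoded LDAP BindRequest, derives mutated test cases from it (truncations, boundary-value byte overwrites, an oversized long-form length), and runs them against two hypothetical TLV parsers: a naive one that trusts declared lengths, and a strict one that bounds-checks every length against its enclosing element. The fuzz loop reports which inputs made each parser fail with something other than a clean rejection.

```python
"""Toy LDAPv3/BER mutation fuzzer (constructed example, not ProtoVer)."""


def ber_len(n):
    """Encode a BER definite length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag-Length-Value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id=1, dn=b"cn=admin,dc=example,dc=com", pw=b"secret"):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    Tag 0x60 is [APPLICATION 0] BindRequest, 0x80 is the simple password."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, pw))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


class BerError(ValueError):
    """Clean rejection of malformed input by the strict parser."""


def naive_parse(buf, pos=0, end=None):
    """Hypothetical weak parser: trusts declared lengths and never checks that
    a header or value fits in the buffer. Constructed tags are recursed into."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if tag & 0x20:  # constructed: walk children up to the declared end
            out.append((tag, naive_parse(buf, pos, pos + length)))
        else:
            out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def strict_parse(buf, pos=0, end=None, depth=0):
    """Hardened counterpart: every length is checked against the enclosing
    element, indefinite and oversized length encodings are rejected, and
    nesting depth is capped. Malformed input raises BerError, nothing else."""
    end = len(buf) if end is None else end
    if depth > 8:
        raise BerError("nesting too deep")
    out = []
    while pos < end:
        if end - pos < 2:
            raise BerError("truncated header")
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first & 0x80:
            n = first & 0x7F
            if n == 0 or n > 4 or end - pos < n:
                raise BerError("bad long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        else:
            length = first
        if length > end - pos:
            raise BerError("declared length exceeds enclosing element")
        if tag & 0x20:
            out.append((tag, strict_parse(buf, pos, pos + length, depth + 1)))
        else:
            out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def mutations(msg):
    """Yield (label, data) test cases derived from one valid message."""
    yield "original", msg
    for i in range(len(msg)):
        yield f"truncate@{i}", msg[:i]
    for i in range(len(msg)):
        for v in (0x00, 0x7F, 0x80, 0xFF):  # boundary values for tag/length bytes
            yield f"byte{i}={v:#04x}", msg[:i] + bytes([v]) + msg[i + 1:]
    # outer SEQUENCE claiming a 4 GiB long-form length
    yield "huge-len", b"\x30\x84\xff\xff\xff\xff" + msg[2:]


def fuzz(parser, cases):
    """Return {label: exception name} for inputs the parser did not handle cleanly."""
    crashes = {}
    for label, data in cases:
        try:
            parser(data)
        except BerError:
            continue  # rejected cleanly: the behaviour we want
        except Exception as exc:  # anything else is a bug the fuzzer found
            crashes[label] = type(exc).__name__
    return crashes


def run():
    """Fuzz both parsers with the same constructed cases."""
    cases = list(mutations(bind_request()))
    return fuzz(naive_parse, cases), fuzz(strict_parse, cases)


if __name__ == "__main__":
    naive, strict = run()
    print(f"naive parser: {len(naive)} crashing inputs, e.g. {sorted(naive)[:3]}")
    print(f"strict parser: {len(strict)} crashing inputs")
```

The naive parser fails on the truncated and oversized-length cases with an IndexError, which in a C implementation would be an out-of-bounds read rather than a caught exception; the strict parser rejects every malformed case with BerError and crashes on none. A real suite like the one described differs mainly in scale (thousands of generated cases, a live target over the network, and a monitor that notices the daemon dying), not in kind.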

As a side note to the above list, Chad Loder posted a reply noting that the Lotus Domino LDAP issues had been discovered, fixed, and reintroduced not once but twice. What does that say about the quality control of code in these big shops?

Dave Aitel responded to one post by asking, "why do fuzzers still work?" The easy answer is "vendors simply don't adequately test their products", but the question really does illustrate why we see so many vulnerabilities released every day. After all this time, and all the buzz and hype about the importance of security, just about every single product is still vulnerable to a well known and well documented class of attack: malformed input that its own protocol parsers were never tested against. It is clear that fuzzer utilities are very helpful in weeding out these issues. Since vendors aren't taking it upon themselves to write and use such tools, I certainly hope a few security companies write some decent fuzzers and market them to the big vendors. Hopefully 2006 will be the year of fuzzing, and the published vulnerabilities will demonstrate it.