Applying Fuzzing Techniques Against PDFTron: Part 1
Introduction:
PDFTron SDK brings a wide variety of PDF parsing functionalities. It varies from reading and viewing PDF files to converting PDF files to different file formats. The provided SDK is widely used and supports multiple platforms, it also exposes a rich set of APIs that helps in automating PDFTron functionalities.
PDFtron was one of the targets we started looking into since we decided to investigate PDF readers and PDF convertors. Throughout this blog post, we will discuss the brief research that we did.
The blog will discuss our efforts which will break down the harnessing and fuzzing of different PDFTron functionalities.
How to Tackle the Beast: CLI vs Harnessing:
Since PDFTron provides well documented CLI’s, it was the obvious route for us to go, we considered this as a low-hanging fruit. Our initial thinking was to pick a command, try to craft random PDF files and feed them to the specific CLI, such as pdf2image. We were able to get some crashes this way, we thought it can’t get any better, right? Right???
But after a while, we wanted to take our project a step further, by developing a costume harness using their publicly available SDK.
Lucky enough, we found a great deal of projects on their website which includes small programs that were developed in C++, just ripe and ready to be compiled and executed. Each program does a very specific function, such as adding an image to a PDF file, extracting an image from a PDF file, etc.
We could easily integrate those code snippets into our project, feed them mutated inputs and monitor their execution.
For example, we harnessed the extract image functionality, but also we did minor modifications to the code by making it take two arguments:
1. The mutated file path.
2. Destination to where we want the image to be extracted.
Following are the edited parts of PDFTron’s code:
How Does our Fuzzer Work?
We developed our own custom fuzzer that uses Radamsa as a mutator, then feed the harness the mutated files while monitoring the execution flow of the program. If and when any crash occurs, the harness will log all relative information such as the call stack and the registers state.
What makes our fuzzer generic, is that we made a config file in JSON format, that we specify as the following:
1- Mutation file format.
2- Harness path.
3- Test-cases folder path.
4- Output folder path.
5- Mutation tool path.
6- Hashes file path.
We fill these fields in based on our targeted application, so we don’t have to change our fuzzer source code for each different target.
The Components:
We divided the fuzzer into various components, each component has a specific functionality, the components of our fuzzer were:
A. Test Case Generator: Handled by Radamsa.
B. Execution Monitor: Handled by PyKd.
C. Logger: Costume built logger.
D. Duplicate Handler: Handled by !exploitable Toolkit.
We will go over each component and our way of implementing it in details in the next section.
A. Test Case Generator:
As mentioned before, we used Radamsa as our test case generator (mutation-based), so we integrated it with our fuzzer mainly due to it supporting a lot of mutation types, which saves plenty of time on reimplementing and optimizing some mutation types.
we also listed some of the mutation types that Radamsa supports and stored it in a list to get a random mutation type each time.
After generating the list, we need to place Radamsa’s full command to start generating the test cases after specifying all the arguments needed:
Now we got the test cases at the desired destination folder, each time we execute this function Radamsa generates 20 mutated files which later will be fed to the targeted application.
B. Execution Monitor:
This part is considered as the main component in our fuzzer, it contains three main stages:
1. Test case running stage.
2. Program execution stage.
3. Logging stage.
After we prepared the mutated files, we can now test them on the selected target. In our fuzzer, we used PyKd library to execute and check the harness’ execution progress. If the harness terminates the execution normally, our fuzzer will test the next mutated file, and if our harness terminates the execution due to access valuation our fuzzer will deal with it (more details on this later).
PyKd will run the harness and will use the expHandler variable to check the status of the harness execution. The fuzzer will decide whether a crash happened to the harness or not. We create a class called ExceptionHandler which monitors the execution flow of our harness, it checks exception flag, if the value is 0xC0000005, its usually a promising bug.
If accessViolationOccured was set to true, our fuzzer will save the mutated file for us to analyze it later, if it was set to false, that means the mutated file did not affect the harness execution and our harness will test another file.
C. Logging:
This component is crucial in any fuzzing framework. The role of the logger is to log a file that briefly details the crash and saves the mutated file that triggered the crash. Some important details you might want to include in a log:
- Assembly instruction before the crash.
- Assembly instruction where the crash occurred.
- Registries states.
- Call stack.
After fetching all information we need from the crash, now we can write it into a log file. To avoid naming duplication problems, we saved both the test case that triggered the crash and the log file with the epoch time as their file names.
This code snippet saves the PoC that triggered the crash and creates a log file related to the crash in our disk for later analysis.
D. Duplicate Handler:
After running the fuzzer over long periods of time, we found that the same crash may occur multiple times, and it will be logged each time it happens. Making it harder for us to analyse unique crashes. To control duplicate crashes, we used “MSEC.dll”, which is created by the Microsoft Security Engineering Center (MSEC).
We first need to load the DLL to WinDbg.
Then we used a tool called “!exploitable”, this tool will generate a unique hash for each crash along with crash analysis and risk assessment. Each time the program crashes, we will run this tool to get the hash of the crash and compare it to the hashes we already got before. If it matches one of the hashes, we will not save a log for this crash. If it’s a unique hash, we will store the new hash with previous crash hashes we discovered before and save a log file for the new crash with it’s test case.
In the second part of this blogpost, we will discuss integrating the harness with a publicly available fuzzer and comparing the results between these two different approaches.
Stay tuned, and as always, happy hunting!