# Fuzzing terminal emulators #

## Step 1: Prepare libclose.so and terminal-test ##

```
$ cd /home/jagger/src/honggfuzz/examples/terminal-emulators/
$ make
../../hfuzz_cc/hfuzz-clang -std=c99  -o terminal-test terminal-test.c
cc -std=c99  -shared -o libclose.so libclose.c
```

*libclose.so* serves one purpose only: when preloaded (with _LD_PRELOAD=libclose.so_)
it prevents file descriptors *1022* and *1023* (used by honggfuzz for coverage
feedback accumulation) from being closed by the fuzzed binary (the terminal
emulator) before it hands control to the _terminal-test_ binary. Terminal
emulators typically close inherited descriptors in the child they spawn, which
would cut the fuzzed process off from the fuzzer's feedback channel.

The *terminal-test* program feeds the terminal emulator with data from the
fuzzing engine and tries to read back any data the terminal produces in
response. See the _Bonus: term.log_ section on why that might matter.

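The interposer below is an added example of the technique libclose.so relies on; it is written for this page and is not the project's libclose.c. It assumes Linux (descriptors that are not protected go straight to the close(2) system call via syscall(2), so no dlsym(RTLD_NEXT) and no -ldl are needed), hard-codes the two descriptor numbers the text names, and bumps the soft RLIMIT_NOFILE if it is too low to address them. The self-check at the end needs no terminal emulator: it dups /dev/null onto fd 1022, "closes" it through the interposer and confirms the descriptor is still open.

```c
/* Added example of the technique libclose.so relies on; this is not the
 * project's libclose.c. Assumes Linux: non-protected descriptors are passed
 * straight to the close(2) system call, so no dlsym(RTLD_NEXT)/-ldl is needed.
 * Build and use (hypothetical file name):
 *   cc -std=gnu99 -fPIC -shared -o libclose_example.so libclose_example.c
 *   LD_PRELOAD=$PWD/libclose_example.so xterm -e ./terminal-test             */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifdef __linux__
long syscall(long number, ...);   /* glibc/musl prototype, repeated for strict -std= modes */
#endif

/* Descriptors honggfuzz uses for coverage feedback (numbers from the text above). */
#define HF_FEEDBACK_FD_LO 1022
#define HF_FEEDBACK_FD_HI 1023

/* 1 if fd is one of the descriptors the interposer refuses to close. */
int hf_is_protected_fd(int fd) {
    return fd == HF_FEEDBACK_FD_LO || fd == HF_FEEDBACK_FD_HI;
}

/* Interposed close(2). Whatever fd-closing loop the terminal emulator runs
 * before exec'ing its child sees success for the feedback fds, but they stay
 * open and are inherited by terminal-test. Everything else is closed for
 * real, so the emulator's behaviour is otherwise unchanged. */
int close(int fd) {
    if (hf_is_protected_fd(fd)) {
        return 0;
    }
    return (int)syscall(SYS_close, fd);
}

/* honggfuzz's fds sit just under the traditional 1024 limit; make sure the
 * soft RLIMIT_NOFILE lets this process address them. Returns 0 on success. */
static int ensure_fd_limit(rlim_t need) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0) return -1;
    if (rl.rlim_cur >= need) return 0;
    if (rl.rlim_max < need) return -1;          /* hard limit too low */
    rl.rlim_cur = need;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Self-check that needs no terminal emulator: dup /dev/null onto a protected
 * fd, close() it through the interposer and see whether it is still open
 * (fcntl(F_GETFD) fails with EBADF on a closed descriptor). Also checks that
 * an ordinary fd really is closed. Returns 1 on success, 0 on a logic
 * failure, -1 if the environment could not be set up. */
int hf_selfcheck(void) {
    if (ensure_fd_limit(HF_FEEDBACK_FD_HI + 1) < 0) return -1;
    int nullfd = open("/dev/null", O_RDONLY);
    if (nullfd < 0) return -1;
    if (dup2(nullfd, HF_FEEDBACK_FD_LO) < 0) {
        syscall(SYS_close, nullfd);
        return -1;
    }

    int rc_protected = close(HF_FEEDBACK_FD_LO);                /* interposed: no-op */
    int still_open = fcntl(HF_FEEDBACK_FD_LO, F_GETFD) != -1;

    int rc_plain = close(nullfd);                               /* interposed: real close */
    int plain_closed = fcntl(nullfd, F_GETFD) == -1 && errno == EBADF;

    syscall(SYS_close, HF_FEEDBACK_FD_LO);  /* bypass the interposer to tidy up */
    return rc_protected == 0 && still_open && rc_plain == 0 && plain_closed;
}
```

Going through the raw system call rather than a saved pointer to libc's close() also avoids a subtle trap with interposers: if the emulator calls close() from a constructor before the preloaded library has resolved its own symbols, a dlsym-based version would dereference a NULL function pointer.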
## Step 2: Instrument your terminal emulator ##

Add compile-time instrumentation to the terminal emulator you want to fuzz. Typically it
consists of the following sequence of commands (for xterm):

```
$ cd xterm-327
$ CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC ./configure
...
...
$ CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC make -j4
```

Alternatively, you might want to compile it with ASAN enabled, for better
detection of memory-corruption problems:

```
$ cd xterm-327
$ HFUZZ_CC_ASAN=1 CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC ./configure
...
...
$ HFUZZ_CC_ASAN=1 CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC make -j4
```

## Step 3: Create initial input corpus ##

It can consist of even a single file.

```
$ mkdir IN
$ echo A >IN/1
```

## Step 4: Launch it! ##

```
$ /home/jagger/src/honggfuzz/honggfuzz -z -P -f IN/ -E LD_PRELOAD=/home/jagger/src/honggfuzz/examples/terminal-emulators/libclose.so -- xterm-327/xterm -e /home/jagger/src/honggfuzz/examples/terminal-emulators/terminal-test
```

Typical output:
```
----------------------------[ honggfuzz v1.0alpha ]---------------------------
  Iterations : 4,865,546 [4.87M]
       Phase : Dynamic Main (2/2)
    Run Time : 0 hrs 0 min 15 sec
   Input Dir : [865] 'IN/'
  Fuzzed Cmd : './xterm -e /home/jagger/src/honggfuzz/examples/terminal-em...'
     Threads : 4, CPUs: 8, CPU: 733% (91%/CPU)
       Speed : 320,951/sec (avg: 324,369)
     Crashes : 0 (unique: 0, blacklist: 0, verified: 0)
    Timeouts : 0 [10 sec.]
 Corpus Size : 265, max file size: 1,024
    Coverage : bb: 850 cmp: 35,516
-----------------------------------[ LOGS ]-----------------------------------
NEW, size:912 (i,b,sw,hw,cmp): 0/0/1/0/1, Tot:0/0/772/0/32216
NEW, size:940 (i,b,sw,hw,cmp): 0/0/1/0/32, Tot:0/0/773/0/32248
NEW, size:919 (i,b,sw,hw,cmp): 0/0/0/0/9, Tot:0/0/773/0/32257
NEW, size:1024 (i,b,sw,hw,cmp): 0/0/0/0/2, Tot:0/0/773/0/32259
NEW, size:1013 (i,b,sw,hw,cmp): 0/0/0/0/1, Tot:0/0/773/0/32260
...
...
```

## Bonus: term.log ##

The *term.log* file will contain the data that _terminal-test_ managed to read
back from the terminal emulator's input buffer, i.e. the bytes the emulator sends
to the program running inside it. It will typically contain responses to ESC
sequences requesting information about the terminal size or the current color
map. But if you notice arbitrary or binary data there, basically anything a
typical terminal shouldn't respond with, investigate it. You might have just
found an interesting case of RCE: arbitrary data from the fuzzed input being
pushed into the terminal's input buffer and then read back (and potentially
executed) by whatever runs under said emulator (e.g. _/bin/bash_).

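To make the "anything a typical terminal shouldn't respond with" test mechanical, here is an added triage helper for term.log. It is not part of the project's terminal-test.c; the reply grammar it accepts (CSI replies, plus OSC and DCS replies with printable payloads, 7-bit ESC introducers only) and the two embedded samples are assumptions made for this page, not real captures. Every byte that does not belong to a well-formed reply is counted as suspicious, so a truncated reply is flagged too, which is what you want when fuzzing.

```c
/* Added example: heuristic triage of term.log. Not part of the project's
 * terminal-test.c; the accepted grammar (CSI, OSC and DCS replies with
 * printable payloads, 7-bit ESC introducers only) and the samples are
 * assumptions made for this page. Anything outside a well-formed reply is
 * counted as suspicious: that is the arbitrary/binary data worth a look. */
#include <stddef.h>
#include <stdio.h>

#define ESC 0x1b
#define BEL 0x07

struct triage {
    size_t replies;     /* complete escape-sequence replies recognised */
    size_t suspicious;  /* bytes that belong to no recognised reply */
};

/* CSI reply: p[0] == '[' (ESC already consumed), then parameter bytes
 * 0x30-0x3f, intermediate bytes 0x20-0x2f and one final byte 0x40-0x7e.
 * Returns bytes consumed from p, or 0 if the sequence is malformed/truncated. */
static size_t csi_len(const unsigned char *p, size_t n) {
    size_t i = 1;
    while (i < n && p[i] >= 0x30 && p[i] <= 0x3f) i++;
    while (i < n && p[i] >= 0x20 && p[i] <= 0x2f) i++;
    return (i < n && p[i] >= 0x40 && p[i] <= 0x7e) ? i + 1 : 0;
}

/* OSC (ESC ]) and DCS (ESC P) replies run until BEL or ST (ESC \). The
 * payload must be printable ASCII, so a binary blob cannot hide inside one. */
static size_t string_len(const unsigned char *p, size_t n) {
    for (size_t i = 1; i < n; i++) {
        if (p[i] == BEL) return i + 1;
        if (p[i] == ESC) return (i + 1 < n && p[i + 1] == '\\') ? i + 2 : 0;
        if (p[i] < 0x20 || p[i] > 0x7e) return 0;
    }
    return 0;                                   /* unterminated */
}

/* Walk the captured bytes, counting well-formed replies and stray bytes. */
struct triage triage_termlog(const unsigned char *buf, size_t len) {
    struct triage t = {0, 0};
    size_t i = 0;
    while (i < len) {
        size_t used = 0;
        if (buf[i] == ESC && i + 1 < len) {
            const unsigned char *p = buf + i + 1;
            size_t n = len - i - 1;
            if (p[0] == '[') used = csi_len(p, n);
            else if (p[0] == ']' || p[0] == 'P') used = string_len(p, n);
            if (used) used += 1;                /* the ESC itself */
        }
        if (used) { t.replies++; i += used; }
        else      { t.suspicious++; i++; }
    }
    return t;
}

/* Constructed samples, not real captures. */
static const char SAMPLE_CLEAN[] =
    "\033[24;80R"                       /* cursor position report: 24 rows, 80 cols */
    "\033[?62;1;2;4c"                   /* primary device attributes reply */
    "\033]11;rgb:0000/0000/0000\007";   /* OSC 11: background colour reply */
static const char SAMPLE_INJECTED[] =
    "\033[24;80R"
    "echo pwned\n";                     /* not a reply: the shell would read this */

struct triage demo_clean(void) {
    return triage_termlog((const unsigned char *)SAMPLE_CLEAN, sizeof SAMPLE_CLEAN - 1);
}
struct triage demo_injected(void) {
    return triage_termlog((const unsigned char *)SAMPLE_INJECTED, sizeof SAMPLE_INJECTED - 1);
}

int main(void) {
    struct triage a = demo_clean(), b = demo_injected();
    printf("clean:    %zu replies, %zu suspicious bytes\n", a.replies, a.suspicious);
    printf("injected: %zu replies, %zu suspicious bytes\n", b.replies, b.suspicious);
    return 0;
}
```

Run it against a real term.log by reading the file into a buffer and passing it to triage_termlog(); a non-zero suspicious count is the cue to diff the fuzzer's input against the captured bytes and see which part of the input made it back out of the emulator.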