AFL/shellshock-fuzz.diff

This patch shows a very simple way to find post-Shellshock bugs in bash, as
discussed here:

  http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

In essence, it shows a way to fuzz environmental variables. Instructions:

1) Download bash 4.3, apply this patch, compile with:

   CC=/path/to/afl-gcc ./configure
   make clean all

   Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
   Florian's Shellshock patch (bash43-028), this is no longer passed down
   to the parser.

2) Create and cd to an empty directory, put the compiled bash binary in
   there, and run these commands:

   mkdir in_dir
   echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt

3) Run the fuzzer with:

   /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :

   The -d parameter is advisable only if the tested shell is fairly slow
   or if you are in a hurry; will cover more ground faster, but
   less systematically.

4) Watch for crashes in out_dir/crashes/. Also watch for any new files
   created in cwd if you're interested in non-crash RCEs (files will be
   created whenever the shell executes "foo>bar" or something like
   that). You can correlate their creation date with new entries in
   out_dir/queue/.

   You can also modify the bash binary to directly check for more subtle
   fault conditions, or use the synthesized entries in out_dir/queue/
   as a seed for other, possibly slower or more involved testing regimes.

   Expect several hours to get decent coverage.

--- bash-4.3/shell.c.orig	2014-01-14 14:04:32.000000000 +0100
+++ bash-4.3/shell.c	2015-04-30 05:56:46.000000000 +0200
@@ -371,6 +371,14 @@
   env = environ;
 #endif /* __OPENNT */
 
+  {
+
+    static char val[1024 * 16];
+    read(0, val, sizeof(val) - 1);
+    setenv("TEST_VARIABLE", val, 1);
+
+  }
+
   USE_VAR(argc);
   USE_VAR(argv);
   USE_VAR(env);
ADD file via upload 1 month ago			`This patch shows a very simple way to find post-Shellshock bugs in bash, as`
			`discussed here:`

			`http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html`

			`In essence, it shows a way to fuzz environmental variables. Instructions:`

			`1) Download bash 4.3, apply this patch, compile with:`

			`CC=/path/to/afl-gcc ./configure`
			`make clean all`

			`Note that the harness puts the fuzzed output in $TEST_VARIABLE. With`
			`Florian's Shellshock patch (bash43-028), this is no longer passed down`
			`to the parser.`

			`2) Create and cd to an empty directory, put the compiled bash binary in`
			`there, and run these commands:`

			`mkdir in_dir`
			`echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt`

			`3) Run the fuzzer with:`

			`/path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :`

			`The -d parameter is advisable only if the tested shell is fairly slow`
			`or if you are in a hurry; will cover more ground faster, but`
			`less systematically.`

			`4) Watch for crashes in out_dir/crashes/. Also watch for any new files`
			`created in cwd if you're interested in non-crash RCEs (files will be`
			`created whenever the shell executes "foo>bar" or something like`
			`that). You can correlate their creation date with new entries in`
			`out_dir/queue/.`

			`You can also modify the bash binary to directly check for more subtle`
			`fault conditions, or use the synthesized entries in out_dir/queue/`
			`as a seed for other, possibly slower or more involved testing regimes.`

			`Expect several hours to get decent coverage.`

			`--- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100`
			`+++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200`
			`@@ -371,6 +371,14 @@`
			`env = environ;`
			`#endif /* __OPENNT */`

			`+ {`
			`+`
			`+ static char val[1024 * 16];`
			`+ read(0, val, sizeof(val) - 1);`
			`+ setenv("TEST_VARIABLE", val, 1);`
			`+`
			`+ }`
			`+`
			`USE_VAR(argc);`
			`USE_VAR(argv);`
			`USE_VAR(env);`