Solana bug bounty is fake, in Aug 2023 I reported a bug, they acknowledged the issue, then stopped responding, then *deleted* the report (but I have a PDF printout of the discussion saved locally).
Just stick to reputable programs like Ethereum that play fair.
I found a math bug in the blst pairing library which Ethereum uses (but Eth isn't affected because it doesn't use the affected function).
A year of fuzzing on OSS-Fuzz didn't find it, and I found it accidentally as I was looking for something else..
I had so much fun auditing rippled. The code is neatly formatted and organized, minimal use of memcpy, smart pointers everywhere, extensive use of the battle-tested Boost libraries, use of Protobufs, no excessive resource consumption.. 👍
Lots of bugs found with and by Cryptofuzz lately; this is about 2 months worth, doesn't include bugs found for clients, and more is to be announced. It turns out that ECDSA implementations especially are prone to non-conformism and other bugs.
Golang cross-compiling really works amazing, you can just type 'GOARCH=s390x go build' and without even printing a warning it produces a binary you can readily run with QEMU. To do that with C/C++ you need a PhD in cross-compiling..
@jon_bottarini
@Hacker0x01
@EOS_io
Thank you. A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week.
The streaming API of the reference implementation of BLAKE (SHA-3 finalist, not BLAKE2 or 3) contains a bug where passing 0 bytes, instead of being a no-op, resets the internal state, yielding the base hash 716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a
Today there will be the coordinated disclosure of a crypto implementation bug that has gone unnoticed for many years. The impact is probably very limited but it's interesting nonetheless.
Find Squid bug for bug bounty. Write RCE exploit. Inform vendor (Oct. 5 2019). Send patch. Squid stops responding. Ask Internet Bug Bounty what to do. No response.
So here I am with a with a major internet software 0day that nobody cares to move forward. Welcome to 2014.
Just tried fuzzing the certificate parser of OpenSSL from 2003. It takes 1/10th of a second to find an out-of-bounds read (that's without a seed corpus).
Recently found a consensus bug in the Besu Ethereum client. Certain bytecode could cause an exception which causes the tx not to finalize.
Finding it was as simple as downloading the public OSS-Fuzz corpus for Geth and running it on Besu.
PSA: On Tuesday Aug 24th, Geth will issue a hotfix to a high severity security issue. Please make any necessary preparations to upgrade to the upcoming release (v.1.10.8).
#ethereum
#geth
HackerOne also continues to "manage" the Squid bounty program, promising big bounties but never paying. My report was triaged 8 months ago.
This is fraud and I will reporting HackerOne to the Federal Trade Commission if this is not resolved by next week.
The buffer overflow by
@taviso
made the headlines but here are some other recent bugs in libgcrypt found by Cryptofuzz:
- Mod/InvMod was broken (T5269, fixed in 1.9.1)
- ECDSA verifies with invalid pubkey (T5282)
- OOB read via scrypt, at least valgrind says so (just reported)
I "found" this bug a few weeks ago by just downloading and running OpenSSL OSS-Fuzz binaries + corpora (see dates in screenshot). Didn't report because I assumed OSS-Fuzz would have caught it.. Didn't it..?
I'm working on a machine-readable fuzzing corpora directory.
I will add docs (+ a script which fetches corpora) later but I think so far it's pretty self-explanatory. Please add entries if you can, this benefits everyone.
Report 2 memory bugs to a "managed" program on BugCrowd complete with poc, build script, stack trace, references.. Get this back for both. God knows how many bugs BugCrowd are hiding from the companies for whom they are managing 😂
Multi-arch instruction-level differential fuzzing with libFuzzer, Unicorn and Capstone. Also detects use of uninitialized memory. I want to subject OpenSSL's multiple implementations of the same functions (in C, optimized asm across multiple archs) to this.
You have:
- A complex software program, source code available
- Insane compute resources
- Limited human time (to write harnesses and poke around etc)
What would be your general approach to find as many vulnerabilities as possible?
Cannon (CANNON CANNON CANNON) is our next-gen fault proof architecture, and it’s coming soon.
It enables optimal data costs.
It effortlessly preserves EVM equivalence.
Its very first bug bounty goes live today. 💥
RustCrypto, which is a a suite of primitives widely used throughout the Rust ecosystem, is being fuzzed on OSS-Fuzz.
Other than finding that some hashes like Groestl are a little slow with large inputs no bugs have been detected. Very high quality code.
Within a few days I will publicly disclose a Monero "bleed" bug that leaks process memory to the network. Reported and acknowledged 6 months ago, but not yet fixed, though a new release, incorporating the fix, is supposedly planned for the near future.
Today there will be the coordinated disclosure of a crypto implementation bug that has gone unnoticed for many years. The impact is probably very limited but it's interesting nonetheless.
Another impossible fuzzing puzzle: if (v * v * v == 1881672302290562263) abort(); where v is uint64_t doesn't finish in 60000000000 iters. Solution is 1234567, Z3 solves it instantly.
simple_api_fuzzer -jobs=120 -use_value_profile=1 -max_len=256 -focus_function=BuildHuffmanTable on the most recent public corpus doesn't find it, at least not quickly. Using libwebp-address-202308310602, which is vulnerable (bad.webp triggers it).
Hopefully this will catch a bug or two in other libraries as well.
The lesson learned is that some bugs can be quite elusive even when targeted with countless CPU hours of purpose-built fuzzing.
I'm writing a Solidity to C++ converter by parsing Solidity JSON AST output so I can fuzz smart contracts like I fuzz OpenSSL.
It's fairly straightforward because the languages are quite similar, only minor AST rewrites are required to offer most Solidity functionality in C++.
I added Z3 support to Cryptofuzz to compute inputs to calculation operations yielding a specific result.
Inspired by a bug in a smart contract function which computes ceil(A*B/C). If A*B/C==2^256-1 and A*B%C!=0 then it would incorrectly overflow the result from 2^256-1 to 0.
I thought I had found a Solidity bug with differential fuzzing between optimization levels.
function f() public {assembly {mstore(and(keccak256(0,18446744057039951614),0), 123)}}
The cereal fuzzers can be found in (and built with) this repository:
I spent a lot of time on this and it is one of my most elaborate harnesses to date.
I have a DoS (slow execution) bug which affects most EVMs. If you're an EVM maintainer and slow contract execution is a concern to you, please reach out (e-mail in bio) and I'll notify you before I'll publish a blog post about the bug later this week.
I've spent hundreds of hours and CPU-decades of fuzzing on the Geth EVM. I did find some bugs along the way but at this point it's simply impeccable as far as I can tell.
@superphiz
Geth is the most hardened piece of software in blockchain. Many blockchains are literally just Geth forks
But running majority clients is bad for the safety and value of your precious ETH
@realGeorgeHotz
@Austen
Don't get rid of verbatim search, for me the usefulness of a search engine is the extent to which it resembles grep and avoids trying to be clever. (I don't see the problem in the first place, just don't make typo's or use autocorrect?)
For
@wolfSSL
I've written a Cryptofuzz module that tests their cryptography API. 7000 lines of harnessing code. I honestly can't think of any software that is fuzzed so deeply.
@killa
@the_secret_club
@floesen_
@Hacker0x01
I'm also still waiting for a reward in another H1 program for a bug reported in Jan. 2020 ("managed by HackerOne")
H1 consistently continues to run programs which take the bugs but never pay. That's clearly fraud and I suggest reporting them to the Federal Trade Commission
@FTC
Fuzzing tip: Use mutators to route symmetrical operations. Eg. Cryptofuzz reuses ECDSA Sign output as input to ECDSA Verify via the mutator and this is extremely effective, because EC crypto expects proper input (valid keys, signatures), and randomly generated data doesn't cut it
So in my custom mutator (which is already strongly optimized to construct meaningful inputs to math/crypto functions) I added a feature which mutates values in the Montgomery domain and this helps a lot because the bug is now found within minutes.
simple_api_fuzzer -jobs=120 -use_value_profile=1 -max_len=256 -focus_function=BuildHuffmanTable on the most recent public corpus doesn't find it, at least not quickly. Using libwebp-address-202308310602, which is vulnerable (bad.webp triggers it).
"The WebP 0day" -- a full technical analysis the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).
It's great that Google does this. As far as I'm aware there is no company investing so heavily in the security of general-purpose FOSS as Google. And a nice consequence of their crowd-sourcing is that anyone can make some extra cash regardless of their credentials or background.
@vegard_no
Note: Google VRP is paying generously for linux kernel patches, even patches that are already found by their syzkaller instance! Wanna earn a quick buck? Go fix some of the bugs! :)
@brewster_kahle
@internetarchive
I think it's not a matter of if but when the IA will be stricken by catastrophe (The Big One, fire, litigation, ..). IA should offer its whole public archive in chunks of 1TB torrents to ensure survival of data.
The subtraction mechanism involved in the OpenSSL vulnerability is interesting because you can use it to subtract a pointer delta from a existing function pointer to set it to a different function.
The following prints 'bad' 25% of the time with ASLR enabled.
I've been testing Stanford Javascript Crypto Library () (5600+ Github stars) with Cryptofuzz.
Observed wrong output for: PBKDF2+SHA1/SHA512/RIPEMD160 (but SHA256 is OK), bignum subtract if result is negative, scrypt with certain parameters, RIPEMD160 HMAC.
The raw memory of an (initialized!) long double type contains uninitialized bytes.
Try: long double v=0;for(int i=0;i<sizeof(v);i++)printf("%02X",*(((unsigned char*)&v)+i));
This can affect serialization eg. in Cereal:
I wonder if the nature of OpenSSL vuln can be figured out ahead of its disclosure using git kung fu based on these confirmed constraints:
- OpenSSL 1.1.1[a-q] are not affected
- LibreSSL and BoringSSL are not affected
- OpenSSL 3.0.0 through 3.0.6 are affected
Out of 499 OSS-Fuzz projects I surveyed, only 30 use custom mutators, and 9 of those are mine.
They don't make sense for every project, but they can be quite helpful and even essential if the format is particularly strict (valid checksums, source code parsing, signatures).
Another impossible fuzzing puzzle: if (v * v * v == 1881672302290562263) abort(); where v is uint64_t doesn't finish in 60000000000 iters. Solution is 1234567, Z3 solves it instantly.
Running all OSS-Fuzz fuzzers on their latest corpus while logging file and network access could lead to interesting finds.
strace -e trace=file,network -o trace.txt ./fuzzer corpus/ -runs=1
Hindsight is 20/20, but with a hook on javax.naming.Context
#lookup
and a generally useful improvement to the Map instrumentation, Jazzer reliably finds
#log4j
CVE-2021-44228 in ~5 min with a one-line fuzz target:
log.error(data.consumeRemainingAsString());
Fuzzer for arkworks crates, used by
@EspressoSys
,
@penumbrazone
and others, now running on OSS-Fuzz.
No bugs found during high-intensity fuzzing, harness currently only tests prime field math and point ops g1/g2 + * -, but it's a good start.
Because Squid maintainers and the Internet Bug Bounty are completely unresponsive, I've decided to publish the patch for the Squid remote buffer overflow, so people can patch ahead of an official release, whenever that may happen.
Mozilla NSS CVE-2020-12403: ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag.
Found with Cryptofuzz.
V8 BigInt fuzzer. Easily the most error-prone bignum API I've ever used; I had to slalom between a quite a few overflows before getting everything right (see comments in module.cpp). But I guess it's OK since it's only an internal API (?).
For a client I am looking for an auditor with good familiarity with BLS12-381, Rust, and preferably fuzzing. I had to forgo this opportunity for personal reasons but I want to connect my client with a good replacement. Please get in touch if you are or know someone who is keen.
blst BLS12-381 signature library (used by Ethereum 2.0) security advisory
Other bugs:
- uninitialized branching with non-standard domain separation tag
- invmod hang on i386 if input is 0 or modulo
- NULL ptr dereference
Found with Cryptofuzz
Releasing
#libcpucycles
library to count CPU cycles: Supports counters for amd64 (both PMC and TSC), arm32, arm64 (both PMC and VCT), mips64, ppc32, ppc64, riscv32, riscv64, sparc64, and x86, plus automatic fallbacks to various OS-level timing mechanisms.
OpenSSL mega crypto fuzzer: all (15) digests + all (144) sym. ciphers encryption+decryption (via EVP and BIO), HMAC + all digests, CMAC + all sym. ciphers, KDFs (SCRYPT + HKDF + TLS1 PRF) and then some. Project goal is mega crypto differential fuzzing @ Google oss-fuzz.
I've been doing a little fuzzing of EOS smart contracts (which are written in C++) with great results (as you'd expect from fuzzing) and as a side effect found a few bugs in the EOSIO Contract Development Toolkit as well.
Found an OpenSSL client DoS, kind of. <200KB of input keeps the client busy for minutes by having it invoke the DH keygen over and over.
Here's a script that generates an input for OpenSSL's client fuzzer:
For good measure I found and reported a few bugs in py-evm as well (not used in production, but in scope for the Eth bounty program). Once you've done all the legwork it becomes pretty easy.
We're excited to do more EVM audits. Get in touch: evm
@sentnl
.io
A Windows kernel memory bug was considered not in scope for vague reasons.
The Squid bug bounty program promises up to $32K per bug, but they stop responding after you've done your work, and they've never paid out a penny to anyone.
Bug bounties these days suck.