In association with heise online

FileFuzz

The free tool FileFuzz, from security service provider iDefense, generates manipulated files for various programs on a Windows PC and then opens them with the relevant application [4]. It logs the reaction of the application and shows in its GUI whether, for example, a buffer overflow has occurred. FileFuzz currently supports only a few file types: jpg, wmf, pdf, vcf, wab, chm, ht, rm and a few rarely used file types.

Before beginning the actual fuzzing, the user creates corrupt files using the create menu. The program uses a normal file as a template, for example a JPG image, and overwrites certain user-specified bytes with zeros. A series of manipulated files can be created in one go, with changes being made at different points in the file.

FileFuzz tests how Internet Explorer reacts to prepared JPG pictures.

From the tool's execute menu, the predefined application can then be let loose on the files created. For JPG images, you can even choose between Internet Explorer and the shimgvw.dll library; the latter was the location of the WMF image processing vulnerability discovered in early 2006. Users can also run the files with their own applications by replacing the path for the predefined application with the path for their own application.

For each application, FileFuzz shows whether a file causes an exception, such as a sharing violation or a buffer overflow, and which file it was. The tool even shows an extract from the process register.
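The create-then-execute workflow described above, reduced to a short Python sketch. This is an added example, not FileFuzz's own code or part of the original article; all function names, the exit-code classification and the sample bytes are assumptions made for illustration.

```python
"""Zero-overwrite file fuzzing sweep (added example; not FileFuzz code)."""
import subprocess
from pathlib import Path

def zero_sweep(template: bytes, start: int, end: int, width: int = 1, step: int = 1):
    """Yield (offset, mutated_bytes) with `width` bytes zeroed at each offset in [start, end)."""
    end = min(end, len(template))
    for off in range(max(start, 0), end, step):
        n = min(width, len(template) - off)      # never grow the file at the tail
        yield off, template[:off] + b"\x00" * n + template[off + n:]

def write_cases(template: bytes, out_dir: Path, suffix: str, **sweep) -> list:
    """Write one file per mutation; the offset in the name makes a crash traceable."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for off, data in zero_sweep(template, **sweep):
        if data == template:                     # bytes were already zero: nothing new to test
            continue
        path = out_dir / f"case_{off:08d}{suffix}"
        path.write_bytes(data)
        paths.append(path)
    return paths

def classify(returncode: int) -> str:
    """Map an exit status to a verdict. POSIX reports death by signal as a negative
    code; Windows reports an unhandled exception as an NTSTATUS value >= 0xC0000000."""
    if returncode < 0 or returncode >= 0xC0000000:
        return "crash"
    return "ok" if returncode == 0 else "error-exit"

def run_case(command: list, case: Path, timeout: float = 5.0) -> str:
    """Run the program under test (`command`, supplied by the tester) on one case file."""
    try:
        done = subprocess.run(command + [str(case)], timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify(done.returncode)

# Constructed sample input: a JPEG-like header for demonstration, not a real image.
SAMPLE = bytes.fromhex("ffd8ffe000104a46494600010100000100010000")
```

Skipping mutations that leave the template unchanged keeps the run short, and a "hang" verdict is worth recording alongside crashes because a parser that never returns is also a processing error.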

Testing with manipulated JPG pictures may sometimes trigger a virus scanner alarm.

A quick test using manipulated PDF files was able to provoke numerous buffer overflows in Acrobat Reader, not all of which, however, would be exploitable. Testing with corrupted JPG images even prompted the AVG virus scanner running in the background to sound the alarm. The cause was the program's heuristic detection system, which detected potential malware behind the corrupt images.

FileFuzz can give useful indications of whether everything runs smoothly in an application's processing function and whether errors are at least dealt with properly. It should be noted that FileFuzz uses the standard paths for English versions of Windows. For German users, for example, it is therefore necessary to replace "Program Files" with "Programme" in the templates.

Permalink: http://h-online.com/-747187