Home

Awesome

HTTP/2 Peach Pit for Microsoft Edge

:fire: To make use of this Peach pit you must have a commercial copy of the Peach Fuzzer. :fire:

Here at Duo Labs we believe that open sourcing security research tools helps the the greater research community push technology forward. If you find this release useful please consider joining us in sharing your tools which are typically considered proprietary with the public in the spirit of bettering security for everyone.

This peach pit implements the HTTP/2 protocol (RFC-7540) and is targetted at Microsoft Edge. It was developed as part of a Duo Labs research project and has been run through about 150,000 iterations. Traffic samples within this release were generated with the use of the h2o server. With a little bit of work and understanding of the protocol, it should be retargetable to Firefox/Chrome.

-- @sirus

Details

HPACK_src/**

Contains C# code implementing the HPACKInteger packed integer type and the HuffmanTransformer string transformer as laid out in RFC-7541.

TLSProxy/**

As Peach currently does not support setting ALPNs on the SSlListener a pass through proxy was implemented. It must be run alongside the main Peach.exe instance. Also contains CA cert that must be installed on the target.

Data/**

Contains binary samples to feed Peach. Exercises PUSH_PROMISE and related functionality.

HTTP2_Data.xml

Contains all the data models in the HTTP/2 protocol.

HTTP2_State.xml

Contains Peach state model for driving testing of Edge.

HTTP2_Client.xml

Contains agent configurations and the fuzzer run configuration. Defaults to using MSCER-2 monitoring but direct WindowsDebugger monitors are available.

mscer2*.py

As Edge launches five separate processes per fuzzing iteration attaching to all of them takes a significant amount of time. As an alternative I've implemented a MSCER-2 monitor. MSCER-2 is the Windows Error Reporting protocol. Details on how to leverage this can be found here.

Fuzzer Configuration

In this section SUT (system under test) will refer to a Windows 10 host that is to be running Edge with an IP of 10.23.1.74. Host will refer to the system running Peach.exe with the IP of 10.23.1.53.

SUT Preparation

Install CA Cert

Using the windows certificate manager install the TLSProxy/ca.crt in to the trusted CA cert store.

Hostname Configuration

An entry pointing at the Host machine must be made in C:\windows\system32\drivers\etc\hosts under the name TARGET to for TLS to work:

10.23.1.53 TARGET

PageHeap Configuration

The easiest way to configure page heap is by utilizing the EdgeDbg package by Skylined and running EdgePageHeap.cmd ON otherwise manually configure through gflags.exe for the following five images:

MS-CER2 Collection

To use the native crash collection facilities of Windows the following registry key must be imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"CorporateWerPortNumber"=dword:000022b1
"CorporateWerServer"="TARGET"
"Disabled"=dword:00000000
"EnableZip"=dword:00000001
"DisableQueue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent]
"DefaultConsent"=dword:00000004

Start Peach Agent

Launch the PeachAgent.exe binary from an elevated command prompt and configure firewall settings to allow incoming connections from your Host machine.

Host Preparation

Configure Pit

Edit HTTP2_Client.xml and change the IP address of the remote agent to point to your SUT:

<Agent name="RemoteAgent" location="tcp://10.23.1.74:9001"> <!-- Change to IP of SUT-->

Further down, configure the interface that for the MS-CER2 monitor to bind to:

<Param name="Host" value="10.23.1.53" /> <!--  CHANGE TO IP TO HOST. -->

Start Fuzzing

Run TLSProxy

Start the TLS unwrapping proxy by executing:

python2 TLSProxy/h2unwrap.py

You will be able to monitor the traffic going to and from the SUT.

Test Peach

You should be good to go! Run a validation pass to make sure all the plumbing is working with:

mono Peach.exe --plugins=. -1 HTTP2_Client.xml

You should see Edge start, a page load and then edge close.

Start Fuzzing

If all goes well you should be ready to start fuzzing by dropping the -1 argument:

mono Peach.exe --plugins=. HTTP2_Client.xml