This repo replicates the discovery of CVE-2017-10671, a memory corruption bug in sthttpd that may allow a remote attacker to run arbitrary code (CVSS Score: 7.8).
We reported this bug responsibly to the maintainers; the follow-on issue is tracked here.
Note: because the target is an unmodified sthttpd binary reached over the network, the bug can only be found by fuzzers that support network fuzzing (such as Mayhem).
To build the docker image yourself, run:
docker build -t forallsecure/sthttpd-cve-2017-10671 .
If you don't want to build locally, pull the pre-built image directly from Docker Hub:
docker pull forallsecure/sthttpd-cve-2017-10671
Change to the sthttpd-cve-2017-10671 folder and run:
mayhem run mayhem/sthttpd
and watch Mayhem replicate the bug! This one takes a little longer to find (about an hour), which is still very quick.
Because this is an uninstrumented network binary, it is not easy to fuzz locally. [Mayhem](https://www.forallsecure.com/solutions/devsecops/), however, can fuzz it as-is.
We have included a proof-of-concept output under the poc directory.
Note: fuzzing has some degree of non-determinism, so when you run it yourself you may not get exactly this file. This is expected; your output should still trigger the sthttpd bug.
This bug was originally found and responsibly disclosed by ForAllSecure employee Alex Rebert, and it has since been fixed by Alex as well.