OpenXMolar is a Microsoft Open XML file format fuzzing framework, written in Python.
MS OpenXML office files are widely used and the attack surface is huge, due to complexity of the softwares that supports OpenXML format. Office Open XML files are zipped, XML-based file format. I could not find any easy to use OpenXML auditing tools/framework available on the internet which provides software security auditors a easy to use platform using which auditors can write their own test cases and tweak internal structure of Open XML files and run fuzz test (Example : Microsoft Office).
Hence OpenXMolar was developed, using which software security auditors can focus, only on writing test cases for tweaking OpenXML internal (XML and other ) files and the framework takes care of rest of the things like unpacking, packing of OpenXML files, Error handling, etc.
OpenXMolar is written and tested on Python v2.7. OpenXMolar uses following third party libraries
Debugger is an immense part of any Fuzzer. Open X-Molar supports two python debugger, one is winappdbg and another is pydbg. Sometimes installing pydbg on windows environment can be painful, and pydbg code base is not well maintained hence winappdbg support added to Open X-Molar. Its recommended that user use winappdbg.
Since we feed random yet valid data into target application during fuzzing, target application reacts in many different ways. During fuzzing the target application may throw different errors through different pop-up windows. To continue the fuzzing process, the fuzzer must handle these pop-up error windows properly. OpenXMolar uses PyAutoIT to suppress different application pop-up windows. PyAutoIt is Python binding for AutoItX3.dll
crash_binning is part of sulley framework. crash_binning.py is used only when you've selected pydbg as debugger. crash_binning.py is used to dump crash information. This is only required when you are using pydbg as debugger.
This is not core part of the Open X-Molar. The XML String Mutation module (FileFormatHandlers\xmlHandler.py) was written using xmltodict library.
On a high level, OpenXMolar can be divided into few components.
This is the core component of this Tool and responsible for doing many important stuffs like the main fuzzing loop.
This component mostly handles processing of OpenXML document such as packing, unpacking of openxml files, mapping them in memory, converting OpenXML document to python data structures etc.
This component suppresses/kills unwanted pop-ups appeared during fuzzing.
An OpenXML file may contain various files like XML files, Binary files etc. FileFormatHandlers are basically a collection of mutation scripts, responsible for handling different files found inside an OpenXML document and mutate them.
OXDumper.py decompresses OpenXML files provided in folder "OpenXMolar\BaseOfficeDocs\OpenXMLFiles" and output a python list of files present in the OpenXML file. OXDumper.py accepts comma separated file extensions. OXDumper.py is useful when you are targeting any specific set of files present in any OpenXML document.
crashSummary.py summarizes crashes found during fuzzing process in tabular format. The output of crashSummary.py should look like this:
The default configuration file 'config.py' is very well commented and explains all of its parameters really well. Please review the default config.py file thoroughly before running the fuzzer to avoid unwanted errors.
As said earlier, an OpenXML file package may contain various files like XML files, Binary files etc. FileFormatHandlers are basically a collection of mutation scripts, responsible for handling different files found inside an OpenXML document and mutate them. Generating effective test cases is the most important step in any fuzz testing process.
The motive behind OpenXMolar was to provide security auditors an easy & flexible platform on which fuzz tester can write their own test cases very easily for OpenXML files. When it comes to effective OpenXML format fuzzing, the main part is how we mutate different files (.xml, .bin etc) present inside OpenXML package (zip alike). To give users an idea of how file format handlers are written, two file format handlers are provided with this fuzzer, however they are very dumb in nature and not very effective.
| FileHandler | Description |
|---|---|
| xmlHandler.py | Responsible for mutation of XML files. |
| binaryHandler.py | Responsible for mutation of binary format files. |
| SampleHandler.py | Blank file format handler template |
Any file format handler module should be of following structure
# Import whatever you want.
class Handler():# The class name should be always 'Handler'
def __init__(self):
pass
def Fuzzit(self,actual_data_stream):
# A function called Fuzzit must be present in Handler class
# and it should return fuzzed data/xml string/whatever.
# Note: Data type of actual_data_stream and data_after_mutation should always be same.
return data_after_mutation
Once your file format handler module is ready you need to place the *.py file in FileFormatHandlers// folder and add the handler entry and associated file extension in config.py file like this :
FILE_FORMAT_HANDLERS = {'xml':'xmlHandler.py',
'bin':'BinaryHandler.py',
'rels':'xmlHandler.py',
'vml':'xmlHandler.py'
}The default PopUpKiller.py file provided with Open X-Molar, is having few most occurred pop up / error windows handler for MS Word, MS Excel & Power Point. Using AutoIT Window Info tool (https://www.autoitscript.com/site/autoit/downloads/) you can add more POPUP / Errors Windows Handlers into 'PopUpKiller.py'. One example is given below.
So to be able to Handle the error pop up window shown in screen shot, following lines need to be added in : PopUpKiller.py
if "PowerPoint found a problem with content" in autoit.win_get_text('Microsoft PowerPoint'):
autoit.control_click("[Class:#32770]", "Button1")
This fuzzer is well tested on 32 Bit and 64 Bit Windows Platforms (32 Bit Office Process). All the required libraries are distributed with this fuzzer in 'ExtDepLibs/' folder. Hence if you have installed python v2.7, you are good to go.
To verify everything is at right place, better to run Open X-Molar with Microsoft Default XPS Viewer first time(C:\Windows\System32\xpsrchvw.exe). Place any *.oxps file in '\BaseOfficeDocs\OpenXMLOfficeFiles' and run OpenXMolar.py.
OpenXMolar.py accepts one command line argument which is the configuration file.
C:\Users\John\Desktop\OpenXMolar>python OpenXMolar.py config.py
[Warning] Pydbg was not found. Which is required to run this fuzzer. Install Pydbg First. Ignore if you have winappdbg installed.
____ __ ____ __ _
/ __ \ \ \ / / \/ | | |
| | | |_ __ ___ _ __ \ V /| \ / | ___ | | __ _ _ __
| | | | '_ \ / _ \ '_ \ > < | |\/| |/ _ \| |/ _` | '__|
| |__| | |_) | __/ | | | / . \| | | | (_) | | (_| | |
\____/| .__/ \___|_| |_| /_/ \_\_| |_|\___/|_|\__,_|_|
| |
|_|
An MS OpenXML File Format Fuzzing Framework.
Author : Debasish Mandal (twitter.com/debasishm89)
[+] 2017:05:05::23:11:23 Using debugger : winappdbg
[+] 2017:05:05::23:11:23 POP Up killer Thread started..
[+] 2017:05:05::23:11:24 Loading base files in memory from : BaseOfficeDocs\UnpackedMSOpenXMLFormatFiles
[+] 2017:05:05::23:11:24 Loading File Format Handler for extension : xml => xmlHandler.py
[+] 2017:05:05::23:11:24 Loading File Format Handler for extension : rels => xmlHandler.py
[+] 2017:05:05::23:11:24 Loading File Format Handler Done !!
[+] 2017:05:05::23:11:24 Starting Fuzzing
[+] 2017:05:05::23:11:25 Temp cleaner started...
[+] 2017:05:05::23:11:25 Cleaning Temp Directory...
...
...Here is a very short video on running fuzztest on MS Office Word:
Due to the flexible structure of the fuzzer, this Fuzzer can also be used to fuzz other windows application. You just need do following :
And you're good to go.
Fuzzing Efficiency: To maximize fuzzing efficiency OpenXMolar doesn't read the provided base files again and from disk. While starting up, it loads all base files in memory and convert them into easy to manage python data structures and mutate them straight from memory.
Auto identification of internal files of OpenXML package : An Open XML file package may contain various files like XML files, Binary files etc. OpenXMolar has capability to identify internal file types and based that chooses mutation script and mutate them. Please refer to the default config.py file (Param : AUTO_IDENTIFY_INTERNAL_FILE_FORAMT) for details.
This software is licenced under New BSD License although the following libraries are included with Open X-Molar and are licensed separately.
| Module | Source |
|---|---|
| winappdbg | https://github.com/MarioVilas/winappdbg |
| pydbg | https://github.com/OpenRCE/pydbg |
| pyautoit | https://pypi.python.org/pypi/PyAutoIt/0.3 |
| crash_binning | https://github.com/OpenRCE/sulley |
| xmltodict | https://github.com/martinblech/xmltodict |
| Au3Info.exe | https://www.autoitscript.com/autoit3/docs/intro/au3spy.htm |
Debasish Mandal ( https://twitter.com/debasishm89 )
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8630
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0792