Procmon "freezes" multithreaded software #593

Open
henryreed opened this issue Jan 11, 2022 · 0 comments
Hi folks,

I am attempting to fuzz NASA's Core Flight System (cFS) using Boofuzz and its Process Monitor for unix. Unfortunately, when Procmon hooks into cFS it seems to also break its UDP input. This can be seen by capturing packets on the loopback interface, where the kernel sends ICMP packets back indicating the port is closed. Additionally, while normally cFS complains when it receives a broken message, in this case there is no standard error or standard output relating to any broken messages.

If I do not use Procmon and launch cFS normally, it can receive messages from Boofuzz as normal. I would like to get Procmon to work with cFS. I suspect that because cFS is a multithreaded application, Procmon somehow breaks cFS, but I am not sure how to debug this any further. Any assistance or pointers are appreciated.

Expected behavior

I expected Procmon to not freeze cFS and instead let it run like normal and receive command messages.

Actual behavior

Procmon "freezes" (for lack of a better term) cFS, disavowing it from binding to listening port 1234/UDP and from receiving any data.

Steps to reproduce the problem

  1. Install cFS as per instructions in the Setup and Build and Run sections of the GitHub repository: https://github.com/nasa/cfs#setup
  2. Launch process_monitor_unix.py
  3. Launch the Boofuzz script attached

boofuzz script

```python
from boofuzz import *


def define_proto(session):
    # CCSDS command packet: 2-byte message ID, 2-byte sequence control,
    # 2-byte length (data length minus one), then the command payload.
    cfe_es_noop_cc = Request("CFE_ES_NOOP_CC", children=(
        Block("Packet_Identification", children=(
            Bytes(name="CFE_PLATFORM_CMD_MID_BASE", default_value=b'\x18', max_len=1),
            Bytes(name="CFE_MISSION_ES_CMD_MSG", default_value=b'\x06', max_len=1),
            Bytes(name="Packet_Sequence_Control", default_value=b'\xC0\x00', max_len=2)
            )),
        Size("Packet_Length", block_name="Packet_Data", offset=-1, length=2, endian='>'),
        Block("Packet_Data", children=(
            Bytes(name="NOOP_CC", default_value=b'\x00\x20')
            ))
        ))

    session.connect(cfe_es_noop_cc)


if __name__ == "__main__":
    port = 1234
    host = "127.0.0.1"
    # process_monitor_unix.py (listening on 26002) starts the target for us
    options = {"start_commands": ['/home/user/cFS/build/exe/cpu1/core-cpu1']}
    procmon = ProcessMonitor(host, 26002)
    procmon.set_options(**options)
    monitors = [procmon]

    session = Session(
            target=Target(
                connection=UDPSocketConnection(host, port),
                monitors=monitors,
                ),
            )
    define_proto(session)
    session.fuzz()
```

boofuzz version

0.4.0

Python version

3.8

Platform

Linux

Anything else?

No response
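The symptom above (ICMP port-unreachable on loopback, no output from the target) means the process under the monitor never bound its UDP port, so every fuzz case is being thrown at a closed socket. A cheap pre-flight check a practitioner would want before calling `session.fuzz()` is to confirm the port is actually bound. The example below is added here and is not part of the issue or of boofuzz: it parses the Linux `/proc/net/udp` table (an IPv4-only, Linux-only assumption) and polls it until the expected port appears or a timeout expires. The sample table text is constructed for illustration.

```python
"""Pre-flight check: confirm a UDP fuzzing target has bound its port.

Added illustration, not boofuzz code. Assumes Linux and IPv4 (/proc/net/udp).
"""
import socket
import struct
import time

# Constructed sample of /proc/net/udp: one socket bound to 0.0.0.0:1234
# (0x04D2) and one bound to 127.0.0.1:26002 (0x6592). Not captured output.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  0: 00000000:04D2 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12345 2 0000000000000000 0
  1: 0100007F:6592 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12346 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Return (ip, port, inode) for every socket row in /proc/net/udp text.

    The local_address column is <hex ip>:<hex port>; the kernel writes the IPv4
    address as a host-order 32-bit word, which is little-endian on x86.
    """
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        sockets.append((ip, int(hex_port, 16), int(fields[9])))
    return sockets


def udp_port_is_bound(text, port, ip=None):
    """True if some socket in the table is bound to `port`.

    A socket bound to 0.0.0.0 counts for any `ip`; otherwise the address must
    match exactly.
    """
    for bound_ip, bound_port, _inode in parse_proc_net_udp(text):
        if bound_port != port:
            continue
        if ip is None or bound_ip in (ip, "0.0.0.0"):
            return True
    return False


def wait_for_udp_port(port, ip="127.0.0.1", timeout=10.0, interval=0.25,
                      path="/proc/net/udp"):
    """Poll /proc/net/udp until `port` is bound; return True on success.

    Call this after the process monitor has started the target and before
    session.fuzz(); a False result means every case would hit a closed port.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with open(path) as f:
            if udp_port_is_bound(f.read(), port, ip):
                return True
        time.sleep(interval)
    return False


if __name__ == "__main__":
    print(parse_proc_net_udp(SAMPLE_PROC_NET_UDP))
    print("1234 bound in sample:", udp_port_is_bound(SAMPLE_PROC_NET_UDP, 1234))
    print("live check for 1234:", wait_for_udp_port(1234, timeout=1.0))
```

Drop `wait_for_udp_port(port)` in just before `session.fuzz()` and abort the run if it returns False; that separates "the monitor started the target but it never bound" from "the target crashed on a fuzz case", which the ICMP trace alone cannot tell apart.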

@henryreed henryreed added the bug label Jan 11, 2022