
Questions about FTP protocol testing #2

Open
Melody15 opened this issue Feb 21, 2021 · 4 comments

Comments

@Melody15
Contributor

Hello, recently I found this great benchmark, and after reading & testing some FTP implementations, I have some questions about FTP fuzzing.

  1. The first question is about coverage counting. In proftpd's cleanup script, it not only clears the ftpshare folder but also copies the *.gcda files from ftpshare to proftpd-gcov for counting the coverage (I guess this is because the *.gcda files would be generated under the chroot() path), so I thought this script should be executed after each replay when calculating the coverage (which is in cov_script), but it seems it is not. I'm not sure if this is missing or if I have misunderstood.

This is proftpd's cov_script (excerpt):

```bash
# $folder/$testdir hold the seed corpus, $replayer and $pno the replay tool and
# server port, $WORKDIR the gcov-instrumented proftpd tree and $covfile the CSV
# being written; all of them are set earlier in the script.

# process initial seed corpus first
for f in "$folder/$testdir"/*.raw; do
  time=$(stat -c %Y "$f")

  # terminate running server(s)
  pkill proftpd

  # replay one seed against a freshly started server; the server is killed
  # after 3 seconds so that libgcov flushes its counters on exit
  "$replayer" "$f" FTP "$pno" 1 > /dev/null 2>&1 &
  timeout -k 0 3s ./proftpd -n -c "${WORKDIR}/basic.conf" -X

  wait

  ################################################################
  # should execute cleanup_script for moving the .*gcda files here?
  ################################################################

  # gcovr -s ends with "lines: 35.2% (1234 out of 3507)" and a matching
  # "branches:" line; field 2 is the percentage, field 3 the "(N" count
  cov_data=$(gcovr -r . -s | grep "[lb][a-z]*:")
  l_per=$(echo "$cov_data" | grep lines | cut -d" " -f2 | rev | cut -c2- | rev)
  l_abs=$(echo "$cov_data" | grep lines | cut -d" " -f3 | cut -c2-)
  b_per=$(echo "$cov_data" | grep branch | cut -d" " -f2 | rev | cut -c2- | rev)
  b_abs=$(echo "$cov_data" | grep branch | cut -d" " -f3 | cut -c2-)

  # one cumulative coverage sample per seed, keyed by the seed's mtime
  echo "$time,$l_per,$l_abs,$b_per,$b_abs" >> "$covfile"
done
```
  2. Another question is about AFLNet. For the FTP protocol, it seems that a single control socket is not enough. When data transmission happens, both PORT and PASV modes need a separate data socket to send data. How would AFLNet solve this problem?

I am very interested in smart protocol fuzzing and look forward to your answers. Thank you very much.
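The bookkeeping behind the cov_script quoted above, as an added Python example (this is not ProFuzzBench's own script) so that the two pieces can be tested offline: turning the `gcovr -s` summary into the CSV row the loop appends, and the step the first question asks about, moving .gcda counters that a chroot()ed proftpd left under its chroot back into the gcov build tree. The gcovr text, the `ftpshare`/`proftpd-gcov` directory layout built in `demo()`, and the assumption that libgcov inside the chroot writes to the absolute build path compiled into the binary are all constructed for this example:

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed: the tail of `gcovr -r . -s` output, which cov_script greps for
# the two "<name>: <pct>% (<covered> out of <total>)" summary lines.
SAMPLE_GCOVR_SUMMARY = """\
------------------------------------------------------------------------------
TOTAL                                        3507    1234    35%
------------------------------------------------------------------------------
lines: 35.2% (1234 out of 3507)
branches: 20.1% (567 out of 2820)
"""

SUMMARY_RE = re.compile(r"^(lines|branches):\s+([\d.]+)%\s+\((\d+) out of (\d+)\)", re.M)


def parse_gcovr_summary(text):
    """Return {'lines': (pct_str, covered, total), 'branches': (...)}.

    The percentage stays the string gcovr printed so the CSV row matches what
    the shell pipeline (cut/rev) writes. A missing summary line raises instead
    of silently producing an empty field, which is what the cut pipeline does."""
    found = {name: (pct, int(cov), int(tot)) for name, pct, cov, tot in SUMMARY_RE.findall(text)}
    missing = {"lines", "branches"} - set(found)
    if missing:
        raise ValueError(f"gcovr summary lacks {sorted(missing)}; was the target built with --coverage?")
    return found


def coverage_row(timestamp, gcovr_text):
    """The 'time,l_per,l_abs,b_per,b_abs' row that cov_script appends to $covfile."""
    s = parse_gcovr_summary(gcovr_text)
    return f"{timestamp},{s['lines'][0]},{s['lines'][1]},{s['branches'][0]},{s['branches'][1]}"


def collect_gcda(chroot_dir, gcov_dir):
    """Move every .gcda found under <chroot_dir>/<gcov_dir> into <gcov_dir>.

    Assumption (not checked against proftpd's real cleanup script): inside the
    chroot, libgcov writes counters to the absolute build path baked into the
    binary, so they land at chroot_dir + gcov_dir, for example
    ftpshare/home/ubuntu/experiments/proftpd-gcov/src/main.gcda.
    Returns the moved files as paths relative to gcov_dir."""
    chroot_dir, gcov_dir = Path(chroot_dir), Path(gcov_dir)
    if not gcov_dir.is_absolute():
        raise ValueError("gcov_dir must be the absolute path compiled into the binary")
    inner = chroot_dir / gcov_dir.relative_to("/")
    moved = []
    for gcda in inner.rglob("*.gcda"):
        rel = gcda.relative_to(inner)
        dest = gcov_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(gcda), str(dest))  # replaces, does not merge, counters already there
        moved.append(str(rel))
    return sorted(moved)


def demo():
    """Constructed run: one counter file left under the chroot, then one CSV row."""
    root = Path(tempfile.mkdtemp())
    gcov_dir = root / "proftpd-gcov"
    chroot = root / "ftpshare"
    stray = chroot / gcov_dir.relative_to("/") / "src" / "main.gcda"
    stray.parent.mkdir(parents=True)
    stray.write_bytes(b"\x00gcda")  # placeholder bytes, not a real counter file
    moved = collect_gcda(chroot, gcov_dir)
    row = coverage_row(1613900000, SAMPLE_GCOVR_SUMMARY)
    return moved, (gcov_dir / "src" / "main.gcda").exists(), not stray.exists(), row


if __name__ == "__main__":
    print(demo())
```

Two caveats the shell pipeline hides: if gcovr prints no summary (target not built with --coverage, or the wrong `-r` root), `cut` emits an empty field and the CSV silently gets a hole, so the parser above raises instead; and moving the files replaces whatever counters already sit in the build tree rather than adding to them, which matters because cov_script lets counts accumulate across seeds. If chroot were enabled, GCC's `gcov-tool merge` would be the way to combine the two sets before running gcovr.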

@rnatella
Collaborator

Hello,

About your first question: in the configuration file basic.conf, the option for chroot is commented out and should not be enabled by default. In this case, it may be unnecessary to call the clean script.

About your second question: for the SIP/Kamailio benchmark, we had to introduce the "-l" option for a similar problem; you can consider using/extending that option.

@Melody15
Contributor Author

Thanks for answering, I will try this "-l" option for FTP protocol.

@thuanpv
Collaborator

thuanpv commented Mar 1, 2021

Hi @Melody15,

You are right that currently AFLNet focuses on fuzzing the control channel of the FTP protocol and it does not support the data channel yet.

As suggested by Roberto, the "-l" option of AFLNet is relevant. However, I think the current implementation of the option does not work out of the box to support two channels in the FTP protocol. I guess a proper solution should answer the questions 1) when a connection to the data port (port 20) should be established and 2) whether AFLNet needs to add some logic to handle data exchange.

This excellent writeup by Antonio at GitHub Security (https://securitylab.github.com/research/fuzzing-sockets-FTP) reports a nice idea to handle the issue, but it requires several code changes.

Pull requests are welcome!

Thuan
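The two-channel exchange discussed in this thread, as an added example that is neither AFLNet's nor ProFuzzBench's code: a replayer that drives only the control socket stalls on LIST/RETR/STOR, so the client side below connects a second socket as soon as the server's 227 reply names a passive endpoint and drains it before reading the closing 226. `ToyFtpServer` is a constructed stand-in for proftpd with just enough of RFC 959 for one PASV transfer, and the session in `demo()` is constructed too. Active (PORT) mode, where the server connects back to the client, is the mirror case and is not implemented here:

```python
import re
import socket
import threading

# Commands whose result travels over the data connection (RFC 959, section 4.1.3).
DATA_COMMANDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """(host, port) from '227 ... (h1,h2,h3,h4,p1,p2)', else None; every field is range-checked."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    n = [int(g) for g in m.groups()] if m else []
    if not n or max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def recv_reply(rfile):
    """Read one FTP reply, including the 'xyz-' multi-line form, as text."""
    lines = [rfile.readline().decode("ascii", "replace").rstrip("\r\n")]
    while len(lines[0]) >= 4 and lines[0][3] == "-" and not lines[-1].startswith(lines[0][:3] + " "):
        raw = rfile.readline()
        if not raw:
            break
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
    return "\n".join(lines)


def listen_local():
    """Ephemeral listening socket on 127.0.0.1, used for the control port and each data port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s


class ToyFtpServer(threading.Thread):
    """Constructed stand-in for proftpd (not the real server): USER/PASS, PASV, one data command, QUIT."""
    LISTING = b"-rw-r--r-- 1 ftp ftp 0 Jan  1 00:00 seed.raw\r\n"

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = listen_local()
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        conn.settimeout(5)
        conn.sendall(b"220 toy ftpd ready\r\n")
        data_listener = None
        for raw in conn.makefile("rb"):
            words = raw.decode("ascii", "replace").split()
            verb = words[0].upper() if words else ""
            if verb in ("USER", "PASS"):
                conn.sendall(b"331 Password please\r\n" if verb == "USER" else b"230 Logged in\r\n")
            elif verb == "PASV":  # open a fresh data port and advertise it in the 227 reply
                data_listener = listen_local()
                p = data_listener.getsockname()[1]
                conn.sendall(b"227 Entering Passive Mode (127,0,0,1,%d,%d)\r\n" % (p // 256, p % 256))
            elif verb in DATA_COMMANDS and data_listener is None:
                conn.sendall(b"425 Use PASV first\r\n")
            elif verb in DATA_COMMANDS:
                conn.sendall(b"150 Here comes the directory listing\r\n")
                data, _ = data_listener.accept()  # the client connected right after the 227
                data.sendall(self.LISTING)
                data.close()
                data_listener.close()
                data_listener = None
                conn.sendall(b"226 Transfer complete\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")
        conn.close()


def replay(messages, host, port):
    """Send control messages in order; connect the data socket as soon as a 227 names an
    endpoint, and drain it (then read the 226) for data commands. Returns [(sent, reply, data)]."""
    ctl = socket.create_connection((host, port), timeout=5)
    rf = ctl.makefile("rb")
    log, data_sock = [("", recv_reply(rf), b"")], None  # first entry is the banner
    for msg in messages:
        ctl.sendall(msg.encode("ascii") + b"\r\n")
        reply, payload = recv_reply(rf), b""
        endpoint = parse_pasv(reply)
        if endpoint is not None:
            data_sock = socket.create_connection(endpoint, timeout=5)
        elif msg.split()[0].upper() in DATA_COMMANDS and reply.startswith("150") and data_sock:
            payload = b"".join(iter(lambda: data_sock.recv(4096), b""))  # read until server closes
            data_sock.close()
            data_sock = None
            reply += "\n" + recv_reply(rf)  # the 226 that ends the transfer
        log.append((msg, reply, payload))
    ctl.close()
    return log


def demo():
    srv = ToyFtpServer()
    srv.start()
    log = replay(["USER anonymous", "PASS x", "PASV", "LIST", "QUIT"], "127.0.0.1", srv.port)
    srv.join(5)
    return log
```

For a fuzzer the interesting part is the decision in `replay()`: the data socket is opened on seeing 227, not on sending the data command, and any reply other than 150 (for instance 425 when no PASV preceded LIST) leaves the data channel alone, so a mutated control message cannot hang the replayer on a recv. A real integration in AFLNet's C code would need the same two hooks, one on the 227 reply and one around the transfer, which is what the two questions in the comment above come down to.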

@Melody15
Contributor Author

Melody15 commented Mar 3, 2021

Hi @thuanpv ,

I intend to refer to Antonio's article to further patch the FTP server to try to solve this problem. Thank you for your reply and suggestion!
