.ANI fuzzing module released

after being challenged by Sunshine, we decided to make the bestorm .ani file fuzzing module description available publicly.

this module is interesting because microsoft’s fuzzing team, using a template-based fuzzing module, missed during their testing a vulnerability that turned out to be a zero-day. we built it by simply feeding a few sample files into bestorm and using its autolearn feature to produce a file fuzzing module. the module we produced does catch the 0-day but we welcome any feedback as to how good or bad this module actually is.

the fuzzing module description is available here.

  • http://security.eweek.com Larry Seltzer

    Microsoft only said so between the lines, but they just did a bad job writing a fuzzing template for .ANI. I wouldn’t be surprised if they step up review of other fuzzing templates, especially those testing old code.

  • http://www.BeyondSecurity.com Aviram

    Somebody who spoke to me about that asked me why the fuzzing team in Microsoft didn’t just call the guys who wrote the .ANI handling module to ask them for a proper description of the file format.

  • http://www.tradeshowdirect.com Trade Show Display Salesman

    Why wouldn’t they just come out and admit it Larry?

  • http://www.BeyondSecurity.com Aviram

    I’m having a hard time figuring out if the above comment is a spambot or a real person.