ReFuzz — Structure Aware Fuzzing of the Resilient File System (ReFS)
Abstract
Microsoft’s Resilient File System (ReFS) promises new features such as increased performance and resilience compared to NTFS. On the downside, the ReFS drivers are growing more extensive and more complex, increasing the attack surface of the Windows kernel. Attackers can often use security-critical bugs in file system drivers to escalate privileges just by mounting a file system. In this work, we present ReFuzz, a structure-aware fuzzer that uses hardware-assisted code coverage to identify bugs in the ReFS driver. The ReFS file system offers several challenges to fuzzing because first, while ReFS is not documented, it exhaustively uses checksums. And second, the minimal size of a ReFS partition is 2GB, notably decreasing the performance of naive fuzzing approaches.
We demonstrate the effectiveness of our fuzzing approach by finding 27 unique payloads that panic the Windows kernel when mounting or accessing ReFS partitions. Furthermore, we find 162 unique payloads that lead to a system hang-up. Microsoft confirmed those bugs assigning eight CVE allowing remote code execution attacks.
Paper: ReFuzz (by Tobias Groß, Tobias Schleier and Tilo Müller)
Slides: tba (presented at ACM AsiaCCS 2022, Nagasaki, Japan)
Dr.-Ing. Tobias Groß
Department of Computer Science
Chair of Computer Science 1 (IT Security Infrastructures)
- Email: tobias.gross@cs.fau.de
Implemented Tools
With this research, we implemented a fuzzing framework (based on kAFL) to specifically fuzzy test the Microsoft ReFS driver. Therefore we developed the following tools:
- Extension of kAFL with a second fuzzing dimension and other changes to be able to fuzzy test ReFS
- Python module called “ReFS Mutator”, which takes the modified payload and corrects the checksums and optionally duplicate tables
- Python software “Metadata Extractor” which extracts all metadata and information to correct the checksums and transfer the metadata back to a full ReFS image
Get the Code
- ReFuzz: refuzz.zip
- ReFS Mutator: refs-mutator.zip
- ReFS Extractor: refs-metadata-extractor.zip
Installation
Please download the three above-mentioned ZIP archives, extract them, and follow the install instructions of every included README.md. After installing all three components you can start your first fuzzing run as detailed in the refuzz/README.md.
Test Data
You can start your first fuzzing run by using the ReFS image and extracted artifacts we provide in this archive: data.zip This image was also used to find the vulnerabilities listed bellow. To use your own ReFS image use the Metadata Extractor.
Trophies
| Image | Crash Code | Action to Crash | CVE |
|---|---|---|---|
| panic_3.vhd | 0x149 | open folder | CVE-2022-21892 |
| panic_5.vhd | 0x149 | open folder | CVE-2022-21892 |
| panic_13.vhd | 0x149 | open folder | CVE-2022-21892 |
| panic_17.vhd | 0x139 | open folder | CVE-2022-21892 |
| panic_20.vhd | 0x149 | open folder | CVE-2022-21892 |
| panic_21.vhd | 0x149 | open folder | CVE-2022-21892 |
| panic_1.vhd | 0x50, 0x149 | open two folders and a file | CVE-2022-21928 |
| panic_4.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_6.vhd | 0x50 | mount file system | CVE-2022-21958 |
| panic_7.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_8.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_9.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_12.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_15.vhd | 0x50, 0x149 | open folder | CVE-2022-21958 |
| panic_16.vhd | 0x50, 0x149 | open folder or mount file system | CVE-2022-21958 |
| panic_19.vhd | 0x149 | open folder | CVE-2022-21958 |
| panic_23.vhd | 0x50, 0x149 | mount file system | CVE-2022-21958 |
| panic_24.vhd | 0x149 | mount file system | CVE-2022-21958 |
| panic_10.vhd | 0x1E | open folder | CVE-2022-21959 |
| panic_11.vhd | 0x149 | open folder | CVE-2022-21960 |
| panic_14.vhd | 0x50, 0x149 | open folder | CVE-2022-21961 |
| panic_27.vhd | 0x50 | open file | CVE-2022-21961 |
| panic_29.vhd | 0x50 | open file | CVE-2022-21961 |
| panic_2.vhd | 0x139, 0x149 | open file | CVE-2022-21962 |
| panic_18.vhd | 0x50, 0x139, 0x149 | open file | CVE-2022-21962 |
| panic_22.vhd | 0x50 | open folder | CVE-2022-21963 |
| panic_25.vhd | 0x50 | mount file system | CVE-2022-21963 |
All vulnerabilities were discovered by using our ReFuzz framework and as the initial data set the before mentioned data.zip. The referenced payloads in the table above are included together with the expanded full-sized images here: results.zip