Hongfuzz vs. Apache httpd - FIGHT

Hi All, in keeping with the theme of quick iterative notes on wtf I’m up to here is how to get Hongfuzz up and running against apache http. The creators of Honggfuzz have wisely and kindly created a process for fuzzing. That means a lot of people have probably done it and it’s a “known” technique. However, I’ve always found that I think that about any 0-day hunting - “eh, someone has probably looked, I won’t spend my time on it”. Well, that’s how you miss bugs. Also not all fuzzers are deterministic, there’s always the chance that I generate better inputs than the last a**hole or that I have more CPU cores to leave it running for longer. Or maybe I’m wasting my time, but hey, then I know I wasted my time at least.

So check this out. That’s everything you need to get apache running under honggfuzz. Some quick notes on it: download the libs and build them, only use apt for the dependent libraries, you’re going to need to build them all and enter the path in several config files, so put your sh*t somewhere easy to find. I’ve noticed that there’s been an update to honggfuzz and an additional parameter was needed for me to get this running. Below is the full command:

../honggfuzz/honggfuzz -i corpus_http1/ -w httpd-2.4.46/httpd.wordlist --threads 10 -P -- ./bin/httpd -DFOREGROUND -f conf/httpd.conf.h1

YDMV (your directories may vary), but note the -P added here. This tells it to run in persistent mode. I’m not convinced this is working well yet, and I’ll be updating this post as I play with some of the options a bit more, but at least it runs. I’m getting way more timeouts than is reasonable (i’m at several hundred in just a few minutes), but at least no immediate crashes, which is expected on a hardened codebase like Apache httpds. I’ll keep you all posted on results!

So I went hunting for databases….

Huge shock, I found about 20+ from 2020 and another 20+ from 2019. This brings our total databases in scylla to about 290-300. and about 4.1 TB of data in JSON lines, one record per line. That’s a lotta data. Honestly is it even worth learning how to hack anymore?? Just kidding, I live for this shit. Anyway check out scylla.sh over the next few days for the data.