Full Report
The author of the post was interested in binary-only fuzzing via snapshots and in fuzzing highly structured inputs. Given those requirements, they chose Trackmania Nations Forever, from 2008, as a good target. To fuzz something, you need to write a harness that takes in the fuzzing input and processes it. Since the application uses XML-RPC over TCP, this is not trivial: sockets are slow and messy. To get around this, the author takes a snapshot right before the XML-RPC message is processed. Then they modify the message in memory by updating its size and buffer, and edit the session_object information to bypass auth. LibAFL is amazing for building these types of fuzzers. A "magic" QEMU launcher is used for the fuzzing here, which provides the snapshot functionality. To generate XML messages, they use Nautilus. The author links to some good resources for getting this working.

To fuzz the XML input, we need to ensure it is a valid XML message. Luckily, the XML-RPC protocol is well defined by Trackmania. Additionally, we can reverse engineer the application to find more messages that can be sent. The fuzzer mostly fuzzes the inputs within the XML tags rather than the XML itself. For instance, the first Nautilus rule contains the XML content with a small substitution in it for the method call ({METHOD_CALL}). All other inputs are done in a similar fashion, with only small substitutions for the values within the XML.

After setting up the grammar by adding rules with Nautilus and preparing some test inputs, they fuzzed the application. Additionally, they set up a repro mode that does the same thing as the fuzzer but for only a single input. From fuzzing, they instantly found a bunch of format string bugs! More on this in part 2. They patched the format string bug, which was simply in a logging function, in order to find other bugs. This was done by a simple memory write to the QEMU process.
Besides the format string bug, they found a few other crashes. Their favorite bug was an issue where the spectators could be forced to look at a specific player. Forcing all of the spectators into a freecam hits an edge case that causes a crash. Pretty interesting edge case! Overall, awesome post on snapshot binary fuzzing, which I didn't have much experience in.
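To make the "substitute only the values inside the tags" idea concrete, here is an added example that is not code from the post or from Nautilus itself. It is a toy expander for rules written in Nautilus's `{NONTERMINAL}` placeholder style, with the rule list in `[nonterminal, right-hand side]` pairs; the grammar, the method names and the recursion budget are all constructed for illustration and are not the author's grammar. The XML skeleton is fixed in the `START` rule, and only the leaves (method name, string characters, integers) vary, which is exactly the property the summary describes. The result is checked with the standard library's `xmlrpc.client.loads` so a reader can confirm every generated message is a well-formed methodCall.

```python
import random
import re
import xmlrpc.client

# Constructed toy grammar in the [nonterminal, rhs] pair shape used by Nautilus
# grammars; "{NAME}" refers to another nonterminal. Method names and values
# are illustrative placeholders, not the game's real API table.
RULES = [
    ("START", '<?xml version="1.0"?><methodCall><methodName>{METHOD}</methodName>'
              '<params>{PARAMS}</params></methodCall>'),
    ("METHOD", "Authenticate"),
    ("METHOD", "ChatSendServerMessage"),
    ("METHOD", "ForceSpectator"),
    ("PARAMS", "<param><value><string>{STRING}</string></value></param>{PARAMS}"),
    ("PARAMS", "<param><value><int>{INT}</int></value></param>{PARAMS}"),
    ("PARAMS", ""),
    ("STRING", "{STRING}{CHAR}"),
    ("STRING", ""),
    ("CHAR", "a"), ("CHAR", "Z"), ("CHAR", "%"), ("CHAR", "&amp;"), ("CHAR", "0"),
    ("INT", "0"), ("INT", "-1"), ("INT", "255"), ("INT", "2147483647"),
]

PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")
ALLOWED_METHODS = {"Authenticate", "ChatSendServerMessage", "ForceSpectator"}


def expand(symbol, rng, depth=0, max_depth=12):
    """Recursively expand one nonterminal, choosing alternatives with rng."""
    options = [rhs for lhs, rhs in RULES if lhs == symbol]
    if depth >= max_depth:
        # Out of recursion budget: take the alternative with the fewest
        # placeholders so that expansion is guaranteed to terminate.
        options = [min(options, key=lambda r: len(PLACEHOLDER.findall(r)))]
    rhs = rng.choice(options)
    return PLACEHOLDER.sub(lambda m: expand(m.group(1), rng, depth + 1, max_depth), rhs)


def generate(seed):
    """Produce one XML-RPC methodCall; the same seed always yields the same message."""
    return expand("START", random.Random(seed))


def parse(message):
    """Check well-formedness with the stdlib parser; returns (method_name, params)."""
    params, method = xmlrpc.client.loads(message)
    return method, params


if __name__ == "__main__":
    for seed in range(3):
        msg = generate(seed)
        print(parse(msg)[0], len(msg), "bytes")
```

Because the skeleton never changes, every message this emits passes the XML layer and reaches the per-method handlers, which is where the structured-input fuzzer in the post spent its effort; a real Nautilus grammar would add many more methods and far richer value alternatives.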
Analysis Summary
# Tool/Technique: Binary-Only Snapshot Fuzzing via LibAFL
## Overview
This summarizes the methodology used to fuzz the **Trackmania Nations Forever (TMNF)** server by employing binary-only snapshot fuzzing, specifically targeting its **XML-RPC over TCP** interface. The goal was to explore vulnerabilities (like format string bugs and crashes) in highly structured input processing without needing source code or complex socket interaction during the fuzz loop.
## Technical Details
- Type: Tool / Technique
- Platform: Linux (Target application/server binary)
- Capabilities: Binary instrumentation/emulation for snapshotting, memory manipulation for harness logic, structured input fuzzer integration (grammar-based).
- First Seen: October 5, 2022 (the article date); the implementation builds on the existing LibAFL and QEMU frameworks.
## MITRE ATT&CK Mapping
The focus here is on initial access/discovery rather than pure exploitation, though resulting bugs could lead to execution.
- **T1587 - Develop Capabilities** (As the author builds a custom fuzzer)
- **T1587.002 - Develop Capabilities: Tools**
- **T1608 - Identify and Target: Vulnerabilities** (The process is designed to find vulnerabilities)
- **T1608.001 - Identify and Target: Vulnerabilities: Software Vulnerabilities**
- **T1499 - Application Layer Protocol:** Used when interacting with XML-RPC over TCP.
## Functionality
### Core Capabilities
- **Binary-Only Fuzzing:** Uses snapshotting to restore the target application's state to the point just before input processing on every iteration, avoiding slow socket setup per fuzz case.
- **Harness Development:** A custom harness was built to manage the snapshot workflow around the XML-RPC message processing point. The loop involves: Running server -> Snapshot -> Restore snapshot -> Inject input into memory -> Continue execution.
- **Memory Injection:** The harness modifies memory locations (size, buffer, session object data) to inject the fuzz input directly into the deserialization location and bypass authentication checks, turning the network service into a localized input processor.
- **Grammar Fuzzing (Nautilus):** Used to generate highly structured XML-RPC messages based on a defined grammar.
- **Input Fuzzing Focus:** The fuzzer primarily mutated the values *within* the defined XML tags/structure, rather than fuzzing the XML formatting itself.
### Advanced Features
- **Snapshot Magic Launcher (QEMU):** A specific QEMU launcher was employed to facilitate the snapshot functionality required for memory manipulation and rapid state restoration.
- **Authentication Bypass:** Manually editing memory structures (`session_object` information) during the snapshot restoration phase was used to bypass authentication required by the XML-RPC endpoint.
- **Repro Mode:** A specific mode was set up to replay a single crashing input identically to the fuzzer loop for easier debugging.
- **Bug Patching for Deeper Analysis:** A format string bug was detected, patched via a direct memory write to the QEMU process, allowing the continuous fuzzing process to proceed to find subsequent bugs (like an edge-case crash related to spectator freecam).
## Indicators of Compromise
Since this involves a testing setup against a legitimate application (Trackmania Nations Forever), there are no typical adversary IoCs provided. The identified vulnerabilities are the output artifacts:
- File Hashes: SHA256 for reference version: `2402c87885c3a44b6e8500d06b052bfc9c4159b3239dd0eab8424b98d52ed4d1` (TmForever v2011-02-21)
- File Names: `TmForever` server binary.
- Network Indicators: None specific to malware.
- Behavioral Indicators: Application crashes (e.g., exceptions caused by format string misuse or logic errors triggered by crafted spectator commands).
## Associated Threat Actors
No specific threat actors mentioned. The work performed is focused on defensive research and vulnerability discovery against a legacy game server.
## Detection Methods
Detection applies to the vulnerabilities found, or to monitoring instrumentation on the target process:
- **Signature-based detection:** Format-string misuse (a `printf`-family call whose format argument comes from input) can be flagged by static analysis, or at runtime when the format string differs from the expected constant.
- **Behavioral detection:** Monitoring for unexpected process termination or unusual memory state changes indicative of post-snapshot argument injection.
## Mitigation Strategies
Based on the findings:
- **Input Validation:** Implement strict validation on all XML-RPC inputs, especially values within tags.
- **Secure Logging:** Use fixed format strings and never pass user input as the format string itself, to prevent format string vulnerabilities.
- **Protocol Hardening:** Handle state and game logic correctly (for example, game version checks when processing spectator commands) to prevent edge-case crashes.
- **Firewalling:** Restricting potentially dangerous administrative interfaces like the XML-RPC port to trusted hosts (as mentioned by the author).
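The following added example is not code from the post or from the game server; it shows what the input-validation, secure-logging and trusted-host points above look like when applied in front of an XML-RPC handler. The method signature table, the size limits and the trusted networks are constructed placeholders, not the game's real API or configuration. Messages are parsed with the standard library's `xmlrpc.client.loads`, so anything that is not a well-formed methodCall is rejected before any per-method logic runs, and string parameters containing `%` are refused so that a later logging call cannot be handed a format directive even if it is written carelessly.

```python
import ipaddress
import xmlrpc.client

# Constructed signature table: method name -> expected parameter types.
# Hypothetical, not the real Trackmania server API.
ALLOWED_METHODS = {
    "Authenticate": (str, str),
    "ChatSendServerMessage": (str,),
    "ForceSpectatorTarget": (str, str, int),
}
MAX_MESSAGE_BYTES = 64 * 1024   # constructed limit
MAX_STRING_LEN = 256            # constructed limit
# Application-layer allowlist that complements the firewall rule (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("10.0.0.0/8")]


def check_string(value):
    """Return a reason string if a string parameter is unacceptable, else None."""
    if len(value) > MAX_STRING_LEN:
        return "string too long"
    if "%" in value:
        # Conservative: keeps format directives out of anything that is later logged.
        return "percent sign not accepted"
    if any(ord(c) < 0x20 and c not in "\t\n" for c in value):
        return "control characters not accepted"
    return None


def validate(message, peer_ip):
    """Return (accepted, reason) for one XML-RPC methodCall received from peer_ip."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_NETWORKS):
        return False, "peer not in a trusted network"
    if len(message.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    try:
        params, method = xmlrpc.client.loads(message)
    except Exception as exc:  # malformed XML, unsupported value types, faults
        return False, "malformed request: " + exc.__class__.__name__
    if method not in ALLOWED_METHODS:
        return False, "unknown method %r" % (method,)
    expected = ALLOWED_METHODS[method]
    if len(params) != len(expected):
        return False, "%s expects %d params, got %d" % (method, len(expected), len(params))
    for i, (value, kind) in enumerate(zip(params, expected)):
        if type(value) is not kind:
            return False, "param %d must be %s" % (i, kind.__name__)
        if kind is str:
            problem = check_string(value)
            if problem:
                return False, "param %d: %s" % (i, problem)
        elif kind is int and not (-2 ** 31 <= value < 2 ** 31):
            return False, "param %d out of i4 range" % i
    return True, "ok"


def build(method, *params):
    """Constructed helper: serialize a methodCall so the validator can be exercised offline."""
    return xmlrpc.client.dumps(params, methodname=method)


if __name__ == "__main__":
    print(validate(build("Authenticate", "admin", "example-password"), "127.0.0.1"))
    print(validate(build("ChatSendServerMessage", "100%s"), "127.0.0.1"))
    print(validate("<methodCall><methodName>", "127.0.0.1"))
```

The validator returns a reason with every rejection so that rejected requests can be logged as a structured event (method name, parameter index, reason) with a constant format string, which is the behavioral signal a defender would watch for on a server exposing this port.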
## Related Tools/Techniques
- **LibAFL:** The primary fuzzing framework used for execution management.
- **QEMU:** Utilized specifically for its dynamic instrumentation/emulation features, enabling the snapshotting capability.
- **AFL++:** Mentioned as a typical starting point for standard fuzzing, contrasting with the structured, snapshot approach used here.
- **Nautilus:** A tool specifically used here for generating the structured grammar input for fuzzing (XML-RPC messages).
- **Snapshot Fuzzing:** A general technique for fast binary analysis, often seen in environments like hardware emulation or complex applications where clean state restoration is crucial.