ReFuzz — Structure Aware Fuzzing of the Resilient File System (ReFS)
Microsoft’s Resilient File System (ReFS) promises new features such as increased performance and resilience compared to NTFS. On the downside, the ReFS drivers are growing larger and more complex, increasing the attack surface of the Windows kernel. Attackers can often use security-critical bugs in file system drivers to escalate privileges simply by mounting a file system. In this work, we present ReFuzz, a structure-aware fuzzer that uses hardware-assisted code coverage to identify bugs in the ReFS driver. ReFS poses two particular challenges to fuzzing: first, it is undocumented yet makes exhaustive use of checksums; second, the minimum size of a ReFS partition is 2 GB, which notably decreases the performance of naive fuzzing approaches.
We demonstrate the effectiveness of our fuzzing approach by finding 27 unique payloads that panic the Windows kernel when mounting or accessing ReFS partitions. Furthermore, we find 162 unique payloads that lead to a system hang-up. Microsoft confirmed these bugs, assigning eight CVEs that allow remote code execution attacks.
Slides: tba (presented at ACM AsiaCCS 2022, Nagasaki, Japan)
With this research, we implemented a fuzzing framework (based on kAFL) to specifically fuzz the Microsoft ReFS driver. To this end, we developed the following tools:
- An extension of kAFL with a second fuzzing dimension and other changes needed to fuzz ReFS
- A Python module called “ReFS Mutator”, which takes the modified payload and corrects the checksums and, optionally, the duplicate tables
- A Python tool called “Metadata Extractor”, which extracts all metadata and information needed to correct the checksums and transfers the metadata back to a full ReFS image
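The repair step that the ReFS Mutator performs after a mutation, as an added example that is not the project's own code: it models a hypothetical page-based image format (constructed here; not the real ReFS layout, whose checksums and duplicate tables are undocumented), shows that a plain byte mutation is rejected by the integrity check before any deeper driver code runs, and then re-syncs the duplicate page and recomputes the checksums so the mutated image is accepted. The `verify` function stands in for the driver's consistency checks and is an assumption of this example.

```python
import random
import struct
import zlib
# Hypothetical page format constructed for this example (NOT the real ReFS layout): each 4 KiB
# page is a 16-byte header (magic | crc32 of body | page index | reserved) plus the body, and
# page 1 duplicates page 0, standing in for the duplicated tables the mutator must keep in sync.
PAGE_SIZE = 4096
HEADER = struct.Struct("<4sIII")
MAGIC = b"PAGE"
MIRROR_PAIRS = [(0, 1)]  # (primary page, duplicate page)

def _body(image, idx):  # slice out the body of page idx
    return image[idx * PAGE_SIZE + HEADER.size:(idx + 1) * PAGE_SIZE]

def build_image(num_pages: int, seed: int = 1) -> bytes:
    """Construct a consistent sample image: valid checksums, mirrors in sync."""
    rng = random.Random(seed)
    bodies = [bytes(rng.randrange(256) for _ in range(PAGE_SIZE - HEADER.size)) for _ in range(num_pages)]
    for primary, dup in MIRROR_PAIRS:
        bodies[dup] = bodies[primary]
    return b"".join(HEADER.pack(MAGIC, zlib.crc32(b), i, 0) + b for i, b in enumerate(bodies))

def verify(image: bytes):
    """Mimic a driver's integrity checks: return the rejection reason, or None if accepted."""
    for idx in range(len(image) // PAGE_SIZE):
        magic, crc, stored_idx, _ = HEADER.unpack_from(image, idx * PAGE_SIZE)
        if magic != MAGIC or stored_idx != idx:
            return f"bad header on page {idx}"
        if zlib.crc32(_body(image, idx)) != crc:
            return f"checksum mismatch on page {idx}"  # where unrepaired mutations die
    for primary, dup in MIRROR_PAIRS:
        if _body(image, primary) != _body(image, dup):
            return f"pages {primary} and {dup} disagree"

def mutate_body(image: bytes, page_idx: int, seed: int) -> bytes:
    """Structure-aware mutation: XOR four distinct body bytes, never the header."""
    rng = random.Random(seed)
    buf = bytearray(image)
    for off in rng.sample(range(page_idx * PAGE_SIZE + HEADER.size, (page_idx + 1) * PAGE_SIZE), 4):
        buf[off] ^= rng.randrange(1, 256)  # non-zero XOR guarantees a change
    return bytes(buf)

def fix_image(image: bytes) -> bytes:
    """Repair pass: re-sync duplicate pages, then recompute every page checksum."""
    buf = bytearray(image)
    for primary, dup in MIRROR_PAIRS:
        buf[dup * PAGE_SIZE + HEADER.size:(dup + 1) * PAGE_SIZE] = _body(buf, primary)
    for idx in range(len(buf) // PAGE_SIZE):
        HEADER.pack_into(buf, idx * PAGE_SIZE, MAGIC, zlib.crc32(_body(buf, idx)), idx, 0)
    return bytes(buf)
```

Without `fix_image`, every mutated candidate is rejected at the checksum check and the fuzzer never exercises the parsing code behind it; with it, the same mutation reaches that code while the image still passes the consistency checks.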
Get the Code
Please download the three ZIP archives mentioned above, extract them, and follow the installation instructions in each included README.md. After installing all three components, you can start your first fuzzing run as detailed in refuzz/README.md.
You can start your first fuzzing run with the ReFS image and extracted artifacts we provide in this archive: data.zip. This image was also used to find the vulnerabilities listed below. To use your own ReFS image, use the Metadata Extractor.
| Image | Crash Code (bug check) | Action to Crash | CVE |
|---|---|---|---|
| panic_1.vhd | 0x50, 0x149 | open two folders and a file | CVE-2022-21928 |
| panic_6.vhd | 0x50 | mount file system | CVE-2022-21958 |
| panic_15.vhd | 0x50, 0x149 | open folder | CVE-2022-21958 |
| panic_16.vhd | 0x50, 0x149 | open folder or mount file system | CVE-2022-21958 |
| panic_23.vhd | 0x50, 0x149 | mount file system | CVE-2022-21958 |
| panic_24.vhd | 0x149 | mount file system | CVE-2022-21958 |
| panic_14.vhd | 0x50, 0x149 | open folder | CVE-2022-21961 |
| panic_2.vhd | 0x139, 0x149 | open file | CVE-2022-21962 |
| panic_18.vhd | 0x50, 0x139, 0x149 | open file | CVE-2022-21962 |
| panic_25.vhd | 0x50 | mount file system | CVE-2022-21963 |
All vulnerabilities were discovered with our ReFuzz framework, using the data.zip mentioned above as the initial data set. The payloads referenced in the table above are included together with the expanded full-sized images here: results.zip