CVE-2023-26266
📋 TL;DR
This vulnerability in AFL++ 4.05c allows attackers to execute arbitrary code: the CmpLog component resolves a fuzzing target given without a path prefix (for example `target` rather than `./target` or `/opt/fuzz/target`) against the current working directory, so a file of that name planted in the directory afl-fuzz is started from is what gets executed. Anyone fuzzing with AFL++ 4.05c and CmpLog enabled is affected, in practice security researchers and developers running security tests.
💻 Affected Systems
- AFLplusplus (AFL++) 4.05c
📦 What is this software?
AFL++ by the AFL++ Project
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the afl-fuzz process. If that process runs as a privileged user, or the fuzzing host is shared, this can mean full compromise of the fuzzing environment and the underlying system.
Likely Case
Code execution as the user running afl-fuzz, which lets an attacker with write access to the working directory tamper with fuzzing results or compromise the testing infrastructure. It amounts to a privilege escalation only when that attacker is a less privileged user than the one running afl-fuzz.
If Mitigated
Limited impact if directory permissions prevent other users from writing to the working directory and afl-fuzz runs under process isolation with least privilege, confining the attacker to the fuzzing sandbox.
🎯 Exploit Status
Exploitation requires local access: the attacker must be able to place a file in the directory afl-fuzz is started from. The fix pull request (#1643) documents the affected path resolution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after the fix in pull request #1643
Vendor Advisory: https://github.com/AFLplusplus/AFLplusplus/pull/1643
Restart Required: Yes
Instructions:
1. Update AFL++ to a version that includes the fix from pull request #1643.
2. Recompile any fuzzing targets.
3. Restart fuzzing sessions with the updated afl-fuzz binary.
🔧 Temporary Workarounds
Disable CmpLog component
Linux. Temporarily run without the CmpLog component until patching is possible. CmpLog is enabled by the `-c` option, so simply omit it. Note that `-c 0` does not disable CmpLog: it tells afl-fuzz to use the main target binary as the CmpLog binary.
afl-fuzz -i input -o output -- /absolute/path/to/target @@
Use absolute paths for targets
Linux. Always specify absolute paths for the fuzzing target and for the CmpLog binary passed to `-c`, never a bare name or a path relative to the working directory.
afl-fuzz -i input -o output -c /absolute/path/to/target.cmplog -- /absolute/path/to/target @@
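The following shell script is an added example, not code from the AFL++ project. It models the failure mode behind this advisory in a plain helper (`resolve_against_cwd`, which looks an unprefixed name up against `$PWD`) next to a hardened helper (`safe_target`, which accepts only absolute paths to existing executables) and a `build_afl_cmd` function that assembles an afl-fuzz command line in which both the target and the `-c` CmpLog binary are absolute. The directory layout in `demo` is constructed for illustration; afl-fuzz itself is never invoked.

```shell
#!/bin/sh
# Added example (not AFL++ code): contrast cwd-based resolution of an
# unprefixed target name with a launcher that insists on absolute paths.

# Vulnerable behaviour modelled here: a name with no leading '/' is resolved
# against the current working directory. Prints the path that would run.
resolve_against_cwd() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$PWD" "$1" ;;
    esac
}

# Hardened behaviour: accept only an absolute path to an existing regular,
# executable file. Prints the path on success; prints nothing and returns 1
# otherwise, so a bare name or relative path can never reach afl-fuzz.
safe_target() {
    case "$1" in
        /*) ;;
        *)  printf 'refusing non-absolute target: %s\n' "$1" >&2; return 1 ;;
    esac
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        printf 'not an executable file: %s\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Build the afl-fuzz command line from vetted absolute paths.
# Usage: build_afl_cmd IN_DIR OUT_DIR TARGET [CMPLOG_BINARY]
build_afl_cmd() {
    in_dir=$1; out_dir=$2; target=$3; cmplog=${4:-}
    t=$(safe_target "$target") || return 1
    if [ -n "$cmplog" ]; then
        c=$(safe_target "$cmplog") || return 1
        printf 'afl-fuzz -i %s -o %s -c %s -- %s @@\n' "$in_dir" "$out_dir" "$c" "$t"
    else
        printf 'afl-fuzz -i %s -o %s -- %s @@\n' "$in_dir" "$out_dir" "$t"
    fi
}

# Constructed layout: the real build lives under bin/, and an attacker has
# planted a file of the same name in the fuzzing working directory work/.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/work"
    printf '#!/bin/sh\necho legit\n' > "$root/bin/target"
    printf '#!/bin/sh\necho PLANTED\n' > "$root/work/target"
    chmod +x "$root/bin/target" "$root/work/target"
    cd "$root/work" || return 1
    echo "cwd lookup of 'target' would run: $(resolve_against_cwd target)"
    echo "hardened lookup of 'target': $(safe_target target 2>&1 || echo '[rejected]')"
    echo "safe command line:"
    build_afl_cmd in out "$root/bin/target" "$root/bin/target"
    cd / && rm -rf "$root"
}

demo
```

Running the script from a directory that contains a planted `target` shows the cwd lookup pointing at the planted file while the hardened helper refuses the bare name outright; only the absolute-path invocation is emitted as a usable afl-fuzz command line.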
🧯 If You Can't Patch
- Run AFL++ in a restricted container or sandbox with minimal privileges
- Implement strict directory permissions and ensure AFL++ runs with least privilege
🔍 How to Verify
Check if Vulnerable:
You are affected if you run AFL++ 4.05c and start afl-fuzz with the `-c` option (CmpLog). afl-fuzz has no `--version` flag; the version is printed in the first line of its usage banner.
Check Version:
afl-fuzz -h 2>&1 | head -n 1
Verify Fix Applied:
After updating, confirm the banner reports a version later than 4.05c. Then start a CmpLog session from a working directory that contains a decoy file with the same bare name as the target and confirm the decoy is not executed, i.e. that unprefixed names are no longer resolved against the current working directory.
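An added shell helper, not part of AFL++, for the version check above. It parses the banner line that afl-fuzz prints at the top of its `-h` output (assumed here to have the form `afl-fuzz++4.05c based on afl by ...`) and flags the release covered by this advisory; `check_installed` runs the real afl-fuzz if one is on `PATH`, while `parse_afl_version` and `is_affected` are pure functions that can be exercised on a constructed banner.

```shell
#!/bin/sh
# Added example (not AFL++ code): extract the afl-fuzz version from its
# usage banner and report whether it is the release this advisory covers.

AFFECTED_VERSION=4.05c

# parse_afl_version BANNER_LINE -> prints e.g. "4.05c", or nothing if the
# line does not look like an afl-fuzz banner (format assumed, see lead-in).
parse_afl_version() {
    printf '%s\n' "$1" | sed -n 's/^afl-fuzz++\([0-9][0-9.]*[a-z]\{0,1\}\).*/\1/p'
}

# is_affected VERSION -> exit status 0 when VERSION is exactly 4.05c
is_affected() {
    [ "$1" = "$AFFECTED_VERSION" ]
}

# check_installed -> 0 if not the affected release, 1 if affected,
# 2 if afl-fuzz is missing or the banner could not be parsed.
check_installed() {
    command -v afl-fuzz >/dev/null 2>&1 || { echo "afl-fuzz not in PATH"; return 2; }
    banner=$(afl-fuzz -h 2>&1 | head -n 1)
    v=$(parse_afl_version "$banner")
    [ -n "$v" ] || { echo "could not parse a version from: $banner"; return 2; }
    if is_affected "$v"; then
        echo "afl-fuzz $v: AFFECTED by CVE-2023-26266 whenever started with -c"
        return 1
    fi
    echo "afl-fuzz $v: not the release covered by this advisory"
    return 0
}

check_installed
```

A non-zero exit status from `check_installed` is meant for use in CI or host inventory scripts; note that it only matches the exact version string, so a patched build that still reports 4.05c (for example a locally rebuilt tree) must be verified with the decoy-file test above instead.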
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from the AFL++ working directory
- afl-fuzz spawning child processes whose executable path does not match the intended target, or with unexpected command-line arguments
Network Indicators:
- Unusual outbound connections from afl-fuzz child processes (fuzzing targets normally make none)
SIEM Query:
process_name:afl-fuzz AND (process_args:*../* OR process_args:*./*)
Caveat: this query also matches legitimate invocations that use a relative target path, so baseline it against known fuzzing jobs. A bare, unprefixed target name (no `/` at all), which is the case this advisory describes, matches neither pattern and must be hunted for separately.