Network · C
How to fuzz libssh
A server-side SSH implementation in C. A parse bug here can mean pre-authentication remote code execution.
libssh is used as a server-side SSH implementation in several products. Its SSH binary packet protocol parser, key exchange state machine, and SFTP subsystem all process attacker-controlled data before authentication, making pre-authentication memory corruption especially severe.
Common bug classes
- Heap buffer overflow in SSH banner string length parsing
- Integer overflow in SSH_MSG_CHANNEL_DATA payload sizing
- Out-of-bounds read in public key DER/PEM import
- Authentication bypass via crafted SSH2_MSG_USERAUTH_REQUEST
- Use-after-free in key re-exchange timeout handler
Recommended setup
Fuzzers
- AFL++
- libFuzzer
- Honggfuzz
Sanitizers
- ASan
- UBSan
Harness scaffold
```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <libssh/libssh.h>

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    /* Fuzz the key import path as a standalone entry point. The public
     * importers take NUL-terminated base64/PEM text, so copy and terminate. */
    ssh_key key = NULL;
    char *buf = malloc(size + 1);
    if (buf == NULL) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    /* Private key: PEM or OpenSSH container, no passphrase or auth callback. */
    if (ssh_pki_import_privkey_base64(buf, NULL, NULL, NULL, &key) == SSH_OK)
        ssh_key_free(key);
    key = NULL;
    /* Public key: the type argument selects which key encoding is parsed. */
    if (ssh_pki_import_pubkey_base64(buf, SSH_KEYTYPE_RSA, &key) == SSH_OK)
        ssh_key_free(key);
    free(buf);
    return 0;
}
```

Save this as `fuzz_target.c`, build with your compiler and sanitizer flags (for example `clang -fsanitize=fuzzer,address,undefined fuzz_target.c -lssh -o fuzz_target`), and you have a working starting point.
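The harness above only reaches the deeper parsing paths if the fuzzer starts from well-formed inputs. The following seed-corpus builder is an added example, not code from this page or from libssh: it encodes the RFC 4251 `string` and `mpint` fields that make up an OpenSSH public-key blob, writes them base64-encoded as the harness expects, and includes a bounds-checking parser to show the length check a C importer must enforce. The key values it writes are constructed, not a real key.

```python
# Added example, not from the page or from libssh: seed inputs for the
# key-import harness. Key values below are constructed, not a real key.
import base64
import os
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, 0x00-prefixed if top bit set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def rsa_pubkey_blob(e: int, n: int) -> bytes:
    """Layout parsed by ssh_pki_import_pubkey_base64 for SSH_KEYTYPE_RSA."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_blob(blob: bytes) -> list:
    """Split a blob into its fields; a declared length that runs past the
    input is rejected, which is the bound a C parser must also enforce."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if ln > len(blob) - off:
            raise ValueError("field length exceeds remaining input")
        fields.append(blob[off:off + ln])
        off += ln
    return fields

def write_seeds(corpus_dir: str) -> list:
    """Write base64 seeds; the harness NUL-terminates and decodes them."""
    os.makedirs(corpus_dir, exist_ok=True)
    # Constructed modulus with the top bit set, so the 0x00-prefix path is hit.
    seeds = {"rsa.seed": rsa_pubkey_blob(65537, (1 << 2047) | 0xABCD),
             "ed25519.seed": ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))}
    paths = []
    for name, blob in seeds.items():
        path = os.path.join(corpus_dir, name)
        with open(path, "wb") as f:
            f.write(base64.b64encode(blob))
        paths.append(path)
    return paths
```

Point the fuzzer at the directory `write_seeds()` creates (for libFuzzer, `./fuzz_target corpus_dir`); the private-key path in the harness still needs PEM seeds, which `ssh-keygen` can produce.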
Notable CVEs found by fuzzing
- CVE-2018-10933