Network · C

How to fuzz libssh2

PHP and curl use libssh2 for SFTP — a channel overflow here is remotely exploitable.

libssh2 is the SSH client library used by PHP, curl, and many network management tools. Its channel multiplexing and packet reassembly logic maintains per-channel state with hand-crafted buffer arithmetic, and its key exchange negotiation processes server-supplied algorithm lists without strict length guards.

Common bug classes

  • Heap buffer overflow in SSH channel extended data reassembly
  • Integer overflow in key exchange algorithm list length
  • Out-of-bounds read in RSA/DSA hostkey blob parsing
  • Use-after-free in channel close/EOF race condition
  • Null dereference on server-initiated algorithm renegotiation

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <libssh2.h>

/* libFuzzer entry point (extern "C" because the file is built as C++).
 * Each input is fed to the known_hosts line parser, which base64-decodes
 * and stores the host key blob: a real parser entry point in libssh2. */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (libssh2_init(0) != 0)
    return 0;
  LIBSSH2_SESSION *session = libssh2_session_init();
  if (session) {
    LIBSSH2_KNOWNHOSTS *kh = libssh2_knownhost_init(session);
    if (kh) {
      /* Copy to a NUL-terminated buffer so the parser sees a proper line */
      char *line = (char *)malloc(size + 1);
      if (line) {
        memcpy(line, data, size);
        line[size] = '\0';
        libssh2_knownhost_readline(kh, line, size, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
        free(line);
      }
      libssh2_knownhost_free(kh);
    }
    libssh2_session_free(session);
  }
  libssh2_exit();
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
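A seed-corpus helper, added here as an example and not code from this page or from libssh2: it builds a structurally valid ssh-rsa host key blob (RFC 4251 string/mpint encoding, RFC 4253 key format) and base64-encodes it the way a known_hosts line carries it, so the fuzzer starts inside the hostkey blob parser instead of dying on the key-type check. The function names build_rsa_blob and base64_encode are my own.

```c
#include <stdint.h>
#include <string.h>

/* Append an RFC 4251 "string": 32-bit big-endian length, then the bytes. */
static size_t put_string(uint8_t *out, const uint8_t *s, size_t n) {
  out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
  out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
  memcpy(out + 4, s, n);
  return 4 + n;
}

/* Append an RFC 4251 "mpint": the big-endian magnitude, with a leading 0x00
 * inserted when the top bit is set so the value is read as positive. */
static size_t put_mpint(uint8_t *out, const uint8_t *v, size_t n) {
  int pad = (n > 0 && (v[0] & 0x80)) ? 1 : 0;
  size_t len = n + pad;
  out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
  out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
  if (pad) out[4] = 0;
  memcpy(out + 4 + pad, v, n);
  return 4 + len;
}

/* Wire-format "ssh-rsa" host key blob (RFC 4253 6.6): string "ssh-rsa",
 * mpint e, mpint n. The caller's buffer must hold 11 + elen + nlen + 10 bytes. */
size_t build_rsa_blob(uint8_t *out, const uint8_t *e, size_t elen,
                      const uint8_t *n, size_t nlen) {
  size_t off = put_string(out, (const uint8_t *)"ssh-rsa", 7);
  off += put_mpint(out + off, e, elen);
  off += put_mpint(out + off, n, nlen);
  return off;
}

/* Standard base64 (RFC 4648), '=' padded and NUL-terminated; returns length. */
size_t base64_encode(const uint8_t *in, size_t n, char *out) {
  static const char tbl[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t i, o = 0;
  for (i = 0; i < n; i += 3) {
    uint32_t v = (uint32_t)in[i] << 16;
    if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
    if (i + 2 < n) v |= in[i + 2];
    out[o++] = tbl[(v >> 18) & 63];
    out[o++] = tbl[(v >> 12) & 63];
    out[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
    out[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
  }
  out[o] = '\0';
  return o;
}
```

Each seed file is one line of the form `<host> ssh-rsa <base64 blob>`; vary the e and n lengths (including an n whose top bit is set) so the corpus already covers the mpint padding branch before mutation starts.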

Notable CVEs found by fuzzing

  • CVE-2019-3855
  • CVE-2019-3856