This is the very long tale of my adventures in fuzzing FastCGI with AFL-Fuzz. If you’re interested in fuzzing a FastCGI binary, look no further.
FastCGI is a binary protocol. In most cases a user interacts with a web server such as nginx or lighttpd, which in turn forwards the request to the FastCGI application over a named pipe (Unix socket) or a TCP connection. The FastCGI application then runs the code that handles the request.
I had access to a binary written in C/C++ which used FastCGI. In fact, FastCGI is used in almost every embedded device. The most popular version is FCGI 2.4.0 by OpenMarket, which is 17 years old.
There is also no documentation or research regarding fuzzing FastCGI (except this one).
According to RFC 3875, an FCGX_Request mainly consists of two parts:
You can’t just send HTTP requests to FastCGI; it’s a binary protocol. The hexdump of a FastCGI request looks like this:
Top = envp. Bottom = params
The above request was captured during research by copying the named pipe and using socat to intercept and log the requests passing through it, with the following command:
socat -t100 -v -x UNIX-LISTEN:fcgi_sock,mode=777,reuseaddr,fork UNIX-CONNECT:fcgi_sock2,raw