This is the very long tale of my adventures in fuzzing FastCGI with AFL-Fuzz. If you’re interested in fuzzing a FastCGI binary, look no further.

What is FastCGI?

FastCGI is a binary protocol. In most cases a user interacts with a web server such as nginx or lighttpd, which in turn communicates with the FastCGI application over a named pipe (Unix socket) or a TCP connection. The FastCGI application then executes the code.

Why FastCGI?

I had access to a binary written in C/C++ which used FastCGI. In fact, FastCGI is used in almost every embedded device. The most popular implementation is FCGI 2.4.0 by Open Market, which is 17 years old.

There is also no documentation or research regarding fuzzing FastCGI (except this one).

FastCGI Requests

According to RFC 3875, an FCGX_Request consists mainly of two parts:

  • envp: The envp is full of meta-variables, some of which are user controlled and others are not. The web server may or may not URL-encode some of these meta-variables.
  • params: 100% user controlled and not modified.

You can’t just send HTTP requests to FastCGI; it’s a binary protocol. The hexdump of a FastCGI request looks like this:

[Figure: hexdump of a captured FastCGI request. Top = envp. Bottom = params]

The above request was captured during research by duplicating the named pipe and using socat to intercept requests with the following command:

socat -t100 -v -x UNIX-LISTEN:fcgi_sock,mode=777,reuseaddr,fork UNIX-CONNECT:fcgi_sock2,raw
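To make a capture like the one above legible, here is an added example (my own code, not from the original post or from the FCGI library) that encodes a request as FastCGI records, using the protocol's name-value pair format for the params, and parses a captured byte stream back into records and params. The record types, the responder role and the length encoding (one byte below 128, otherwise four bytes with the high bit set) are the standard FastCGI format; the function names and the sample request values are my own.

```python
import struct

FCGI_VERSION, FCGI_RESPONDER = 1, 1                     # protocol version; role in BEGIN_REQUEST
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5  # record types used here

def record(rtype, req_id, content):
    # 8-byte header: version, type, requestId, contentLength, paddingLength, reserved
    return struct.pack(">BBHHBB", FCGI_VERSION, rtype, req_id, len(content), 0, 0) + content
def encode_length(n):
    # name/value lengths take 1 byte below 128, else 4 bytes with the high bit set
    return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
def encode_params(params):
    out = b""
    for k, v in params.items():
        k, v = k.encode(), v.encode()
        out += encode_length(len(k)) + encode_length(len(v)) + k + v
    return out
def build_request(params, body=b"", req_id=1):
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, 5 reserved bytes
    return (record(FCGI_BEGIN_REQUEST, req_id, begin)
            + record(FCGI_PARAMS, req_id, encode_params(params))
            + record(FCGI_PARAMS, req_id, b"")   # empty record closes the params stream
            + record(FCGI_STDIN, req_id, body)
            + record(FCGI_STDIN, req_id, b""))   # empty record closes stdin
def parse_records(data):  # -> [(type, requestId, content)], honouring padding bytes
    recs, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        ver, rtype, req_id, clen, plen, _ = struct.unpack_from(">BBHHBB", data, off)
        if ver != FCGI_VERSION or off + 8 + clen + plen > len(data):
            raise ValueError("malformed or truncated record at offset %d" % off)
        recs.append((rtype, req_id, data[off + 8:off + 8 + clen]))
        off += 8 + clen + plen
    return recs
def read_length(content, off):
    if content[off] < 128:
        return content[off], off + 1
    return struct.unpack_from(">I", content, off)[0] & 0x7FFFFFFF, off + 4
def decode_params(content):
    params, off = {}, 0
    while off < len(content):
        klen, off = read_length(content, off)
        vlen, off = read_length(content, off)
        if off + klen + vlen > len(content):
            raise ValueError("name-value pair runs past the record content")
        params[content[off:off + klen].decode()] = content[off + klen:off + klen + vlen].decode()
        off += klen + vlen
    return params
```

Feeding `build_request(...)` output to a FastCGI binary is what the hexdump above corresponds to, and `parse_records` shows the length and padding checks a harness needs before trusting a captured stream.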


Fuzzing FastCGI With AFL-Fuzz