commit 15a2dc79c34c2a9d6634f1a92b12d44f4b62bbcd
parent b1f06a9be6f682a9d0325fd6b790bb24aa2d8745
Author: Louis Burda <quent.burda@gmail.com>
Date: Tue, 1 Jun 2021 23:37:10 +0200
update readme with flagstore 2 info and some fixes
Diffstat:
1 file changed, 41 insertions(+), 26 deletions(-)
diff --git a/documentation/README.md b/documentation/README.md
@@ -29,24 +29,19 @@ RCE Countermeasures
It is good practice to take preventitive measures against unintentional RCE,
which can be used to cause havoc on vulnboxes and make services go mumble.
-1. Enable additional security features via flags during compilation:
+For this reason, additional security features are enabled via compilation flags:
- `CFLAGS = -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2`
+`CFLAGS = -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2`
- - `-fPIE`: enable position independent executable section
- - `-fstack-protector-strong`: enable stack canaries in functions with local variables that are prone to overflow
- - `-D_FORTIFY_SOURCE=2`: gcc buffer overflow detection
- - `-O2`: enable level 2 of compiler optimizations (required for `_FORITFY_SOURCE`)
+- `-fPIE`: enable position independent executable section
+- `-fstack-protector-strong`: enable stack canaries in functions with local variables that are prone to overflow
+- `-D_FORTIFY_SOURCE=2`: gcc buffer overflow detection
+- `-O2`: enable level 2 of compiler optimizations (required for `_FORITFY_SOURCE`)
- `LDFLAGS = -Wl,-z,now -Wl,-z,relro`
+`LDFLAGS = -Wl,-z,now -Wl,-z,relro`
- - `-Wl,-z,now`: tell dynamic linker to resolve symbols ASAP instead of lazy loading
- - `-Wl,-z,relro`: tell dynamic linker to make `got` section read-only after resolving symbols
-
-2. Chroot each service instance via socat so it can only access
- uploaded files and not corrupt the system.
-
-3. Prevent the service binary from creating child processes.
+- `-Wl,-z,now`: tell dynamic linker to resolve symbols ASAP instead of lazy loading
+- `-Wl,-z,relro`: tell dynamic linker to make `got` section read-only after resolving symbols
Checker
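Review bot: The rewritten list keeps the typo `_FORITFY_SOURCE` in the `-O2` bullet (it should read `_FORTIFY_SOURCE`, matching the flag two lines above), and the unchanged intro line above it still says "preventitive" instead of "preventive"; both are worth fixing while this block is being touched. Two substantive points: `-fPIE` in `CFLAGS` only produces position-independent code, so the description "enable position independent executable section" is only true if `-pie` is also passed at link time, and the `LDFLAGS` shown (`-Wl,-z,now -Wl,-z,relro`) do not include it; suggest documenting `-pie` in `LDFLAGS` or stating where it is added. Also, this hunk deletes items 2 and 3 (chroot of each service instance via socat, and preventing the service binary from spawning child processes) without replacing them; if those measures are still applied they should stay documented, and if they were dropped the README should say why, since the paragraph still motivates the section with containing the damage of an RCE.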
@@ -174,18 +169,21 @@ Exploiting
----------
1. Open a session
-2. Use `upload` to upload an STL file and specify a model name ending in `0xff`
+2. Run `upload` to upload an STL file and specify a model name ending in `0xff`
3. Open a new session
-4. Use `search` with the same model name from **step 1** to retrieve to load the
- parsed information of the file you just uploaded
-5. Use `search` again.. this will now use the cached hash which should be empty,
- allowing you to accesss any of the files uploaded by unregistered users
+4. Run `search` with the same model name from **step 1** to load the parsed
+ information from the `info` file and trigger the truncation
+5. Run `search last` to use the cached hash which should be empty,
+ allowing you to accesss any files uploaded by unregistered users
+
+See the `exploit` method of the checker in `checker/src/checker.py`
+for an implementation in python.
Patching
--------
-For an example fix, see the unified format patch `services/src/patches/flagstore1.diff`.
+For an example fix, see the unified format patch `src/patches/flagstore1.diff`.
Vuln 2: Invalid Format String
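Review bot: Step 4 still refers to "the same model name from **step 1**", but the model name is chosen in step 2 (`upload`); step 1 only opens a session, so the cross-reference should be updated to **step 2**. The new step 5 also keeps the misspelling "accesss" from the old text. Minor consistency point: the new patch path `src/patches/flagstore1.diff` and the checker path `checker/src/checker.py` in the same hunk appear to use different base directories; stating the directory both are relative to (the README lives in `documentation/`) would avoid confusion.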
@@ -252,24 +250,41 @@ because most of them only detect overflows on the *stack*.
Since overwriting the global `loggedin` variable gives you
permission to use the `list` command and the `resultdir` has
-not changes (as is usually the case using `auth`), the attacker
+not changed (as is usually the case using `auth`), the attacker
can now list the hashes of all registered users.
-The next step is to reverse the mhash function using the respective
-hashes to log in as them and query information about the files.
+The next step is to find a valid preimage for the hashes obtained
+previously, to log in as them and query information about their files.
+
+To calculate the preimage we choose a seed for srand at random. Then
+we XOR the values encoded in the hex-encoded with calls to rand().
+If the sum of the generated values is greated than the seed we used,
+restart. Otherwise, append some characters to make the sum match
+the seed like it does in mhash. The value of these 'extra' chars
+is irrelevant, since mhash only processes the first 20 chars anyways.
-TODO..
+See `checker/src/revhash/main.c` for an example implementation in C.
Exploiting
----------
-TODO..
+1. Open a session
+2. Run `search \xff\xff\xff\xff\xff000000000000000`
+ .. this is internally passed to mhash and overflows `loggedin`
+3. Run `list` to get list of account hashes
+4. For each hash:
+ - Compute hash preimage and authenticate with it
+ - Run `list` to view info
+
+
+See the `exploit` method of the checker in `checker/src/checker.py`
+for an implementation in python.
Patching
--------
-For an example fix, see the unified format patch `services/src/patches/flagstore2.diff`.
+For an example fix, see the unified format patch `src/patches/flagstore2.diff`.
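Review bot: The new preimage paragraph has a sentence missing its object: "we XOR the values encoded in the hex-encoded with calls to rand()" should name what is hex-encoded (presumably the hash obtained from `list`), and "greated" should be "greater". It would also help to state the condition the loop is restarted on more precisely, i.e. that the sum of the generated values must not exceed the chosen seed so that appended characters can bring the sum up to it. In the Exploiting list, the second step's continuation line starts with ".." which renders oddly; consider folding it into the step as a full sentence, and drop one of the two blank lines before the "See the `exploit` method" paragraph. The `Patching` section only points at `src/patches/flagstore2.diff`; a one-line summary of what the fix changes (e.g. bounding the input that `mhash` processes, which the surrounding text identifies as the root cause) would make the README useful without opening the patch. Same base-directory question as for `flagstore1.diff` applies to the changed path here.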