enowars5-service-stldoctor

STL-Analyzing A/D Service for ENOWARS5 in 2021
git clone https://git.sinitax.com/sinitax/enowars5-service-stldoctor

commit 15a2dc79c34c2a9d6634f1a92b12d44f4b62bbcd
parent b1f06a9be6f682a9d0325fd6b790bb24aa2d8745
Author: Louis Burda <quent.burda@gmail.com>
Date:   Tue,  1 Jun 2021 23:37:10 +0200

update readme with flagstore 2 info and some fixes

Diffstat:
Mdocumentation/README.md | 67+++++++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/documentation/README.md b/documentation/README.md @@ -29,24 +29,19 @@ RCE Countermeasures It is good practice to take preventitive measures against unintentional RCE, which can be used to cause havoc on vulnboxes and make services go mumble. -1. Enable additional security features via flags during compilation: +For this reason, additional security features are enabled via compilation flags: - `CFLAGS = -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2` +`CFLAGS = -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2` - - `-fPIE`: enable position independent executable section - - `-fstack-protector-strong`: enable stack canaries in functions with local variables that are prone to overflow - - `-D_FORTIFY_SOURCE=2`: gcc buffer overflow detection - - `-O2`: enable level 2 of compiler optimizations (required for `_FORITFY_SOURCE`) +- `-fPIE`: enable position independent executable section +- `-fstack-protector-strong`: enable stack canaries in functions with local variables that are prone to overflow +- `-D_FORTIFY_SOURCE=2`: gcc buffer overflow detection +- `-O2`: enable level 2 of compiler optimizations (required for `_FORITFY_SOURCE`) - `LDFLAGS = -Wl,-z,now -Wl,-z,relro` +`LDFLAGS = -Wl,-z,now -Wl,-z,relro` - - `-Wl,-z,now`: tell dynamic linker to resolve symbols ASAP instead of lazy loading - - `-Wl,-z,relro`: tell dynamic linker to make `got` section read-only after resolving symbols - -2. Chroot each service instance via socat so it can only access - uploaded files and not corrupt the system. - -3. Prevent the service binary from creating child processes. +- `-Wl,-z,now`: tell dynamic linker to resolve symbols ASAP instead of lazy loading +- `-Wl,-z,relro`: tell dynamic linker to make `got` section read-only after resolving symbols Checker 
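Review bot: In the new CFLAGS/LDFLAGS bullets, `-fPIE` alone only compiles position-independent objects; the link step also needs `-pie` (e.g. `LDFLAGS = -pie -Wl,-z,now -Wl,-z,relro`) unless the toolchain defaults to PIE, so either add it to LDFLAGS or state that the default is relied on, otherwise the "position independent executable" bullet may not hold for the shipped binary. In the same bullets `_FORITFY_SOURCE` is misspelled (`_FORTIFY_SOURCE`), and `-D_FORTIFY_SOURCE=2` enables glibc's fortified wrappers rather than detection in gcc itself, so "gcc buffer overflow detection" is slightly off. The hunk also drops items 2 and 3 (socat chroot, no child processes) without replacement; if those measures are still applied they should keep a mention here, and if they were removed the commit message should say so.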
@@ -174,18 +169,21 @@ Exploiting ---------- 1. Open a session -2. Use `upload` to upload an STL file and specify a model name ending in `0xff` +2. Run `upload` to upload an STL file and specify a model name ending in `0xff` 3. Open a new session -4. Use `search` with the same model name from **step 1** to retrieve to load the - parsed information of the file you just uploaded -5. Use `search` again.. this will now use the cached hash which should be empty, - allowing you to accesss any of the files uploaded by unregistered users +4. Run `search` with the same model name from **step 1** to load the parsed + information from the `info` file and trigger the truncation +5. Run `search last` to use the cached hash which should be empty, + allowing you to accesss any files uploaded by unregistered users + +See the `exploit` method of the checker in `checker/src/checker.py` +for an implementation in python. Patching -------- -For an example fix, see the unified format patch `services/src/patches/flagstore1.diff`. +For an example fix, see the unified format patch `src/patches/flagstore1.diff`. Vuln 2: Invalid Format String 
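Review bot: In step 4, "the same model name from **step 1**" points at the wrong step: the model name is chosen in step 2 (`upload`), so this should read **step 2**. Also `accesss` in step 5 is misspelled. The patch reference changes from `services/src/patches/flagstore1.diff` to `src/patches/flagstore1.diff` while the checker reference added in the same hunk uses a repository-root path (`checker/src/checker.py`); either make both relative to the same base or state that the patch path is relative to the service directory.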
@@ -252,24 +250,41 @@ because most of them only detect overflows on the *stack*. Since overwriting the global `loggedin` variable gives you permission to use the `list` command and the `resultdir` has -not changes (as is usually the case using `auth`), the attacker +not changed (as is usually the case using `auth`), the attacker can now list the hashes of all registered users. -The next step is to reverse the mhash function using the respective -hashes to log in as them and query information about the files. +The next step is to find a valid preimage for the hashes obtained +previously, to log in as them and query information about their files. + +To calculate the preimage we choose a seed for srand at random. Then +we XOR the values encoded in the hex-encoded with calls to rand(). +If the sum of the generated values is greated than the seed we used, +restart. Otherwise, append some characters to make the sum match +the seed like it does in mhash. The value of these 'extra' chars +is irrelevant, since mhash only processes the first 20 chars anyways. -TODO.. +See `checker/src/revhash/main.c` for an example implementation in C. Exploiting ---------- -TODO.. +1. Open a session +2. Run `search \xff\xff\xff\xff\xff000000000000000` + .. this is internally passed to mhash and overflows `loggedin` +3. Run `list` to get list of account hashes +4. For each hash: + - Compute hash preimage and authenticate with it + - Run `list` to view info + + +See the `exploit` method of the checker in `checker/src/checker.py` +for an implementation in python. Patching -------- -For an example fix, see the unified format patch `services/src/patches/flagstore2.diff`. +For an example fix, see the unified format patch `src/patches/flagstore2.diff`.
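Review bot: The new preimage paragraph is missing a noun: "XOR the values encoded in the hex-encoded with calls to rand()" should say what is hex-encoded (presumably the hash obtained from `list`). Also `greated` should be `greater` and `anyways` should be `anyway`. In the exploit steps, the step 2 payload `\xff\xff\xff\xff\xff000000000000000` is exactly 20 characters, matching the "first 20 chars" limit stated above, but the text should say whether the `\xff` bytes are sent raw or as literal escape text, since the cited `checker/src/checker.py` is the only reference for that. Same path inconsistency as in the flagstore 1 hunk: `src/patches/flagstore2.diff` vs. the root-relative `checker/src/...` paths.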