slides.md (5069B)
1title: STLDoctor 2output: index.html 3controls: false 4 5-- 6 7<style> 8 9.footnote { 10 font-size: 16pt; 11 position: absolute; 12 color: gray; 13 bottom: 0px; 14 right: 0px; 15} 16 17.slide-content { 18 position: relative; 19} 20 21.slide-content > ul >li { 22 padding: 7px 0px; 23} 24 25.slide-content > p > img { 26 width: 100%; 27} 28 29</style> 30 31-- 32 33<!-- Recap of the service and the problems I 34encountered preparing for the CTF and during the CTF --> 35 36# STLDoctor 💉 37 38-- 39 40### Index 🗄️ 41 42- Service recap 43- Optimization 44- ENOWARS 5 45- Reflection 46 47-- 48 49### Refreshing Memories 💾 50 51- Plaintext service written in C 52- Users upload STL files for parsing 53- Private and public storage (2 flagstores) 54- 1. Vuln: Deserialization 55- 2. Vuln: Hash preimage 56 57<img style="width:300px !important; height:240px; position:absolute; bottom:80px; right:70px;" src="media/stldoc.png"> 58 59-- 60 61### Since Last Meeting ⏩ 62 63<!-- Of these three, we want to take a closer look 64at the performance improvements necessary --> 65 66- Performance improvements 67- Added service fluff 68 69<img id=img1 src="media/stl1.png"> 70<img id=img2 src="media/stl2.png"> 71<img id=img3 src="media/stl3.png"> 72 73<style> 74 #img1 { 75 position: absolute; 76 left: 2.5%; 77 bottom: 7%; 78 width: 30%; 79 } 80 #img2 { 81 position: absolute; 82 left: 35%; 83 bottom: 7%; 84 width: 30%; 85 } 86 #img3 { 87 position: absolute; 88 left: 67.5%; 89 bottom: 7%; 90 width: 30%; 91 } 92</style> 93 94-- 95 96### Issues 😒 97 98<!-- since there were some slow io operations and 99either memory leak issues with pwnlib (witout patch) 100or engine request issues with the patch, 101sooo I decided to refactor to use enochecker3 for asyncio 102 103also noticed that I was checking the same thing multiple times 104in the checker, so tried to condense functionality --> 105 106- Slow search / list operations 107- Enochecker memory leak without patch 108- Engine error on worker restart with patch 109- Logs not showing up in ELK 110 111-- 112 113### Solutions 💡 114 115- Index files with locks for directory listing 116- Refactored checker for asyncio 117- Condensed checker functionality 118- Increase docker-compose log size 119 120-- 121 122# ENOWARS 5 123 124-- 125 126### OSError 💢 127 128- Checker throws `INTERNAL_ERROR` on bad connection 129- Fixed in c97789ad.. of enochecker3 130 131<img style="" src="media/stldoc_dead_offline.png"> 132 133-- 134 135### Checker Overload 💥 136 137<!-- all of a sudden all checker tasks are being aborted. 138Since all tasks were aborted, all workers must be affected 139and a blockage of a single worker could not have been the 140cause.. 141During the ctf we found the checker at high load.. 142Suspected that OFFLINE/unresponsive teams could be slowing 143down the service since then the timeouts are too large and the 144queue couldnt be emptied fast enough --> 145 146- Checker tasks being aborted for every team 147 148<img style="height: 80%" src="media/stldoc_dead_r432.png"> 149 150-- 151 152### Checker Overload 💥 153 154<!-- MEME CREDIT: Liikt --> 155<img style="height: 80%" src="media/stldoc_dead.png"> 156 157-- 158 159### Anomaly 👽 160 161<!-- service didnt timeout except on vulnboxes where everything 162seemed to be running weirdly, so unsure how to debug --> 163 164<img style="" src="media/enowars5-timeout.png"> 165 166-- 167 168### Feedback 🤔 169 170- 1. flagstore exploited after ~4h (R190) 171- 2. flagstore not exploited 172 173<!-- MEME CREDIT: [KuK] cluosh --> 174<img style="position:absolute; right:0px; height:300px; width:450px" src="media/player-meme-struggling.png"> 175<img style="position:absolute; left:0px; height:300px; width: 400px;" src="media/player-meme-hashfunc.png"> 176 177-- 178 179### Conclusion 🎉 180 181- Relatively good uptime 182- Not too easy / hard 183- Users found vulns interesting 184- No (known) unintended vuln 185- Had a lot of fun 186 187-- 188 189-- 190 191### Slow IO 🐌 192 193<!-- Noticed that running 'ls' on the service upload directory 194takes very long 195implementation in e.g. glibc actually pretty sane (see end slides) 196but bad cache performance / buffer not used / docker overlay fs --> 197 198- Enumerating files in a directory is expensive 199- Index file per directory containing file names 200- File locks to ensure exclusive writes 201 202<img style="position:absolute; bottom: 30%; left:10%; width: 70% !important;" src="media/dirlist.png"> 203 204-- 205 206### Investigating `readdir(..)` 🔍 207 208<!-- What makes readdir slow? actually looks like a sane implementation. 209We buffer an amount of entries and rebuffer when we run out. 210My guess is that we can buffer more with a regular file (also we have the choice). 211Better cache performance? 212Although the read is from one location, is probably just an abstraction 213Source: GLIBC 2.0.2--> 214 215`__readdir(..)`: 216 217<img style="" src="media/readdir.png"> 218 219-- 220 221### Investigating `readdir(..)` 🔍 222 223`__get_dir_entries(..)`: 224 225<img style="" src="media/getdirentries.png"> 226 227-- 228 229### Checker Overload 230 231<img style="" src="media/stldoc_dead_r17.png"> 232 233-- 234 235### Checker Overload 236 237<img style="" src="media/stldoc_dead_r469.png"> 238 239-- 240 241 242 243 244 245<script> 246 // var slide_headers = document.querySelectorAll(".slide-content > h3"); 247 // for (var i = 0; i < slide_headers.length; i++) { 248 // var img = document.createElement('img') 249 // img.src = "logo.png"; 250 // img.style = "height: 2.4ex; padding-right: 10px; float:right"; 251 // slide_headers[i].append(img); 252 // } 253</script>