Thread by @moyix on Thread Reader App
Will still try to do a blog post on my @CSAW_NYUTandon CTF challenge, NERV Center, but for now here's a thread explaining the key mechanics. I put a lot of work into the aesthetics, like this easter egg credits sequence (all ANSI colors+unicode text) that contains key hints:
(Note the karaoke subtitles timed to the credits at the bottom 😁)
But IMO the man page understates the severity of the problem. So what happens if you *do* try to monitor fds greater than 1024? Well, the fd_set struct is just a bitset of 1024 bits (128 bytes). So trying to monitor fds larger than 1024 will cause memory corruption!
And the really cool part (to me) is that a) the corruption is bitwise, since the data structure is a bitset, and b) the exact bits that will be written out of bounds depend on the *state* of the file descriptors being monitored.
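The bit arithmetic behind this, as an added example that is not from the original thread or the challenge source: it models an fd_set-sized bitset followed by one 64-bit neighbour word and puts the unchecked set next to a range-checked one. The layout, the `model` struct and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/select.h>                      /* FD_SETSIZE, 1024 on Linux/glibc */

#define WORD_BITS 64
#define SET_WORDS (FD_SETSIZE / WORD_BITS)   /* 16 words = 128 bytes */

/* Constructed layout (assumption): a bitset the size of fd_set followed by
 * one 64-bit neighbour, kept in a single array so that the out-of-range
 * write is well-defined inside this model. */
struct model {
    uint64_t words[SET_WORDS + 1];           /* words[SET_WORDS] = neighbour */
};

/* An FD_SET-style write with no range check: word fd/64, bit fd%64. */
static void unchecked_set(struct model *m, int fd) {
    if (fd < 0 || fd / WORD_BITS > SET_WORDS) return;   /* limit of the model */
    m->words[fd / WORD_BITS] |= (uint64_t)1 << (fd % WORD_BITS);
}

/* Hardened form: refuse descriptors the bitset cannot represent. */
static int checked_set(struct model *m, int fd) {
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;                           /* close the fd, or use poll() */
    unchecked_set(m, fd);
    return 0;
}

/* Neighbour word after marking every fd in [lo, hi] with the chosen setter. */
uint64_t neighbour_after(int lo, int hi, int use_check) {
    struct model m = {{0}};
    for (int fd = lo; fd <= hi; fd++) {
        if (use_check) (void)checked_set(&m, fd);
        else unchecked_set(&m, fd);
    }
    return m.words[SET_WORDS];
}

int main(void) {
    printf("fds 0..1023, unchecked:    %016llx\n",
           (unsigned long long)neighbour_after(0, 1023, 0));
    printf("fds 1024..1087, unchecked: %016llx\n",
           (unsigned long long)neighbour_after(1024, 1087, 0));
    printf("fds 1024..1087, checked:   %016llx\n",
           (unsigned long long)neighbour_after(1024, 1087, 1));
    return 0;
}
```

In the model, descriptors 1024 through 1087 map one-to-one onto the 64 bits that follow the set, and the range check leaves that word untouched.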
So if the fds correspond to, say, network connections, an attacker can make lots of connections, arrange for them to be in just the right state, and thereby get precise control over the bit pattern that gets written.
select() takes up to three bitsets: readfds, writefds, and exceptfds, so each is susceptible to this overflow. I decided to have the intended overflow occur on exceptfds.
Why? Two reasons: 1) it's third in the argument list so it naturally would be the last one listed in, say, a struct; 2) the fd states can be controlled more easily: with TCP connections, exceptfds is used to indicate connections with pending TCP out-of-band (OOB) data.
So now the basic exploit strategy is clear: make more than 1024 connections to the server, and send TCP OOB data to the ones with fds greater than 1024 to set your desired bit pattern. But exactly what should get overwritten?
What can you do with the ability to control the top 64 bits of a 1024-bit RSA public key N? Well, N = pq, which is hard to factor. But the *corrupted* N' is very likely to be a product of a bunch of smaller primes, which is easy to factor!
(One of the players who solved the challenge during CSAW CTF finals actually found an even sweeter way to exploit this vuln: figure out a bit pattern that makes N *prime* and set that. Then the corresponding private key d is just: pow(65537, -1, n-1). Slick!)
OK, but now on to the important stuff: ~aesthetics~. The theme of the challenge was based around Episode 13 of Neon Genesis Evangelion, which features an Angel that hacks NERV's MAGI supercomputer cluster.
I realized that the three computers in the MAGI cluster (Casper, Balthasar, and Melchior) correspond neatly to the three fd_sets readfds, writefds, and exceptfds. So I was able to make a cute UI that shows the state of the fd_sets in real-time.
– The box on the right turns red when the highest FD is > 1024.
– The UI gets slightly corrupted precisely when there's actual memory corruption happening.
All of the visuals in the challenge were created using plain unicode characters and ANSI colors, so you can just cat the text files to see them (or dump them over a network socket).
Another bit that took some work was making the challenge consistently solvable. With select(), you fill the fd_set with 1s, call select, and the kernel fills the set with the actual fd state. But that means that 1/2 the time the key is corrupted by all 1s instead of your bits!
Second, one variant of the challenge I tried ran into an interesting problem. I considered byte-swapping the key so that players could only set the LSB. But it turns out half of those keys are unusable, because OpenSSL uses Montgomery multiplication, which requires an odd modulus.