Now Reading
Thread by @moyix on Thread Reader App – Thread Reader App

Thread by @moyix on Thread Reader App – Thread Reader App

2023-11-11 13:59:39

Brendan Dolan-Gavitt Profile picture

Will nonetheless attempt to do a weblog publish on my @CSAW_NYUTandon CTF problem, NERV Heart, however for now here is a thread explaining the important thing mechanics. I put lots of work into the aesthetics, like this easter egg credit score sequence (all ANSI colours+unicode textual content) that incorporates key hints:

@CSAW_NYUTandon (Observe the karaoke subtitles timed to the credit on the backside 😁)

@CSAW_NYUTandon First, the vulnerability. Should you learn the person web page for choose(), you will see this warning: choose() is proscribed to monitoring file descriptors numbered lower than 1024. However trendy techniques can have many extra open information, and importantly the kernel choose() interface is NOT restricted. DESCRIPTION  WARNING: select() can monitor only file descriptors numbers  that  are  less than  FD_SETSIZE  (1024)—an  unreasonably low limit for many modern applications—and this limitation will not change.  All modern  applications  should instead use poll(2) or epoll(7), which do not suffer this limitation.

@CSAW_NYUTandon However IMO the person web page understates the severity of the issue. So what occurs for those who *do* attempt to monitor fds greater than 1024? Properly, the fd_set struct is only a bitset of 1024 bits (128 bytes). So making an attempt to watch fds bigger than 1024 will trigger reminiscence corruption!

@CSAW_NYUTandon And the actually cool half (to me) is {that a}) the corruption is bitwise, for the reason that information construction is a bitset, and b) the precise bits that will probably be written out of bounds depend upon the *state* of the file descriptors being monitored.

@CSAW_NYUTandon So if the fds correspond to, say, community connections, an attacker could make a lot of connections, prepare for them to be in simply the best state, and thereby get exact management over the bit sample that will get written.

@CSAW_NYUTandon (Aspect word: I found this as a result of very outdated variations of QEMU—together with the one utilized by our PANDA 1.0-based malware sandbox—had this bug and visitors may set off it within the SLIRP consumer mode networking by making a lot of connections. Yikes! )bugzilla.redhat.com/show_bug.cgi?i…

@CSAW_NYUTandon choose() takes as much as three bitsets: readfds, writefds, and exceptfds, so every is inclined to this overflow. I made a decision to have the meant overflow happen on exceptfds.

@CSAW_NYUTandon Why? Two causes: 1) it is third within the argument checklist so it naturally could be the final one listed in, say, a struct; 2) the fd states will be managed extra simply—with TCP connections, exceptfds is used to point connections with pending TCP out-of-band (OOB) information.

@CSAW_NYUTandon So now the essential exploit technique is obvious: make greater than 1024 connections to the server, an ship TCP OOB information to those with fds greater than 1024 to set your required bit sample. However precisely what ought to get overwritten?

@CSAW_NYUTandon That is when this problem moved from simply Pwn to Pwn+Crypto 😀 I made a decision to position an RSA public key used for ssh-style problem/response auth proper after the exceptfds bitset, so you’ll be able to management the higher 64 bits utilizing the vuln. Image

@CSAW_NYUTandon What are you able to do with the power to regulate the highest 64 bits of a 1024-bit RSA public key N? Properly, N = pq, which is difficult to issue. However the *corrupted* N’ could be very prone to be a product of a bunch of smaller primes—which is simple to issue!

@CSAW_NYUTandon I first discovered of this trick from the tremendous cool USENIX Safety 2016 paper Flip Feng Shui by Kaveh Razavi, @bjg et al., who used it along with RowHammer and reminiscence deduplication to bypass SSH authentication. usenix.org/conference/use…
Image

@CSAW_NYUTandon (One of many gamers who solved the problem throughout CSAW CTF finals truly discovered a fair sweeter option to exploit this vuln: work out a bit sample that makes N *prime* and set that. Then the corresponding personal key d is simply: pow(65537, -1, n-1). Slick!)

@CSAW_NYUTandon As soon as you’ve got factored the important thing (or made it prime) and discovered the key key d for the corrupted public key, you should use it to forge signatures and bypass the authentication, permitting you to obtain the flag (encrypted with RSA+AES-256-GCM). Image

@CSAW_NYUTandon Okay, however now on to the vital stuff: ~aesthetics~. The theme of the problem was based mostly round Episode 13 of Neon Genesis Evangelion, which options an Angel that hacks NERV’s MAGI supercomputer cluster.

@CSAW_NYUTandon I noticed that three computer systems within the MAGI cluster (Casper, Balthasar, and Melchior) correspond neatly to the three fd_sets readfds, writefds, and exceptds. So I used to be in a position to make a cute UI that exhibits the state of the fd_sets in real-time.

@CSAW_NYUTandon Apart from being my finest try at recreating the UI from the present (pictured right here), the UI components even have some key clues to the vulnerability. Image
@CSAW_NYUTandon – The CODE discipline exhibits the very best file descriptor in use, and the EXTENTION (sic) exhibits the server’s max fd ulimit.
– The field on the best turns crimson when the very best FD is > 1024.
– The UI will get barely corrupted exactly when there’s precise reminiscence corruption occurring. Image

@CSAW_NYUTandon The entire visuals within the problem had been created utilizing plain unicode characters and ANSI colours, so you’ll be able to simply cat the textual content information to see them (or dump them over a community socket).

@CSAW_NYUTandon The credit score sequence was made with some slightly, uh, “tough and prepared” strategies.
@CSAW_NYUTandon The code for credit era can be out there, although it isn’t what I’d name production-quality github.com/moyix/csaw23_n…
@CSAW_NYUTandon Lastly, a bit on the mechanics of growing this problem. First, it ended up being slightly lots of C code, so I used to be tremendous apprehensive about by accident introducing an unintended vuln that might make the problem boring. Image
@CSAW_NYUTandon To protect in opposition to this I wrote a bunch of libfuzzer targets, community torture checks in Python, and conventional CTest unit checks. I feel it labored! I did not hear of anybody discovering a vuln within the problem besides the one I meant.
Image
Image

@CSAW_NYUTandon One other bit that took some work was making the problem constantly solvable. With choose(), you fill the fd_set with 1s, name choose, and the kernel fills the set with the precise fd state. However that signifies that 1/2 the time the secret’s corrupted by all 1s as an alternative of your bits!

@CSAW_NYUTandon This makes exploitation annoying, to say the least. So I launched a mechanism that lets gamers pause and resume the thread calling choose(), so the corrupted key stays in place throughout factoring/signing/encrypting. Image
@CSAW_NYUTandon Oh, a pair extra bits of aesthetics. The sensor port (the one you truly use for the overflow, permits you to take a look at some playing cards for the varied angels:
Image
Image

@CSAW_NYUTandon That performance additionally hides the easter egg: by calling EXAMINE on three angels in a row the place the primary letter of their names spell out “RSA” (e.g., Ramiel, Sandalphon, Adam), you’ll be able to activate the credit score sequence proven within the first tweet.
@CSAW_NYUTandon And I feel it is all the time enjoyable to taunt the gamers slightly bit. That is why while you fail the challenge-response authentication, Asuka exhibits as much as make enjoyable of you. (There are just a few different pictures included for different errors, however they’re more durable to set off.) Image
@CSAW_NYUTandon I discovered just a few enjoyable issues whereas making this problem. First, Python crypto libraries like pycryptodome do NOT take pleasure in working with prime or multi-prime keys. I used OpenSSL immediately as an alternative in my solver, however some gamers monkeypatched the Python library. github.com/moyix/csaw23_n…

@CSAW_NYUTandon Second, one variant of the problem I attempted bumped into an attention-grabbing problem. I thought-about byte-swapping the important thing in order that gamers may solely set the LSB. However it seems half of these keys are unusable, as a result of OpenSSL makes use of Montgomery multiplication, which requires an odd modulus.

@CSAW_NYUTandon Tommaso Gagliardoni of Kudelski Safety additionally steered a variant on the core RSA overwrite that might even have been enjoyable – permit the overwrite to make the important thing BIGGER by extending into adjoining information in reminiscence. Sadly I did not have time to implement this. Image
@CSAW_NYUTandon Okay this thread is now formally WAY too lengthy, so I am going to wrap up by saying that I had a good time writing the problem, and I am thrilled that all of it got here collectively and folks loved enjoying it! The problem supply and solver will be discovered right here: github.com/moyix/csaw23_n…

@CSAW_NYUTandon @threadreaderapp unroll

• • •


Lacking some Tweet on this thread? You possibly can attempt to
force a refresh

 



Source Link

What's Your Reaction?
Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top