HC's Capture the Flag website
Advisory #69
From team WiiPhonies
New advisory by : John_K
Affected service(s): VDSI
Severity [lmh] : high
===== Problem =====
VIDs are assigned sequentially instead of randomly
===== Impact =====
Keys are easily obtainable by executing an ID Search starting at 1 until no results are returned
===== Fix =====
--- persondb.adb 2008-12-29 16:07:26.000000000 -0600
+++ persondb.adb 2008-12-29 17:13:07.000000000 -0600
@@ -22,6 +22,11 @@
null;
end Close_DB;
+ procedure Dump_Dummy (p : in Person.Person_Type) is
+ begin
+ null;
+ end;
+
procedure File (db : in out Person_DB;
id : out ID_Type;
first_name : in String;
@@ -29,13 +34,19 @@
comment : in String) is
pos : PersonIO.Count;
f : File_Type;
+ n : Natural;
begin
Lock_File (To_String(db.filename) & ".lock");
+ RandID.Reset(db.idgen);
+ id := RandID.Random(db.idgen);
+ n := Search_By_ID_NL(db, id, Dump_Dummy'Access);
+ while n > 0 loop
+ id := RandID.Random(db.idgen);
+ n := Search_By_ID_NL(db, id, Dump_Dummy'Access);
+ end loop;
+
Open (f, Out_File, To_String(db.filename));
pos := Size (f) + 1;
- -- need to figure out how to avoid collisions
- -- id := RandID.Random(db.idgen)
- id := ID_Type (pos);
Write (f, Person.Person(id, first_name, last_name, comment), pos);
Close (f);
Unlock_File (To_String(db.filename) & ".lock");
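Review bot: The added `RandID.Reset(db.idgen);` re-seeds the generator on every call to File. If RandID is an instantiation of Ada.Numerics.Discrete_Random, a parameterless Reset takes its state from the clock, so each ID follows from the insertion time, and that generator is not a cryptographic one. Since the advisory treats the ID as the key that guards a record, I would drop the per-call Reset and seed `db.idgen` once when the database is opened, with a comment that the ID is only as unguessable as the generator and the range of ID_Type allow. The retry loop also runs one full file scan per attempt between Lock_File and Unlock_File, and nothing visible releases the lock if one of those scans raises. File's declaration and the end of its body lie outside this hunk.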
@@ -76,8 +87,30 @@
Unlock_File (To_String(db.filename) & ".lock");
return n;
end Search_By_Pred;
+ function Search_By_Pred_NL (db : in Person_DB;
+ pred : not null access function (p : Person_Type)
+ return Boolean;
+ process : not null access procedure
+ (p : in Person_Type))
+ return Natural is
+ p : Person_Type;
+ n : Natural := 0;
+ f : File_Type;
+ begin
+ Open (f, In_File, To_String(db.filename));
+ Set_Index(f, 1);
+ while not End_Of_File (f) loop
+ Read (f, p);
+ if pred.all (p) then
+ process.all (p);
+ n := n + 1;
+ end if;
+ end loop;
+ Close (f);
+ return n;
+ end Search_By_Pred_NL;
- function Search_By_ID (db : in Person_DB;
+ function Search_By_ID_NL (db : in Person_DB;
id : ID_Type;
process : not null access procedure
(p : in Person_Type))
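Review bot: Search_By_Pred_NL reaches `Close (f)` only on the normal path, so an exception from Read, `pred.all` or `process.all` leaves the file open. Because File now calls this routine while holding the lock file, the same exception would also leave the lock in place unless a handler outside this hunk deals with it. I would add a handler that closes the file and re-raises. The function also needs a header comment saying that NL means no locking and that the caller must already hold the lock. The body appears to mirror Search_By_Pred, whose body is mostly outside this hunk; if so, Search_By_Pred could take the lock and delegate here instead of keeping two copies of the read loop.

```ada
      -- … unchanged: Open, Set_Index and the read loop …
      Close (f);
      return n;
   exception
      when others =>
         -- Do not leave the handle open when the scan is aborted.
         if Is_Open (f) then
            Close (f);
         end if;
         raise;
   end Search_By_Pred_NL;
```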
@@ -87,8 +120,8 @@
return (Person.ID (p) = id);
end pred;
begin
- return Search_By_Pred (db, pred'Access, process);
- end Search_By_ID;
+ return Search_By_Pred_NL (db, pred'Access, process);
+ end Search_By_ID_NL;
function Search_By_Name (db : Person_DB;
first : String;
@@ -110,4 +143,17 @@
return Search_By_Pred (db, pred'Access, process);
end Search_By_Name;
+ function Search_By_ID (db : in Person_DB;
+ id : ID_Type;
+ process : not null access procedure
+ (p : in Person_Type))
+ return Natural is
+ function pred (p : Person_Type) return Boolean is
+ begin
+ return (Person.ID (p) = id);
+ end pred;
Rating
[1] already reported, but point for the detailed fix :)