HC's Capture the Flag site
Capture the Flag at Easterhegg 2008
How to report an advisory
We provide a utility to report advisories with the vulnerable image. Just create a user account for yourself and invoke 'reportadvisory'. Alternatively, you can connect to the scoring bot via telnet on port 8080.

When you run the reportadvisory utility for the first time, you will be presented with this message:

READ THIS if this is the first time you report an advisory!

You must use the template that is presented to you. Fill out *all* fields. The following important details must be given for each advisory:

== DESCRIPTION
Describe the nature of the problem; specify the file name and line number(s) of the problematic code. Keep the description as short and accurate as possible.

== IMPACT
Describe the effects the problem can cause. Do not give examples. You may describe in more detail under which circumstances the problem manifests, taking into account interactions with other services or special system configurations.

== FIX
If there is no fix, indicate that. If there is a fix, describe it. If the fix is non-trivial, explain it in detail. Do not send patches or code excerpts.

===== *no* code. *no* pseudocode. =====

_We do not have the time to read your code. Unfortunately._ We will neither be able to look at code that supposedly fixes a reported advisory, nor check whether your exploit code works. Do not send us code. Describe the impact of the hole, not how to exploit it.

===== Things you should not report =====

This is a non-exhaustive list of things not to report:

* Do not report programs with the setuid/setgid flag set. While setuid/setgid is a risky feature, it is not a vulnerability. Find code excerpts that allow actual exploitation of a setuid/setgid program.
* Being able to guess temporary filenames does not indicate a design flaw per se. It is a design flaw only if knowledge of future temporary filenames can be used to exploit a program.
* Do not report rlimit problems. A program that can be convinced to eat up all memory by incoming network traffic is not insecure. Limiting system resources is the job of the administrator. However, a program that fails to handle out-of-memory situations gracefully is vulnerable.
* Do not report configuration errors. While we did intentionally misconfigure some of the services, advisories focus only on programming errors.

===== Miscellaneous =====

If you do not abide by these rules, your advisory will be rejected.

Note: We ask you to use proper grammar and syntax in your advisories. Use full sentences whenever possible.

If you want to change settings you made earlier, or read this message again, check ~/.ctf*

You will find an example below.

NOTE: In our example, the fix is simple. If the solution is more complicated, you *have* to describe it in more detail.

=================================================================

--- SAMPLE CODE ---

#include <stdio.h>
int main(argc, argv)
int argc;
char** argv;
{
    char name[512];
    char pwd[512];
    printf("What's your name: ");
    fflush(stdout);
    gets(name);
    [...]

--- HOW THE SAMPLE CODE IS RUN ---

cc -o login main.c
...
tcpserver 0.0.0.0 12345 ./login

--- SAMPLE ADVISORY ---

New advisory by    : hc
Affected service(s): login
Severity [lmh]     : high

===== Problem =====
The login service is vulnerable to a buffer overflow attack. In line 10 in main.c the insecure 'gets' function is used, which does not bounds check the supplied array.

===== Impact =====
Since the login service gets called from tcpserver and runs with 'daemon' privileges, anyone with access to the computer's network services can induce a buffer overflow that crashes the service and/or leads to remote code execution.

===== Fix =====
Use the safe fgets function instead.
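The fix the sample advisory asks for, as an added example that is not part of the CTF's own code: the same login prompt with gets replaced by fgets, plus handling of the case the advisory does not spell out, an input line longer than the buffer. The helper names and the tmpfile-based way of feeding constructed input are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line into buf (size bytes)
   with fgets, strips the trailing newline, and drains the rest of an
   over-long line so it cannot spill into the next prompt.
   Returns the number of characters stored, or -1 on EOF with nothing read. */
static int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';            /* whole line fit: drop the newline */
    } else {
        int c;                        /* line was truncated: discard remainder */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Test helper (assumption of this example): turns a constructed string
   into a FILE* so the reader can be exercised without tcpserver. */
static FILE *input_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

/* The hardened login prompt: same buffers as the sample, no gets(). */
int main(void)
{
    char name[512];
    char pwd[512];
    printf("What's your name: ");
    fflush(stdout);
    if (read_line_bounded(name, sizeof name, stdin) < 0)
        return 1;
    printf("Password: ");
    fflush(stdout);
    if (read_line_bounded(pwd, sizeof pwd, stdin) < 0)
        return 1;
    printf("Hello, %s\n", name);
    return 0;
}
```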

(C) 2008, Hans-Christian Esperer. Impressum