【HITCON FreeTalk 2022 - 烏俄網路戰 & CTF 經驗分享】 ➠ 我把在網頁框架發現的密碼學漏洞變成 CTF 題了 ➠ Speaker: TSJ CTF 戰隊 黃志仁 (splitline)

1. Hack into the Genie
我把在網頁框架發現的密碼學漏洞變成 CTF 題了
splitline @ HITCON FreeTalk

2. >
- The CTF challenge is designed by both me and @maple3142
- I found the 2 vulnerabilities in Genie.jl and reported
them in issue Genie.jl#493 and #495 (deleted)
- @maple3142 wrote the whole CTF challenge, and reported
the padding bug in Nettle.jl#110
Disclaimer

3. > whoami
- @splitline
- Web 🐶
- NYCU CSIE
- CTF @ ⚔️TSJ⚔️ / 10sec

4. How it Started
欸，Julia 有沒有反
序列化 漏洞R
2 × New Vulnerability
1 × CTF Challenge (?
1 × Real World Case
How it Ended

5. How it Started
欸，Julia 有沒有反
序列化 漏洞R
2 × New Vulnerability
1 × CTF Challenge (?
1 × Real World Case
How it Ended
Ans：有

6. > Julia#32601

7. Julia Web Framework

8. Genie.jl

9. Genie.jl

10. Let's Play a Game CTF

11. > Overview
Sessions.init()
route("/upload", method = POST) do
if infilespayload(:file)
file = filespayload(:file)
path = joinpath(upload_dir, file.name)
write(path, file.data)
# ... Add file path into session ...
end
end

12. > Path Traversal
Sessions.init()
route("/upload", method = POST) do
if infilespayload(:file)
file = filespayload(:file)
path = joinpath(upload_dir, file.name)
write(path, file.data)
# ... Add file path into session ...
end
end
../../../

13. > Session?
Sessions.init()
route("/upload", method = POST) do
if infilespayload(:file)
file = filespayload(:file)
path = joinpath(upload_dir, file.name)
write(path, file.data)
# ... Add file path into session ...
end
end

14. > Session?
1.Serialized data
2.File-based implementation
3.Encrypted session id

15. > Session?
1.Serialized data -> 控制到就能 RCE
2.File-based implementation -> 已可任意寫檔
3.Encrypted session id -> ???

16. AES_CBC::decrypt(__geniesid)
open("sessions/" + <明文 session id (64 bytes)>)
Serialization.deserialize(內容)

17. > AES CBC?
- Padding Oracle?
- Bit Flipping?

18. > AES CBC Decrypt
Decrypt ⚙️
Key 🔑
密文 🔒
Decrypt ⚙️
Key 🔑
密文 🔒
明文 💬 明文 💬
IV

19. > How They Implemented?
Decrypt ⚙️
Key 🔑
密文 🔒
Decrypt ⚙️
Key 🔑
密文 🔒
明文 💬 明文 💬
IV
__geniesid
Genie.secret_token

20. > AES CBC?
- Padding Oracle ❌
1. 密文不包含 IV
2. Unpadding 不會報錯
- Bit Flipping?

21. > AES CBC?
- Padding Oracle ❌
1. 密文不包含 IV
2. Unpadding 不會報錯
- Bit Flipping?
… … … … … … … … … … … … … 01 03 09
正常狀況

22. > AES CBC?
- Padding Oracle ❌
1. 密文不包含 IV
2. Unpadding 不會報錯
- Bit Flipping?
… … … … … … … … … … … … … 01 03 09
最後 9 bytes 皆須為 0x09
Padding Error!
正常狀況

23. > AES CBC?
- Padding Oracle ❌
1. 密文不包含 IV
2. Unpadding 不會報錯
- Bit Flipping?
… … … … … … … … … … … … … 01 03 09
Genie 的做法

24. > AES CBC?
- Padding Oracle ❌
1. 密文不包含 IV
2. Unpadding 不會報錯
- Bit Flipping?
… … … … … … … … … … … … … 01 03 09
Remove 9 bytes without checking
Genie 的做法

25. > AES CBC?
- Padding Oracle?
- Bit Flipping?
- Yes, but…

26. >
遭竄改的密文 🔒
AES CBC Decrypt: Bit Flipping
Decrypt ⚙️
Key 🔑 Decrypt ⚙️
Key 🔑
密文 🔒
垃圾 💩 遭竄改的明文 💬
IV

27. > How to Forge
Block#1 Block#2 Block#3 Block#4 Block#5
Filename[:16] Filename[16:32] Filename[32:48] Filename[48:64] "x10"*16
ForgedCiphertext(block#4) = ("x10"*16) ⊕ Ciphertext(block#4) ⊕ Target(block#5)
(Padding)
<Plaintext>

28. > How to Forge
Block#4 Block#5
Garbage 💩 "x1f"*16
Forged = (("x10" * 16) ⊕ Ciphertext(block#4) ⊕ ("x1f"*16)) + CipherText(block#5)
(Padding)
<New Plaintext>
chr(32 - 1)

29. Block#4 Block#5
Garbage 💩 "x1f"*16
unpad( Filename[:16] + "x1f" * 16 )
Random 1 Byte

30. > Final Exploit
1. 上傳一堆 x01 ~ xff 的檔案到 ../sessions/<byte>
2. 生成惡意的 session id （解密後只會有 1 byte）
3. 用該 session 去 request 兩次
4. pwned!

31. Bonus
http://example.com////etc/passwd
slashes (/) >= 4 -> 任意讀檔！

32. Real World Story

33. > Reference
- Genie https://github.com/GenieFramework/Genie.jl
- CTF Challenge, Write-up and Exploit:
https://github.com/splitline/My-CTF-
Challenges/tree/master/tsj-ctf/genie

34. Thanks for Listening!
</slides>