Posted on

mpv media player – mf custom protocol vulnerability (CVE-2021-30145)

The mpv media player provides a custom protocol handler (mf://) in order to merge multiple images to a video. An undocumented feature within this protocol handler allows the usage of a format specifier in the provided URL, which is evaluated using sprintf. This results in both, a format string vulnerability as well as a heap overflow (CVE-2021-30145).

After disclosing the vulnerability to the mpv team on the 3rd April 2021 I got an immediate response. The mpv team took the issue very seriously and immediately started to work on a patch with me. This was the first time I disclosed a vulnerability to an open source project and I was really impressed about the professional reaction and the passionate commitment. The patch was released only two days after my report on the 5th April 2021 (commit). Thanks a lot to avih, sfan5 and jeeb.

The impact of the format string vulnerability is limited on Linux, because the binary is compiled with FORTIFY_SOURCE by default. Though the heap overflow can be used to gain arbitrary code execution by overflowing into an adjacent heap chunk and setting a function pointer to an attacker controlled value. Nevertheless I estimate the probability of exploitation in real life as quite low, because a victim has to be tricked into opening a malicious playlist (e.g. via a URL like http://10.0.0.1/evil.m3u) and the attacker has to have detailed information about the victim’s system to fine-tune the exploit.

Within this article I describe the vulnerability itself as well as the development of a proof of concept exploit for Ubuntu 20.04.2 LTS with ASLR disabled. At the end of the article I outline a few thoughts on how ASLR can be bypassed and what changes if we develop an exploit for Windows. The article is divided into the following sections:

Introduction
Format String Vulnerability
Heap Overflow
Exploitation
Further Thoughts
Conclusion

Continue reading “mpv media player – mf custom protocol vulnerability (CVE-2021-30145)”
Posted on

HACKvent20 writeup

This year’s HACKvent hosted on competition.hacking-lab.com has been as great as every year.
There was a total amount of 28 awesome challenges with varying difficulties.
HV20.(-1) Twelve steps of christmas
HV20.01 Happy HACKvent 2020
HV20.02 Chinese Animals
HV20.03 Packed gifts
HV20.04 Br❤celet
HV20.05 Image DNA
HV20.13 Twelve steps of christmas
HV20.14 Santa’s Special GIFt
HV20.15 Man Commands, Server Lost
HV20.16 Naughty Rudolph
HV20.17 Santa’s Gift Factory Control
HV20.18 Santa’s lost home
HV20.19 Docker Linter Service
HV20.06 Twelve steps of christmas
HV20.07 Bad morals
HV20.08 The game
HV20.09 Santa’s Gingerbread Factory
HV20.10 Be patient with the adjacent
HV20.11 Chris’mas carol
HV20.12 Wiener waltz
HV20.20 Twelve steps of Christmas
HV20.21 Threatened Cat
HV20.22 Padawanlock
HV20.23 Those who make backups are cowards!
HV20.24 Santa’s Secure Data Storage
HV20.H1 It’s a secret!
HV20.H2 Oh, another secret!
HV20.H3 Hidden in Plain Sight
Continue reading “HACKvent20 writeup”
Posted on

ALLES! CTF 2020 – Actual ASLR 1/2

The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.

Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progression step by step even getting a first flag on the way to a full shell, which grants access to the second flag.

The article is divided into the following sections:

Actual ASLR 1
    – Binary
    – Random Algorithm
    – Reimplementation In Python
    – First Flag

Actual ASLR 2
    – Custom Heap
    – Vulnerability
    – Heap Leak
    – Image Base Leak
    – Overwriting Function Pointer
    – Final Exploit

Continue reading “ALLES! CTF 2020 – Actual ASLR 1/2”
Posted on

AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)

One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so I took a look at the remote desktop application AnyDesk, which seems to quickly raise in popularity not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch only three days after my notification (5.5.3) and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all steps, which were involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:

Fuzzing
Bug
Exploit
    – Strategy
    – The v in vsnprintf
    – Gaining arbitrary write
    – Controlling the instruction pointer
    – Hitting our shellcode: dynamic field width
    – Final exploit
Conclusion

Continue reading “AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)”
Posted on

Hack The Box – Rope

This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂

The article is divided into the following parts:

User
    – Initial Recon
    – httpserver
    – Leak Memory Address
    – Exploit Format String Vulnerability
    – Escalating from john to r4j (readlogs)

Root
    – Local Recon
    – contact
    – Bruteforce
    – Libc Leak
    – Final Exploit

Continue reading “Hack The Box – Rope”
Posted on

HACKvent19 writeup

This year’s HACKvent was hosted on the brand new Hacking-Lab 2.0 plattform. Each day from the 1st of december until the 24th a new challenge is published raising in difficulty. The flag format changed from HV18-xxxx-xxxx-xxxx-xxxx-xxxx to HV19{...}. After all I managed to solve all 28 challenges 🙂
Hidden
HV19.H1 Hidden One
HV19.H2 Hidden Two
HV19.H3 Hidden Three
HV19.H4 Hidden Four
Easy
HV19.01 censored
HV19.02 Triangulation
HV19.03 Hodor, Hodor, Hodor
HV19.04 password policy circumvention
HV19.05 Santa Parcel Tracking
HV19.06 bacon and eggs
HV19.07 Santa Rider
Medium
HV19.08 SmileNcryptor 4.0
HV19.09 Santas Quick Response 3.0
HV19.10 Guess what
HV19.11 Frolicsome Santa Jokes API
HV19.12 back to basic
HV19.13 TrieMe
HV19.14 Achtung das Flag
Hard
HV19.15 Santa’s Workshop
HV19.16 B0rked Calculator
HV19.17 Unicode Portal
HV19.18 Dance with me
HV19.19 U+1F385
HV19.20 i want to play a game
HV19.21 Happy Christmas 256
Leet
HV19.22 The command … is lost
HV19.23 Internet Data Archive
HV19.24 ham radio

Continue reading “HACKvent19 writeup”

Posted on

Google CTF 2019 (Quals) – Quantum Key Distribution

This years online qualification for the Google Capture The Flag finals (ctftime.org) ran from 22/06/2019, 00:01 UTC to 23/06/2019 23:59 UTC.

As last year, there were plenty of diversified challenges, which were worked out very well.

I tried to take at least a look at as much challenges as possible and solved the challenge Quantum Key Distribution, which was relatively easy based on the amounts of solves. Within this article I want to share my writeup on this challenge.

The writeup is divided into the following sections:

Continue reading “Google CTF 2019 (Quals) – Quantum Key Distribution”
Posted on

Hacky Easter 2019 writeup

As every year hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. As usual the variety of the challenges was awesome. I actually got full score this year 🙂 Many thanks to daubsi, who gave me a nudge once in a while on the last challenges (you can find his writeup here).
Easy
01 Twisted
02 Just Watch
03 Sloppy Encryption
04 Disco 2
05 Call for Papers
06 Dots
07 Shell we Argument
08 Modern Art
09 rorriM rorriM
Medium
10 Stackunderflow
11 Memeory 2.0
12 Decrypt0r
13 Symphony in HEX
14 White Box
15 Seen in Steem
16 Every-Thing
17 New Egg Design
18 Egg Storage
Hard
19 CoUmpact DiAsc
20 Scrambled Egg
21 The Hunt: Misty Jungle
22 The Hunt: Muddy Quagmire
23 The Maze
24 CAPTEG
Hidden
25 Hidden Egg #1
26 Hidden Egg #2
27 Hidden Egg #3
Continue reading “Hacky Easter 2019 writeup”
Posted on

VolgaCTF 2019 Qualifier – Blind

The VolgaCTF 2019 Qualifier (ctftime.org) took place from 29/03/2019, 15:00 UTC to 31/03/2019 15:00 UTC.

There has been a really interesting RSA crypto challenge called Blind, which I would like to share with you in this writeup.

The article is divided into the following sections:

Challenge description
What does the script do?
Blind RSA Signature
Retrieving the Flag

Continue reading “VolgaCTF 2019 Qualifier – Blind”

Posted on

nullcon HackIM 2019 – babypwn

The nullcon HackIM 2019 CTF (ctftime.org) ran from 01/02/2019, 16:30 UTC to 03/02/2019 04:30 UTC.

I did the pwn challenge babypwn, which was really fun to do. The following article contains my writeup being divided into the following sections:

Challenge description
Security mechanisms and disassembly
Signedness vulnerabilitiy
Format string vulnerabilitiy
Final exploit

Continue reading “nullcon HackIM 2019 – babypwn”