HackyEaster was awesome again. From a technical point of view there weren’t too much new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there were a total amount of 37 challenges. These challenges were divided into different levels. You could only proceed to the next level, if you have earned enough points in the current level. I really liked that new idea.
Continue reading “Hacky Easter 2021 writeup”mpv media player – mf custom protocol vulnerability (CVE-2021-30145)
The mpv media player provides a custom protocol handler (mf://) in order to merge multiple images to a video. An undocumented feature within this protocol handler allows the usage of a format specifier in the provided URL, which is evaluated using sprintf. This results in both, a format string vulnerability as well as a heap overflow (CVE-2021-30145).
After disclosing the vulnerability to the mpv team on the 3rd April 2021 I got an immediate response. The mpv team took the issue very seriously and immediately started to work on a patch with me. This was the first time I disclosed a vulnerability to an open source project and I was really impressed about the professional reaction and the passionate commitment. The patch was released only two days after my report on the 5th April 2021 (commit). Thanks a lot to avih, sfan5 and jeeb.
The impact of the format string vulnerability is limited on Linux, because the binary is compiled with FORTIFY_SOURCE by default. Though the heap overflow can be used to gain arbitrary code execution by overflowing into an adjacent heap chunk and setting a function pointer to an attacker controlled value. Nevertheless I estimate the probability of exploitation in real life as quite low, because a victim has to be tricked into opening a malicious playlist (e.g. via a URL like http://10.0.0.1/evil.m3u) and the attacker has to have detailed information about the victim’s system to fine-tune the exploit.
Within this article I describe the vulnerability itself as well as the development of a proof of concept exploit for Ubuntu 20.04.2 LTS with ASLR disabled. At the end of the article I outline a few thoughts on how ASLR can be bypassed and what changes if we develop an exploit for Windows. The article is divided into the following sections:
– Introduction
– Format String Vulnerability
– Heap Overflow
– Exploitation
– Further Thoughts
– Conclusion
HACKvent20 writeup
This year’s HACKvent hosted on competition.hacking-lab.com has been as great as every year. There was a total amount of 28 awesome challenges with varying difficulties. |
ALLES! CTF 2020 – Actual ASLR 1/2
The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.
Within this article I want to share my writeup on the two challenges Actual ASLR 1
and 2
, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progression step by step even getting a first flag on the way to a full shell, which grants access to the second flag.
The article is divided into the following sections:
→Actual ASLR 1
– Binary
– Random Algorithm
– Reimplementation In Python
– First Flag
→Actual ASLR 2
– Custom Heap
– Vulnerability
– Heap Leak
– Image Base Leak
– Overwriting Function Pointer
– Final Exploit
Continue reading “ALLES! CTF 2020 – Actual ASLR 1/2”
AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)
One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so I took a look at the remote desktop application AnyDesk, which seems to quickly raise in popularity not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch only three days after my notification (5.5.3) and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all steps, which were involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:
→ Fuzzing→ Bug
→ Exploit
– Strategy
– The v in vsnprintf
– Gaining arbitrary write
– Controlling the instruction pointer
– Hitting our shellcode: dynamic field width
– Final exploit
→ Conclusion
Continue reading “AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)”
Hack The Box – Rope
This article contains my writeup on the machine Rope
from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂
The article is divided into the following parts:
→ User
– Initial Recon
– httpserver
– Leak Memory Address
– Exploit Format String Vulnerability
– Escalating from john to r4j (readlogs)
→ Root
– Local Recon
– contact
– Bruteforce
– Libc Leak
– Final Exploit