Showing posts from March, 2009

CodeGate 2009's Challenge 18 - Diffie-Hellman parameter tampering case study

1 Introduction
Last week I joined team CLGT to take part in CodeGate 2009, organized by BeistLab. There were 21 challenges. This post is about challenge 18 which, IMHO, is one of the most interesting. You can download the full report from CLGT here.

Only two teams managed to nail #18, and, unfortunately, we were not one of them. We were very close, just minutes away from the final solution, but could not manage to solve it before the contest ended. Anyway, we're writing this writeup because we like it.

This is a cryptography challenge. The objective is to decrypt the communication between a server and a client, which run a protocol involving the RSA digital signature algorithm [1], the Diffie-Hellman key agreement protocol [2], and the AES block cipher [3].

Section 2 describes the protocol and its setting in detail. Section 3 discusses some vulnerabilities of the protocol. Section 4 describes how we nailed it. Section 5 discusses some ways to fix it. Section 6 concludes.
2 The Protocol
As we s…

Spot the vulnerability challenges

Earlier this week, choc_, a friend of mine, started posting several small C programs to HVAOnline, asking folks at that popular security forum to find, exploit, and fix the vulnerabilities in those programs.

I found those challenges very interesting, and some of them are quite difficult to solve if you don't understand how C stores and interprets integer values. They remind me of the great code auditing book "The Art of Software Security Assessment", in which the authors dedicate a whole chapter to C language issues, especially those that occur when you use integers in the wrong way.

Here are some of the challenges. I hope you find them interesting.

Challenge 1
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    if (argc != 3)
        return 1;
    /* Size of the buffer that will hold both arguments joined together. */
    unsigned short int x = strlen(argv[1]) + strlen(argv[2]);
    char *buf = (char *)malloc(x);
    strcpy(buf, argv[1]);
    strcat(buf, argv[2]);
    return 0;
}
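
As an added example that is not part of choc_'s challenge or this post, the code below reproduces the narrowing that Challenge 1 performs when the two lengths are summed into an unsigned short, and puts a hardened version of the same concatenation beside it (the function names are mine):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the challenge: both strlen() results are size_t, but their sum
 * is stored in a 16-bit unsigned short, so any total >= 65536 wraps. */
unsigned short truncated_alloc_size(size_t len1, size_t len2) {
    unsigned short x = len1 + len2; /* implicit narrowing, as in the challenge */
    return x;
}

/* Hardened version: keep the full width, reject sums that would overflow,
 * and reserve the extra byte for the terminator that strcpy/strcat write
 * (even without wraparound, the challenge's malloc(x) is one byte short). */
char *safe_concat(const char *a, const char *b) {
    size_t la = strlen(a);
    size_t lb = strlen(b);
    if (la >= SIZE_MAX - lb)        /* la + lb + 1 would not fit in size_t */
        return NULL;
    size_t total = la + lb + 1;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, a, la);
    memcpy(buf + la, b, lb + 1);    /* copies b together with its NUL */
    return buf;
}
```

With two 40,000-byte arguments the challenge's x becomes 14464, so malloc() returns a buffer far smaller than the 80,000 bytes strcpy() and strcat() go on to write; safe_concat() allocates 80,001 bytes instead.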

Challenge 2

#include
#include

int main(int argc, char **argv)
{
    int x, y;
    if (argc != 3)
        return 0;
    x …