¶ 2024-03-29 - picoCTF - format string vulnerability
¶ Overview
Date: 2024-03-29
Time: 6pm-8pm
Location: GH 224
Host: Zack Sargent
¶ Announcements
Announcements
I sent out the same information via email & discord:
Hey @CST,
¶ NKCyber Weekly Update | 2024-03-25
¶ No Change To CST Meetings
Thank you to everyone who helped me try to find a better time to CST meetings for this last part of the school year.
Looking at the survey I learned that y'all strongly prefer times after 5pm, and that Wednesday evening had three more people available than our normal Friday slot. However, upon trying to act on this information, I have learned that there is a class and lab that uses our computers at that time. After discussing with E-Board, it looks like there isn't a better option than our normal time of Fridays at 6pm. As such, the CST time will not change, but thank you to everyone who helped us explore alternatives. If you're looking for more advanced content with a focus on penetration testing, you may consider Red Team on Wednesdays.
¶ Red Team
Red team will meet on Wednesday at 7 P.M. in GH 240.
Here is the writeup from the last meeting about automatically controlling computers with Rubber Duckys.¶ Research & Development (R&D)
R&D will meet this Thursday at 6 P.M. in GH 224.
Here is the writeup from last Thursday's meeting, on the same topic as Red Team.¶ Cyber Security Training (CST)
CST will meet this Friday from 6 to 8 P.M. in GH 224.
We will be continuing to explore challenges in the picoCTF gym.
Here is the writeup from last Friday.¶ Build Team
Build team has no set meeting times.
Thanks!! See ya around! ٩(◕‿◕。)۶
¶ Meeting Notes
Given that it was the Friday before Easter weekend, there were a number of people who couldn't make it. As such, we tried to stay focused on topics that our group members were interested in.
¶ PicoCTF
We visited the picoCTF gym (https://play.picoctf.org/practice), and we worked on the Stonks challenge.
We stared this challenge by reading through the code, and discussing basic C concepts such as pointers, and the way the code was designed with a Linked List instead of an array. However, I missed the key vulnerabiilty until we looked at the answers online. We watched this video first, which still left us confused, but this video helped us understand the topic more.
I think this wiki article explains the vulnerability well:
¶ Format String Bug
Format String is a dangerous bug that is easily exploitable. If manipulated correctly, you can leverage it to perform powerful actions such as reading from and writing to arbitrary memory locations.
¶ Why it exists
In C, certain functions can take "format specifier" within strings. Let's look at an example:
int value = 1205; printf("Decimal: %d\nFloat: %f\nHex: 0x%x", value, (double) value, value);This prints out:
Decimal: 1205 Float: 1205.000000 Hex: 0x4b5So, it replaced
%dwith the value,%fwith the float value and%xwith the hex representation.This is a nice way in C of formatting strings (string concatenation is quite complicated in C). Let's try print out the same value in hex 3 times:
int value = 1205; printf("%x %x %x", value, value, value);As expected, we get
4b5 4b5 4b5What happens, however, if we don't have enough arguments for all the format specifiers?
int value = 1205; printf("%x %x %x", value);4b5 5659b000 565981b0Erm... what happened here?
The key here is that
printfexpects as many parameters as format string specifiers, and in 32-bit it grabs these parameters from the stack. If there aren't enough parameters on the stack, it'll just grab the next values - essentially leaking values off the stack. And that's what makes it so dangerous.
¶ Other Topics
We also learned about a couple other things worth mentioning.
- https://ascii.theater/ was an interesting diversion into movies streamed via SSH.
ssh -o StrictHostKeyChecking=no watch.ascii.theater- This was created by mscf who is known for effective viral marketing.
- See also: https://thefreemovie.buzz/
- Do you have a 3d printer you want to control remotely or automatically record and take pictures of? Consider OctoPrint! They self-host this at CCHS, and they've been enjoying it a lot.
¶ Afterwards
Afterwards, three of us got dinner at Taco Bell, and continued discussing programming and cybersecurity concepts.
¶ Attendance
7 NKU, 1 CCHS
CampusGroups link: https://cglink.me/2vf/r375742