c0ffee.me / Viewing the contents of a zip as a tree <p>I was building some jar’s for a Jenkins shared pipeline and trying to validate what files/folders were included in the result. Normally I use the <code class="language-plaintext highlighter-rouge">tree</code> command to inspect directories like this, as it makes more visual sense to me. However to view the contents of a zip we have to do something like <code class="language-plaintext highlighter-rouge">unzip -l filename.zip</code> which gives us a pretty verbose and difficult to understand result (at least to me).</p> <h2 id="solution">Solution</h2> <p>Add a the following function to my ~/.zshrc</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">function </span>tree<span class="o">()</span> <span class="o">{</span> <span class="nv">arr</span><span class="o">=(</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="o">)</span> <span class="k">if</span> <span class="o">(</span> file <span class="nv">$arr</span><span class="o">[</span><span class="nt">-1</span><span class="o">]</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'Zip archive'</span> <span class="o">)</span> <span class="p">;</span> <span class="k">then </span><span class="nb">tar </span>tf <span class="nv">$arr</span><span class="o">[</span><span class="nt">-1</span><span class="o">]</span> | tree <span class="k">${</span><span class="nv">arr</span><span class="p">[@]</span>:0:-1<span class="k">}</span> <span class="nt">--fromfile</span> <span class="nb">.</span> <span class="k">else </span><span class="nb">command </span>tree <span class="nv">$@</span> <span class="k">fi</span> <span class="o">}</span> </code></pre></div></div> <p>Now we can <code class="language-plaintext highlighter-rouge">tree somefolder</code> just as well as <code class="language-plaintext highlighter-rouge">tree somejar.jar</code>, or any other Zip archive! For example:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>» tree ~/.m2/repository/org/testng/testng/6.13.1/testng-6.13.1.jar <span class="nb">.</span> ├─ com │ └─ beust │ └─ testng │ └─ TestNG.class ├─ META-INF │ ├─ services │ │ └─ org.testng.xml.ISuiteParser │ └─ MANIFEST.MF ├─ org │ └─ testng │ ├─ annotations │ │ ├─ AfterClass.class │ │ ├─ AfterGroups.class │ │ ├─ AfterMethod.class │ │ ├─ AfterSuite.class │ │ ├─ AfterTest.class │ │ ├─ BeforeClass.class </code></pre></div></div> Fri, 07 Jul 2023 00:00:00 -0500 /2023/07/07/zip-tree.html /2023/07/07/zip-tree.html Adding a new discord bot <p>When writing a discord bot, even if only for your own server, you need to use oauth to validate it. I wrote the following script to make it easy on myself, since i’m more than likely to do it again and forget how in the future. Make sure you have <code class="language-plaintext highlighter-rouge">bottle</code>, <code class="language-plaintext highlighter-rouge">requests</code> and <code class="language-plaintext highlighter-rouge">discordpy</code> (the bot framework i was writing in) runt hen simply browse to http://localhost:8080</p> <p>Note that this requests <code class="language-plaintext highlighter-rouge">Permissions(8)</code> which is Administrator and only the scopes <code class="language-plaintext highlighter-rouge">bot</code>. You can change that at will - infact I suggest you don’t grant Admin.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="n">os</span><span class="p">,</span> <span class="n">requests</span><span class="p">,</span> <span class="n">string</span><span class="p">,</span> <span class="n">random</span> <span class="kn">from</span> <span class="n">bottle</span> <span class="kn">import</span> <span class="n">request</span><span class="p">,</span> <span class="n">route</span><span class="p">,</span> <span class="n">run</span><span class="p">,</span> <span class="n">abort</span><span class="p">,</span> <span class="n">redirect</span> <span class="kn">from</span> <span class="n">discord.utils</span> <span class="kn">import</span> <span class="n">oauth_url</span> <span class="kn">from</span> <span class="n">discord</span> <span class="kn">import</span> <span class="n">Permissions</span> <span class="n">state</span> <span class="o">=</span> <span class="sh">''</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">ascii_letters</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">10</span><span class="p">))</span> <span class="nd">@route</span><span class="p">(</span><span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">():</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">oauth_url</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">CLIENT_ID</span><span class="sh">'</span><span class="p">],</span> <span class="n">permissions</span><span class="o">=</span><span class="nc">Permissions</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="n">redirect_uri</span><span class="o">=</span><span class="sh">'</span><span class="s">http://localhost:8080/oauth</span><span class="sh">'</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">bot</span><span class="sh">'</span><span class="p">],</span> <span class="n">state</span><span class="o">=</span><span class="n">state</span><span class="p">))</span> <span class="nd">@route</span><span class="p">(</span><span class="sh">'</span><span class="s">/oauth</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">exchange_code</span><span class="p">():</span> <span class="n">code</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="n">code</span> <span class="n">incstate</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="n">state</span> <span class="k">if</span> <span class="n">incstate</span> <span class="o">!=</span> <span class="n">state</span><span class="p">:</span> <span class="nf">abort</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="sh">"</span><span class="s">State mismatch somehow, are you being hacked...?</span><span class="sh">"</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">client_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">CLIENT_ID</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">client_secret</span><span class="sh">'</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">CLIENT_SECRET</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">grant_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">authorization_code</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">code</span><span class="sh">'</span><span class="p">:</span> <span class="n">code</span><span class="p">,</span> <span class="sh">'</span><span class="s">redirect_uri</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">http://localhost:8080/oauth</span><span class="sh">'</span> <span class="p">}</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/x-www-form-urlencoded</span><span class="sh">'</span><span class="p">}</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">'</span><span class="s">https://discord.com/api/oauth2/token</span><span class="sh">'</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">if</span> <span class="mi">400</span> <span class="o">&gt;</span> <span class="n">r</span><span class="p">.</span><span class="n">status_code</span> <span class="o">&gt;=</span> <span class="mi">200</span><span class="p">:</span> <span class="n">rdata</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">rdata</span><span class="p">[</span><span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">]</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Successfully added bot</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="nf">abort</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="sh">"</span><span class="s">Failed to use code to auth</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">isfile</span><span class="p">(</span><span class="sh">'</span><span class="s">.env</span><span class="sh">'</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">.env</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">k</span><span class="p">]</span> <span class="o">=</span> <span class="n">v</span> <span class="k">assert</span> <span class="sh">'</span><span class="s">CLIENT_ID</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span> <span class="k">assert</span> <span class="sh">'</span><span class="s">CLIENT_SECRET</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span> <span class="k">assert</span> <span class="sh">'</span><span class="s">BOT_TOKEN</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">Open http://localhost:8080 in your browser</span><span class="sh">'</span><span class="p">)</span> <span class="nf">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">'</span><span class="s">localhost</span><span class="sh">'</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8080</span><span class="p">,</span> <span class="n">debug</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre></div></div> Sun, 30 Oct 2022 00:00:00 -0500 /2022/10/30/discord-oauth.html /2022/10/30/discord-oauth.html Adding TLS to edgeos via acme.sh <p>Basic guidelines to setup acme.sh with your dnsapi</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>./acme.sh <span class="nt">--install</span> <span class="nt">--home</span> /config/auth/.acme.sh <span class="nt">--config-home</span> <span class="c"># see https://github.com/acmesh-official/acme.sh/wiki/dnsapi</span> <span class="nv">$ </span>./acme.sh <span class="nt">--issue</span> <span class="nt">--dns</span> ... your dns here ... <span class="nt">-d</span> router.your.domain <span class="nv">$ </span><span class="nb">sudo chown </span>root.root /config/auth/.acme.sh/router.your.domain/<span class="k">*</span> <span class="nv">$ </span><span class="nb">cat</span> /config/auth/.acme.sh/router.your.domain/router.your.domain.key <span class="o">&gt;&gt;</span> /config/auth/.acme.sh/routeryour.domain/fullchain.cer <span class="nv">$ </span>configure <span class="nv">$ </span><span class="nb">set </span>service gui cert-file /config/auth/.acme.sh/router.your.domain/fullchain.cer <span class="nv">$ </span>commit <span class="nv">$ </span>save </code></pre></div></div> <p>Got errors? See if the service came up via <code class="language-plaintext highlighter-rouge">service lighttpd status</code></p> <p>Want to see real error messages? <code class="language-plaintext highlighter-rouge">/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf</code></p> Sat, 15 Oct 2022 00:00:00 -0500 /2022/10/15/home-edge-tls.html /2022/10/15/home-edge-tls.html Java URL Pattern Matching Gotchas <p>Many security features in Java rely on endpoint pattern matching which allow for URL pattern matching bypasses if not careful. Additionally Spring MVC and Spring Security together introduces are a few gotcha’s during implementation.</p> <h2 id="security-constraint-matching">Security Constraint Matching</h2> <p>The most basic form of authentication within Java is using the <code class="language-plaintext highlighter-rouge">&lt;security-constraint/&gt;</code> tag. The following is an example constraint restricting access to /basic endpoint using Basic auth.</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml"><span class="c">&lt;!-- Basic Security --&gt;</span> <span class="nt">&lt;security-constraint&gt;</span> <span class="nt">&lt;web-resource-collection&gt;</span> <span class="nt">&lt;web-resource-name&gt;</span>baisc auth restriction<span class="nt">&lt;/web-resource-name&gt;</span> <span class="nt">&lt;url-pattern&gt;</span>/basic<span class="nt">&lt;/url-pattern&gt;</span> <span class="nt">&lt;/web-resource-collection&gt;</span> … <span class="nt">&lt;/security-constraint&gt;</span></code></pre></figure> <p>All official Java documentation uses the url-pattern <code class="language-plaintext highlighter-rouge">/*</code>, though details for <code class="language-plaintext highlighter-rouge">&lt;url-pattern/&gt;</code> can be found in section 12.2 of the 3.0 servlet specification. The following details mapping test-cases which have standard Java servlets mapped to /basic</p> <table> <thead> <tr> <th>Servlet Map</th> <th><code class="language-plaintext highlighter-rouge">&lt;url-pattern/&gt;</code></th> <th>Request</th> <th>Response Code</th> </tr> </thead> <tbody> <tr> <td>/basic</td> <td><code class="language-plaintext highlighter-rouge">/basic*</code></td> <td><code class="language-plaintext highlighter-rouge">GET /basic</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/basic</td> <td><code class="language-plaintext highlighter-rouge">/basic/</code></td> <td><code class="language-plaintext highlighter-rouge">GET /basic</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/basic</td> <td><code class="language-plaintext highlighter-rouge">/basic/*</code></td> <td><code class="language-plaintext highlighter-rouge">GET /basic</code></td> <td><span style="color:#396">401</span></td> </tr> <tr> <td>/basic</td> <td><code class="language-plaintext highlighter-rouge">/basic</code></td> <td><code class="language-plaintext highlighter-rouge">GET /basic</code></td> <td><span style="color:#396">401</span></td> </tr> </tbody> </table> <p>Wild cards do not function as expected, and only by leaving out extensions for a literal matching or using <code class="language-plaintext highlighter-rouge">/*</code> can servlet patterns be correctly matched.</p> <h2 id="security-constraints-with-spring-mvc">Security Constraints with Spring MVC</h2> <p>However if, for example, using the &lt;security-restraint/&gt; function to protect Spring MVC controllers the following is observed:</p> <table> <thead> <tr> <th>MVC Map</th> <th><code class="language-plaintext highlighter-rouge">&lt;url-pattern/&gt;</code></th> <th>Request</th> <th>Response Code</th> </tr> </thead> <tbody> <tr> <td>/mvcpoint</td> <td><code class="language-plaintext highlighter-rouge">/mvcpoint*</code></td> <td><code class="language-plaintext highlighter-rouge">GET /mvcpoint</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/mvcpoint</td> <td><code class="language-plaintext highlighter-rouge">/mvcpoint/</code></td> <td><code class="language-plaintext highlighter-rouge">GET /mvcpoint</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/mvcpoint</td> <td><code class="language-plaintext highlighter-rouge">/mvcpoint/*</code></td> <td><code class="language-plaintext highlighter-rouge">GET /mvcpoint.</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/mvcpoint</td> <td><code class="language-plaintext highlighter-rouge">/mvcpoint</code></td> <td><code class="language-plaintext highlighter-rouge">GET /mvcpoint/</code></td> <td><span style="color:#f00">200</span></td> </tr> <tr> <td>/mvcpoint</td> <td><code class="language-plaintext highlighter-rouge">/mvcpoint*/*</code></td> <td><code class="language-plaintext highlighter-rouge">GET /mvcpoint</code></td> <td><span style="color:#f00">200</span></td> </tr> </tbody> </table> <p>The lesson here is never use standard <code class="language-plaintext highlighter-rouge">&lt;security-constraint/&gt;</code> methods when attempting to restrict endpoints which are not servlets. We will touch on the use of the . below.</p> <h2>Spring Security Pattern Matching</h2> <p>Security interceptors used by Spring Security use ANT pattern matching. This type of matching is different from Regex. See the <a href="https://ant.apache.org/manual/dirtasks.html#patterns">ANT documentation on patterns</a> for specifics.</p> <p>The following is an example of a Spring Security URL pattern constraint:</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml"><span class="nt">&lt;http&gt;</span> <span class="nt">&lt;intercept-url</span> <span class="na">pattern=</span><span class="s">"/welcome*"</span> <span class="na">access=</span><span class="s">"ROLE_USER"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;http-basic</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/http&gt;</span></code></pre></figure> <p>The following is a test table showing various patterns, and their bypass:</p> <table> <thead> <tr> <th>MVC Map</th> <th><intercept-url></intercept-url></th> <th>Request</th> <th>Response Code</th> </tr> </thead> <tbody> <tr> <td>/mvcpoint</td> <td>/mvcpoint*</td> <td>GET /mvcpoint/</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint/</td> <td>GET /mvcpoint</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint/*</td> <td>GET /mvcpoint</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint**</td> <td>GET /mvcpoint/</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint/**</td> <td>GET /mvcpoint.</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint</td> <td>GET /mvcpoint.</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint<em>/</em></td> <td>GET /mvcpoint</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint<em>*/</em></td> <td>GET /mvcpoint</td> <td>200</td> </tr> <tr> <td>/mvcpoint</td> <td>/mvcpoint*/**</td> <td>GET /mvcpoint.</td> <td>401</td> </tr> </tbody> </table> <p>The table shows that only a single spring-security pattern (*/**) is able to secure against unauthorized access. To discover why, we must dig deeper.</p> <h2>Spring MVC with Spring Security</h2> <p>The problem arises in spring-mvc and its handling of extensions. We are able to supply an incomplete extension (note the trailing . on the requests) to spring-security which results in the bypass of the rule. When the incomplete extension gets to spring-mvc however, the incomplete extension is treated as erroneous and automatically returns the original mapping.</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">private</span> <span class="nc">String</span> <span class="nf">getMatchingPattern</span><span class="o">(</span><span class="nc">String</span> <span class="n">pattern</span><span class="o">,</span> <span class="nc">String</span> <span class="n">lookupPath</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">pattern</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">pattern</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">useSuffixPatternMatch</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">useSmartSuffixPatternMatch</span><span class="o">(</span><span class="n">pattern</span><span class="o">,</span> <span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">extension</span> <span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">fileExtensions</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">pathMatcher</span><span class="o">.</span><span class="na">match</span><span class="o">(</span><span class="n">pattern</span> <span class="o">+</span> <span class="n">extension</span><span class="o">,</span> <span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">pattern</span> <span class="o">+</span> <span class="n">extension</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">hasSuffix</span> <span class="o">=</span> <span class="n">pattern</span><span class="o">.</span><span class="na">indexOf</span><span class="o">(</span><span class="sc">'.'</span><span class="o">)</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="o">;</span> <span class="k">if</span> <span class="o">(!</span><span class="n">hasSuffix</span> <span class="o">&amp;</span><span class="n">amp</span><span class="o">;&amp;</span><span class="n">amp</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">pathMatcher</span><span class="o">.</span><span class="na">match</span><span class="o">(</span><span class="n">pattern</span> <span class="o">+</span> <span class="s">".*"</span><span class="o">,</span> <span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">pattern</span> <span class="o">+</span> <span class="s">".*"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">pathMatcher</span><span class="o">.</span><span class="na">match</span><span class="o">(</span><span class="n">pattern</span><span class="o">,</span> <span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">pattern</span><span class="o">;</span> <span class="o">}</span> <span class="kt">boolean</span> <span class="n">endsWithSlash</span> <span class="o">=</span> <span class="n">pattern</span><span class="o">.</span><span class="na">endsWith</span><span class="o">(</span><span class="s">"/"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">useTrailingSlashMatch</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">endsWithSlash</span> <span class="o">&amp;</span><span class="n">amp</span><span class="o">;&amp;</span><span class="n">amp</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">pathMatcher</span><span class="o">.</span><span class="na">match</span><span class="o">(</span><span class="n">pattern</span> <span class="o">+</span> <span class="s">"/"</span><span class="o">,</span> <span class="n">lookupPath</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">pattern</span> <span class="o">+</span><span class="s">"/"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">useSmartSuffixPatternMatch</span><span class="o">(</span><span class="nc">String</span> <span class="n">pattern</span><span class="o">,</span> <span class="nc">String</span> <span class="n">lookupPath</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(!</span><span class="k">this</span><span class="o">.</span><span class="na">fileExtensions</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">()</span> <span class="o">&amp;</span><span class="n">amp</span><span class="o">;&amp;</span><span class="n">amp</span><span class="o">;</span> <span class="n">lookupPath</span><span class="o">.</span><span class="na">indexOf</span><span class="o">(</span><span class="sc">'.'</span><span class="o">)</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="o">)</span> <span class="o">;</span> <span class="o">}</span></code></pre></figure> <p>org.springframework.web.servlet.mvc.condition.PatternsRequestCondition.java starting at line 223</p> <p>The code, upon being passed to spring mvc as such</p> <pre class="brush:java">getMatchingPattern("/basic2", "/basic2.")</pre> <p>Will end up in the following block because of useSmartSuffixPatternMatch evaluating to false.</p> <pre class="brush:java">boolean hasSuffix = pattern.indexOf('.') != -1; if (!hasSuffix &amp;&amp; this.pathMatcher.match(pattern + ".*", lookupPath)) { return pattern + ".*"; }</pre> <p>This results in the return of “/basic2.<em>” due to the pathMatcher automatically appending .</em> to the pattern. In the end this function will find the correct controller mapping in spite of the added period.</p> <h2>Summary</h2> <ul> <li>Only protect servlets with the &lt;security-constraint/&gt; element</li> <li>Always use /* when defining &lt;security-constraint/&gt;  patterns</li> <li>Always use */** when defining &lt;intercept-url/&gt; patterns</li> </ul> Wed, 02 Apr 2014 00:00:00 -0500 /security/2014/04/02/java-url-pattern-matching-gotchas.html /security/2014/04/02/java-url-pattern-matching-gotchas.html Compiling iOS Libraries using Theos <p>If you want to compile a shared library for iOS, particularly for Mobile Substrate, here are some easy enough steps to do it all via CLI.</p> <h2>Setup</h2> <p>You need Theos installed, normally into /opt/theos. Follow the getting started guide</p> <ul> <li><a href="http://iphonedevwiki.net/index.php/Theos/Getting_Started">http://iphonedevwiki.net/index.php/Theos/Getting_Started</a></li> </ul> <p>Then create a new Theo project. The following is named SampleCrack</p> <pre class="brush:shell">user@myhost&gt; $THEOS/bin/nic.pl NIC 2.0 - New Instance Creator ------------------------------ [1.] iphone/application [2.] iphone/library [3.] iphone/preference_bundle [4.] iphone/tool [5.] iphone/tweak Choose a Template (required): 2 Project Name (required): SampleCrack Package Name [com.yourcompany.samplecrack]: Author/Maintainer Name [c0ffee]: Instantiating iphone/library in samplecrack/... Done.</pre> <p>Then look about</p> <pre class="brush:shell">user@myhost&gt; cd samplecrack user@myhost&gt; ls ./working/samplecrack Makefile SampleCrack.mm control theos</pre> <p>We are going to be using captain hook. Check it out</p> <pre class="brush:shell">user@myhost&gt; git clone git://github.com/rpetrich/CaptainHook.git</pre> <h2>Write</h2> <p>Then let’s write the code, make sure you mod it to your liking, sadly there are no docs for CaptainHook.</p> <pre class="brush:shell">user@myhost&gt; cat &gt; SampleCrack.h</pre> <pre class="brush:c">#import &lt;Foundation/Foundation.h&gt; @interface SampleCrack : NSObject @end</pre> <pre class="brush:shell">user@myhost&gt; cat &gt; SampleCrack.mm</pre> <pre class="brush:c">#import "SampleCrack.h" #import "Foundation/Foundation.h" #import "CaptainHook/CaptainHook.h" #include "notify.h" @implementation SampleCrack -(id)init { if ((self = [super init])){} return self; } @end @class SampleAppViewController; CHDeclareClass(SampleAppViewController); CHOptimizedMethod(0, self, _Bool, SampleAppViewController, isDeviceRooted) { NSLog(@"####### isJailBroken hooked"); // Logging saves lives return true; } CHConstructor { @autoreleasepool { CHLoadLateClass(SampleAppViewController); CHHook(0, SampleAppViewController, isDeviceRooted); // register hook } }</pre> <h2>Build</h2> <p>Then we compile:</p> <pre class="brush:shell">user@myhost&gt; make</pre> <p>If you get an error that looks anything like the following:</p> <pre class="brush:shell">./working/samplecrack/theos/include/IOSurface/IOSurface.h:20:10: fatal error: 'IOSurface/IOSurfaceAPI.h' file not found #include &lt;IOSurface/IOSurfaceAPI.h&gt;</pre> <p>Then try including the IOSurfaceAPI.h in, I had to do this on lion.</p> <pre class="brush:shell">&gt; cp /System/Library/Frameworks/IOSurface.framework/Headers/IOSurfaceAPI.h ./theos/include/IOSurface/</pre> <p>You will probably need to comment out the following lines also:</p> <pre class="brush:c"> /* This call lets you get an xpcobject_t that holds a reference to the IOSurface. Note: Any live XPC objects created from an IOSurfaceRef implicity increase the IOSurface's global use count by one until the object is destroyed. */ // xpc_object_t IOSurfaceCreateXPCObject(IOSurfaceRef aSurface) // IOSFC_AVAILABLE_STARTING(_MAC_10_7, __IPHONE_NA); /* This call lets you take an xpcobject_t created via IOSurfaceCreatePort() and recreate an IOSurfaceRef from it. */ // IOSurfaceRef IOSurfaceLookupFromXPCObject(xpc_object_t xobj) // IOSFC_AVAILABLE_STARTING(_MAC_10_7, __IPHONE_NA);</pre> <p>See <a href="http://stackoverflow.com/questions/10891846/error-compiling-tweak-in-theos">this stack overflow post</a> if you want more detail.</p> <p>You are also going to need a copy of ldid. If you have ports, try there. Brew doesn’t seem to hold a copy (They gave up on it because it fails with clang? Use llvm g++). If those fail check try making it yourself:</p> <pre class="brush:shell">git clone git://git.saurik.com/ldid.git cd ldid git submodule update --init ./make.sh cp -f ./ldid $THEOS/bin/ldid</pre> <p>Make sure you drop it into $THEOS/bin/ldid</p> <pre class="brush:shell">scp ./obj/SampleCrack.dylib root@iphone:/Library/MobileSubstrate/ ssh root@iphone root@iphone's password: iphone:~ root# ldid -S SampleCrack.ldid</pre> <p>Now you’ve got the dependencies, make it</p> <pre class="brush:shell">user@myhost&gt; export SDKVERSION=7.0 user@myhost&gt; make</pre> <p>And you’ve got yourself a nice library</p> <pre class="brush:shell">&gt; file obj/SampleCrack.dylib ~/Documents/Customer/Documents/Elavon/working/samplecrack obj/SampleCrack.dylib: Mach-O universal binary with 2 architectures: [arm_v7: Mach-O arm_v7 dynamically linked shared library] [arm subarchitecture=11: Mach-O arm subarchitecture=11 dynamically linked shared library]</pre> <p> </p> Fri, 25 Oct 2013 00:00:00 -0500 /security/2013/10/25/compiling-ios-libraries-using-theos.html /security/2013/10/25/compiling-ios-libraries-using-theos.html Method patching on iOS applications <h1 id="summary">Summary</h1> <p>These are the steps needed to crack (method patch the jailbreak function) an iOS application to work on a rooted iOS device. This example uses “Sample.app” from within OSX Lion. Mileage may vary.</p> <h1 id="requirements">Requirements</h1> <p>iOS Physical device rooted with cydia and some basic tools:</p> <ul> <li>syslogd - See all console output in /var/log/</li> <li>openssh</li> <li>adv-cmds - Tools like ps, kill, etc</li> <li>GNU debugger - (If GDB is working unexpectedly, install from radare.org)</li> <li>Darwin CC Tools - otool and such</li> </ul> <p>Get the application and install it. This guide is assuming an encrypted IPA (compiled for ARM) distribution.</p> <h2 id="decrypting">Decrypting</h2> <p>In the cases in which the binary is encrypted, you must decrypt. The easiest way to do this is to find a program to do it for you (Google this if you want to skip this step). The surefire (manual) way  to do this is to execute the binary breaking at the end of the decoding stub. This will leave the entire un-ecrypted binary in memory where you can then dump it to disk.</p> <p>Locate application binary within the application folder on the device. e.g.:</p> <figure class="highlight"><pre><code class="language-sh" data-lang="sh">/private/var/mobile/Applications/BC2DA09D-7189-44E8-B190-2EE03BAAAAA8/SampleApp.app/SampleApp</code></pre></figure> <p>Then check application for encryption:</p> <figure class="highlight"><pre><code class="language-shell" data-lang="shell">root# otool <span class="nt">-l</span> SampleApp | <span class="nb">grep</span> <span class="nt">-B5</span> cryptid Load <span class="nb">command </span>11 cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 94208 cryptid 1 <span class="nt">--</span></code></pre></figure> <p>Given <code class="language-plaintext highlighter-rouge">cryptid 1</code> (<code class="language-plaintext highlighter-rouge">0</code> == Not Encrypted). Keep note of the cryptsize, we will use this value later.</p> <p>Verify application is not FAT (That is does not contain multiple versions):</p> <figure class="highlight"><pre><code class="language-sh" data-lang="sh">root# otool <span class="nt">-f</span> SampleApp</code></pre></figure> <p>If the application contains multiple versions, you must use lipo to extract the correct (armv7) version and continue.</p> <p>Given a single encrypted binary:</p> <figure class="highlight"><pre><code class="language-sh" data-lang="sh">root# gdb <span class="nt">--quiet</span> <span class="nt">-e</span> ./SampleApp ... <span class="o">(</span>gdb<span class="o">)</span> <span class="nb">set </span>sharedlibrary load-rules <span class="s2">".*"</span> <span class="s2">".*"</span> none <span class="o">(</span>gdb<span class="o">)</span> <span class="nb">set </span>inferior-auto-start-dyld off <span class="o">(</span>gdb<span class="o">)</span> <span class="nb">set </span>sharedlibrary preload-libraries off <span class="o">(</span>gdb<span class="o">)</span> rb doModInitFunctions Breakpoint 1 at 0x2fe0cece &amp;lt<span class="p">;</span><span class="k">function</span>, no debug info&amp;gt<span class="p">;</span> __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE<span class="p">;</span> <span class="o">(</span>gdb<span class="o">)</span> r Starting program: /private/var/mobile/Applications/BC2DA09D-7189-44E8-B190-2EE03BAAAAA8/SampleApp.app/SampleApp.app/SampleApp Breakpoint 1, 0x2fe0cece <span class="k">in </span>__dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE <span class="o">()</span></code></pre></figure> <p>Dump the binary from memory to disk:</p> <pre class="brush:shell">dump binary memory /var/root/dump 0x2000 0x18000</pre> <p>See <code class="language-plaintext highlighter-rouge">python -c 'print(hex(4096+94208))'</code> from crytpid analysis for the end limit, which is 0x18000 bytes in the example. You will have to substitute your own value in.</p> <p>Then pull the binary off phone and use classdump</p> <pre class="brush:shell">scp root@iphone:/var/root/dump ./SampleApp ./class-dump SampleApp &gt; SampleAppDump</pre> <p>Examine dump for a root checking function (probably returns BOOL or _Bool) with some grep-fu. You will most likely find multiple functions. If the application is more complicated, cycript may help you find it.</p> <h2 id="setup">Setup</h2> <p>You can either follow my other instructions on <a href="http://c0ffee.me/compiling-ios-libraries-using-theos/">compiling iOS libraries using Theos</a> (Reccomended!), or do the following:</p> <ul> <li>Create a Cocoa Touch Static Library XCode Project.</li> <li>Setup dylib compiling for iOS from XCode from the instructions at <a href="http://blog.iosplace.com/?p=33">"Build and use dylib on iOS" by iOS Place</a>. I believe there are other ways to compile outside of XCode, if you have any success there drop a comment.</li> <li>Create private signing certificates if you don't have  a development license by following <a href="http://www.securitylearn.net/2012/12/26/build-ipa-file-using-xcode-without-provisioning-profile/">"Build ipa file using XCode without provisioning profile" by SecurityLearn</a>.</li> </ul> <p>Install MobileSubstrate on the iOS device. You can check if it’s installed by looking for /Library/MobileSubstrate.</p> <h2>Writing</h2> <p>Checkout <a href="https://github.com/rpetrich/CaptainHook">CaptainHook</a> into the project into the project. Mine is called NoCheck saved in ~/Documents/workspace</p> <pre class="brush:shell">user@box&gt; cd ~/Documents/workspace/NoCheck/NoCheck user@box&gt; git clone git://github.com/rpetrich/CaptainHook.git</pre> <p>Write the code itself using the lib. This sample code was referenced from the <a href="http://blog.mdsec.co.uk/2012/05/ios-application-insecurity-whitepaper.html">MDSec iOS doc</a>. Read it if you haven’t.</p> <figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#import "NoCheck.h" #import "Foundation/Foundation.h" #import "CaptainHook/CaptainHook.h" #include</span> <span class="cpf">"notify.h"</span><span class="cp"> </span> <span class="err">@</span><span class="n">implementation</span> <span class="n">NoCheck</span> <span class="o">-</span><span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="n">init</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="n">self</span> <span class="o">=</span> <span class="p">[</span><span class="n">super</span> <span class="n">init</span><span class="p">])){}</span> <span class="k">return</span> <span class="n">self</span><span class="p">;</span> <span class="p">}</span> <span class="err">@</span><span class="n">end</span> <span class="err">@</span><span class="n">class</span> <span class="n">SampleAppViewController</span><span class="p">;</span> <span class="n">CHDeclareClass</span><span class="p">(</span><span class="n">SampleAppViewController</span><span class="p">);</span> <span class="n">CHOptimizedMethod</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">self</span><span class="p">,</span> <span class="kt">_Bool</span><span class="p">,</span> <span class="n">SampleAppViewController</span><span class="p">,</span> <span class="n">isDeviceRooted</span><span class="p">)</span> <span class="p">{</span> <span class="n">NSLog</span><span class="p">(</span><span class="err">@</span><span class="s">"####### isJailBroken hooked"</span><span class="p">);</span> <span class="c1">// Logging saves lives</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="p">}</span> <span class="n">CHConstructor</span> <span class="p">{</span> <span class="err">@</span><span class="n">autoreleasepool</span> <span class="p">{</span> <span class="n">CHLoadLateClass</span><span class="p">(</span><span class="n">SampleAppViewController</span><span class="p">);</span> <span class="n">CHHook</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">SampleAppViewController</span><span class="p">,</span> <span class="n">isDeviceRooted</span><span class="p">);</span> <span class="c1">// register hook</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p> </p> <p>All is needed now compile to dylib by running the application and copying it over. Press the run button to compile. Find it by looking at the left hand bar, mine was located at /Users/user/Library/Developer/Xcode/DerivedData/NoCheck-abheoijxmwkxefbirkgyhsismoxg/Build/Products/Debug-iphoneos</p> <p>Copy the output file to /Library/MobileSubstrate/DynamicLibraries/</p> <pre class="brush:shell">user@box&gt; cd /Users/user/Library/Developer/Xcode/DerivedData/NoCheck-abheoijxmwkxefbirkgyhsismoxg/Build/Products/Debug-iphoneos user@box&gt; scp ./NoCheck.dylib root@iphone:/Library/MobileSubstrate/DynamicLibraries/</pre> <p>Run application and be happy. If you’re not sure it worked tail your syslog output to see if the module is loading (it will do so often) and the NSLog is output.</p> Fri, 19 Apr 2013 00:00:00 -0500 /security/2013/04/19/method-patching-iOS-applications.html /security/2013/04/19/method-patching-iOS-applications.html Pretty Print XML <p>Put this python file in your path to get the following:</p> <p><img src="/assets/media/pxml.png" alt="pretty printed xml" /></p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python </span> <span class="sh">"""</span><span class="s"> Command-line tool to validate and pretty-print XML. Based on `pjson` but without the crap. Usage:: $ echo </span><span class="sh">'</span><span class="s">&amp;lt;bunk atr=</span><span class="sh">"</span><span class="s">hello</span><span class="sh">"</span><span class="s">&amp;gt;world&amp;lt;/bunk&amp;gt;</span><span class="sh">'</span><span class="s"> | pxml &amp;lt;?xml version=</span><span class="sh">"</span><span class="s">1.0</span><span class="sh">"</span><span class="s"> ?&amp;gt; &amp;lt;bunk atr=</span><span class="sh">"</span><span class="s">hello</span><span class="sh">"</span><span class="s">&amp;gt; world &amp;lt;/bunk&amp;gt; Original Author: Igor Guerrero &amp;lt;igfgt1@gmail.com&amp;gt;, 2012 Contributor: Matthew Gill, 2012 </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">xml.dom.minidom</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">pygments</span> <span class="kn">import</span> <span class="n">highlight</span> <span class="kn">from</span> <span class="n">pygments.formatters</span> <span class="kn">import</span> <span class="n">TerminalFormatter</span> <span class="kn">from</span> <span class="n">pygments.lexers</span> <span class="kn">import</span> <span class="n">XmlLexer</span> <span class="k">def</span> <span class="nf">format_xml_code</span><span class="p">(</span><span class="n">code</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Parses XML and formats it </span><span class="sh">"""</span> <span class="n">x</span> <span class="o">=</span> <span class="n">xml</span><span class="p">.</span><span class="n">dom</span><span class="p">.</span><span class="n">minidom</span><span class="p">.</span><span class="nf">parseString</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="k">return</span> <span class="n">x</span><span class="p">.</span><span class="nf">toprettyxml</span><span class="p">()</span> <span class="k">def</span> <span class="nf">color_yo_shit</span><span class="p">(</span><span class="n">code</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Calls pygments.highlight to color yo shit </span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">highlight</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="nc">XmlLexer</span><span class="p">(),</span> <span class="nc">TerminalFormatter</span><span class="p">())</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">code</span> <span class="o">=</span> <span class="nf">format_xml_code</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stdin</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="k">print</span> <span class="nf">color_yo_shit</span><span class="p">(</span><span class="n">code</span><span class="p">)</span></code></pre></figure> <p>The original can be found <a href="https://github.com/igorgue/pjson">here (https://github.com/igorgue/pjson)</a></p> Tue, 11 Dec 2012 00:00:00 -0600 /code/2012/12/11/pretty-print-xml.html /code/2012/12/11/pretty-print-xml.html Derbycon 2012 CTF - Crypto Challenge <p>This was one of my favorite challenges at this year’s CTF. Thanks to the guys who put it on, it was a load of fun and I appreciate all the hard work I know that goes into this sort of thing.</p> <h1 id="the-challenge">The Challenge</h1> <p>Posted on one of the websites was the file <a href="/assets/files/fu2.zip">fu2.zip</a> contained the following files:</p> <figure class="highlight"><pre><code class="language-shell" data-lang="shell">zoidberg% unzip fu2.zip <span class="nt">-d</span> ./fu2 zoidberg% <span class="nb">cd </span>fu2 zoidberg% file ./<span class="k">*</span> ./BouncyCastle.Crypto.dll: PE32 executable <span class="k">for </span>MS Windows <span class="o">(</span>DLL<span class="o">)</span> <span class="o">(</span>console<span class="o">)</span> Intel 80386 32-bit Mono/.Net assembly ./FileEncryptor.exe: PE32 executable <span class="k">for </span>MS Windows <span class="o">(</span>console<span class="o">)</span> Intel 80386 32-bit Mono/.Net assembly ./plain1_encrypted: data ./plain2: ASCII text, with no line terminators ./plain2_encrypted: data zoidberg% <span class="nb">ls</span> <span class="nt">-al</span> ./plain<span class="k">*</span> <span class="nt">-rw-r--r--</span> 1 mgill staff 128 Sep 24 13:14 ./plain1_encrypted <span class="nt">-rw-r--r--</span> 1 mgill staff 112 Sep 17 06:18 ./plain2 <span class="nt">-rw-r--r--</span> 1 mgill staff 128 Sep 24 13:14 ./plain2_encrypted</code></pre></figure> <p>With the following contents of plain2:</p> <figure class="highlight"><pre><code class="language-shell" data-lang="shell">zoidberg% <span class="nb">cat </span>plain2 KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57KC57</code></pre></figure> <p>There are a few clues here if you just go off file names and file sizes, but let’s take the easy route and simply decompile the .NET binary. A quick google search on the md5sum of the BouncyCastle lib tells us it’s unlikely it has been modified so we only want to see what FileEncryptor.exe does. My favorite .net decompiler is <a href="http://www.jetbrains.com/decompiler/">dotPeek</a>, and lucky us .net allows for some awesome code generation.</p> <p><img src="/assets/media/decompiled.png" alt="The view in dotpeek" /></p> <p>After looking through the code we get a better idea on what is going on. We pass in a password, a plain text file, and a output file. The program then encrypts the plain text file with the password, to produce the output. Here are the interesting functions:</p> <figure class="highlight"><pre><code class="language-csharp" data-lang="csharp"><span class="k">public</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">EncryptFile</span><span class="p">(</span><span class="kt">string</span> <span class="n">password</span><span class="p">,</span> <span class="kt">string</span> <span class="n">inFile</span><span class="p">,</span> <span class="kt">string</span> <span class="n">outFile</span><span class="p">)</span> <span class="p">{</span> <span class="kt">string</span> <span class="n">salt</span> <span class="p">=</span> <span class="s">"s@1tValue"</span><span class="p">;</span> <span class="kt">string</span> <span class="n">s</span> <span class="p">=</span> <span class="s">"1234567890123456"</span><span class="p">;</span> <span class="kt">int</span> <span class="n">keySize</span> <span class="p">=</span> <span class="m">128</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">plain</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">readBytesFromFile</span><span class="p">(</span><span class="n">inFile</span><span class="p">);</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">bytes1</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">key</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">GenerateKey</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">salt</span><span class="p">,</span> <span class="n">keySize</span><span class="p">);</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">bytes2</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">Encrypt</span><span class="p">(</span><span class="n">plain</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">bytes1</span><span class="p">);</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">writeBytesToFile</span><span class="p">(</span><span class="n">outFile</span><span class="p">,</span> <span class="n">bytes2</span><span class="p">);</span> <span class="p">}</span></code></pre></figure> <figure class="highlight"><pre><code class="language-csharp" data-lang="csharp"><span class="k">public</span> <span class="k">static</span> <span class="kt">byte</span><span class="p">[]</span> <span class="nf">Encrypt</span><span class="p">(</span><span class="kt">byte</span><span class="p">[]</span> <span class="n">plain</span><span class="p">,</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">key</span><span class="p">,</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">iv</span><span class="p">)</span> <span class="p">{</span> <span class="n">PaddedBufferedBlockCipher</span> <span class="n">cipher</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">PaddedBufferedBlockCipher</span><span class="p">((</span><span class="n">IBlockCipher</span><span class="p">)</span><span class="k">new</span> <span class="nf">OfbBlockCipher</span><span class="p">((</span><span class="n">IBlockCipher</span><span class="p">)</span><span class="k">new</span> <span class="nf">AesEngine</span><span class="p">(),</span> <span class="m">128</span><span class="p">));</span> <span class="n">ICipherParameters</span> <span class="n">parameters</span> <span class="p">=</span> <span class="p">(</span><span class="n">ICipherParameters</span><span class="p">)</span><span class="k">new</span> <span class="nf">ParametersWithIV</span><span class="p">((</span><span class="n">ICipherParameters</span><span class="p">)</span><span class="k">new</span> <span class="nf">KeyParameter</span><span class="p">(</span><span class="n">key</span><span class="p">),</span> <span class="n">iv</span><span class="p">);</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">Init</span><span class="p">(</span><span class="k">true</span><span class="p">,</span> <span class="n">parameters</span><span class="p">);</span> <span class="k">return</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">cipherData</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">plain</span><span class="p">);</span> <span class="p">}</span></code></pre></figure> <p>Now we have all the key pieces of information. Our plain2 file, which is 112 bytes of repeating characters (‘KC57’*28) produces plain2_encrypted, at 128 bytes. We have plain1_encrypted, but no plain1. A brute force attack here seems a bit inelegant not to mention being the ballers we are we don’t have time for that shit.</p> <p>Notice that the password is seeded with a salt and the IV is static. Generally speaking the IV should be a noonce value to stop different types of attacks against block encryptions. Static IV’s are bad. The Encrypt() function above shows that we’re using the <a href="http://www.cs.berkeley.edu/~jonah/bc/org/bouncycastle/crypto/modes/OFBBlockCipher.html">OfbBlockCipher</a> or <a href="https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29">Output-FeedBack</a>. OFB is a <a href="https://en.wikipedia.org/wiki/Stream_cipher">stream cipher</a> which generally means the keystream is xor’d with the plaintext value to produce the output. Really what we’re interested in is <a href="http://crypto.stackexchange.com/a/2534">attacks against OFB</a>, especially when the programmer makes the mistake of using a static IV.</p> <p>All the stars align. We have a static IV making the keystreams identical for each encryption and a plaintext and encrypted value pair. This means we can decrypt the plain1_encrypted file without ever needing to know the key!  Simply compute the value of the keystream by xoring the plain2 against the encrypted plain2_encrypted, and apply that keystream to the plain1_encrypted. Voila! Here is a bit of python code to get the job done</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="n">itertools</span> <span class="c1">#take in the plain1 encrypted file and convert to ints </span><span class="n">p1e</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">plain1_encrypted</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">).</span><span class="nf">read</span><span class="p">()</span> <span class="n">p1e_ord</span> <span class="o">=</span> <span class="nf">map</span><span class="p">(</span><span class="nb">ord</span><span class="p">,</span> <span class="n">p1e</span><span class="p">)</span> <span class="c1">#take in the plain2 encrypted file and convert to ints </span><span class="n">p2e</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">plain2_encrypted</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">).</span><span class="nf">read</span><span class="p">()</span> <span class="n">p2e_ord</span> <span class="o">=</span> <span class="nf">map</span><span class="p">(</span><span class="nb">ord</span><span class="p">,</span> <span class="n">p2e</span><span class="p">)</span> <span class="c1">#take in the plain2 file and convert to ints </span><span class="n">p2</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">plain2</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">).</span><span class="nf">read</span><span class="p">()</span> <span class="n">p2_ord</span> <span class="o">=</span> <span class="nf">map</span><span class="p">(</span><span class="nb">ord</span><span class="p">,</span> <span class="n">p2</span><span class="p">)</span> <span class="n">keystream</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span><span class="n">y</span> <span class="ow">in</span> <span class="n">itertools</span><span class="p">.</span><span class="nf">izip_longest</span><span class="p">(</span><span class="n">p2_ord</span><span class="p">,</span> <span class="n">p2e_ord</span><span class="p">,</span> <span class="n">fillvalue</span><span class="o">=</span><span class="mi">0</span><span class="p">):</span> <span class="n">keystream</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">x</span><span class="o">^</span><span class="n">y</span><span class="p">)</span> <span class="n">final</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span><span class="n">y</span> <span class="ow">in</span> <span class="nf">zip</span><span class="p">(</span><span class="n">p1e_ord</span><span class="p">,</span> <span class="n">keystream</span><span class="p">):</span> <span class="n">final</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">chr</span><span class="p">(</span><span class="n">x</span><span class="o">^</span><span class="n">y</span><span class="p">))</span> <span class="k">print</span> <span class="sh">''</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">final</span><span class="p">)</span></code></pre></figure> <p>And if you run it…</p> <figure class="highlight"><pre><code class="language-shell" data-lang="shell">zoidberg% python decrypt.py <span class="nv">KC57KC57KC57KC57FLAG</span><span class="o">=</span>DecryptTheFlagToGetTheKeyLolKC57KC57KC?KC57KC57KC57KC57KC57</code></pre></figure> <p>Success, the flag has been disclosed! While this is a workable solution, I’m not exactly sure how the bytes are properly padded (instead of using 0 in my case) nor am I sure why there are unprintable characters in the decoded stream. You can see them by directly printing the repr of the finalResult object. But it works and the flag is decoded. If you have any input please throw it my way, it would be nice to know if there is any way to improve on it all.</p> <p>Thanks!</p> <p>tl;dr static iv’s are bad and break your crypto</p> Wed, 17 Oct 2012 00:00:00 -0500 /security/2012/10/17/derbycon.html /security/2012/10/17/derbycon.html