Monday, 16 November 2015

Vulnerability in OJs

23rd of May, 2015 00:50

That day :')
I already had a piece of code, written a week earlier, that could read files on ideone using system calls. But the problem was that I didn't have sufficient permission to read every file *I was not the root user*. The new idea was to call my own process continuously so that I could make the system run out of its resources. And it would definitely work, because I had enough permission to execute the binary of my own parent process.

I was testing only on ideone at that time; using a system call to get shell access was a very clever idea, but I was not the root user, so I was restricted in the commands I could execute. My idea of executing my own process continuously had some hurdles of its own.

Q: What is the location of the compiled code binary?
Well, it was really difficult to answer this at that time, because I had no idea what the name of the file was, and the output screen buffer was limited, so I couldn't really use a search option. What next? I had only two ways: 1) Brute force 2) Guess. I started making some guesses. I was really lucky that time; I got the correct path after just a few guesses.

Q: How did I confirm that the path is correct?

Okay, the very first thing I checked was the file creation time, but that doesn't prove anything at all; I needed strong evidence to prove my statement correct. Next? I edited my code and declared a static global int variable with the value 0xDEADCAFE. Great! Now I went back to that directory and tried to search for these four bytes in the compiled binary. Awesome! It said one match found.

My final code to execute own process continuously on the server.

The code was working perfectly on ideone and codechef, so I immediately sent an email to their security team. The clock was striking 04:00 and I was really excited to test my code on other OJs like Hackerrank, Codeforces and HackerEarth.

I started doing the same thing with the Hackerrank website. But no luck this time. They have things working in a very beautiful way!

Take a look at this directory:
We have everything here: input file, output file and compiled binary. Can we read the input files? Yes!! But no use :/ we have no screen buffer to write test cases to at the time of submission. Now what? Sleep :p

After enough sleep I went back to work. Here's the explanation of the problem.
We have access to test cases, right? But these are the test files on which the current code is being processed, so it means no hidden test cases are listed in this directory.

Q: Is there any possibility that on submission, this directory will have the hidden test files too?
Umm, maybe; let's try. I just modified my C code so that it creates a runtime error if there are more input*****.in files in the directory.
Result? Runtime Error :D (First time in my life when I was happy with a runtime error :p)

Q: Can I get a buffer to transfer data from a runtime submission to the website screen?
I can't; submissions have no output window.

Q: Any workaround?
Meanwhile I was playing a bit with commands, and guess what? I was able to create directories in some corner of the server. Great! But once I created a file I couldn't read it from another process :/ So no use? Nah!
Finally, the exploit: I will create files and folders with the same names as the test cases!!!

Proof Of Concept

I reported it as soon as I finished making the proof of concept video. Thanks to Manraj sir for the contact details :D
I was feeling lazy to test other OJs, so I planned to wait for the replies to these two mails and exploit other websites later. (HackerEarth was vulnerable, while CodeForces was not)
Bad decision! The next time I went to HackerEarth it was already patched! God knows how.
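
The leak described above depends on hidden test files sitting in the submission's run directory and on the submission being able to write somewhere that outlives the run. As an added example (not the author's code and not any judge's own tooling), an operator-side audit for those two conditions; the `input*.in` glob, the file names and the assumption that the submission runs under the "other" permission class are constructed for illustration.

```python
import fnmatch
import os
import stat
import tempfile


def audit_sandbox(run_dir, sample_cases, test_glob="input*.in"):
    """Return sorted (finding, path) pairs for a judge run directory.

    Assumption: the submission runs as a user that is neither owner nor
    group of these files, so the "other" permission bits apply to it.
    """
    findings = []
    for root, _dirs, files in os.walk(run_dir):
        # A directory the submission can write into lets a run leave
        # file or folder names behind as a covert output channel.
        if os.stat(root).st_mode & stat.S_IWOTH:
            findings.append(("writable-dir", root))
        for name in files:
            if not fnmatch.fnmatch(name, test_glob) or name in sample_cases:
                continue
            path = os.path.join(root, name)
            # Presence alone leaks: the post's runtime-error probe only
            # needed to count the input files in the directory.
            findings.append(("hidden-case-present", path))
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append(("hidden-case-readable", path))
    return sorted(findings)


def build_sample(base):
    """Constructed run directory: one sample case, two hidden ones."""
    run = os.path.join(base, "run")
    os.mkdir(run)
    layout = {"input00.in": 0o644, "input01.in": 0o644,
              "input02.in": 0o600, "solution": 0o755}
    for name, mode in layout.items():
        path = os.path.join(run, name)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    os.chmod(run, 0o777)  # weak setting under test
    return run


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for finding, path in audit_sandbox(build_sample(base), {"input00.in"}):
            print(f"{finding:22} {os.path.relpath(path, base)}")
```

A clean result needs both an empty findings list for hidden cases (they are staged outside the run directory) and no directory the submission user can write to.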

Tuesday, 10 November 2015

First Post

As the title suggests, this is my first blog post. I don't know where I should start, but I am going to share every experience of my life with the reader. And I will be happy to hear back. Before you move on to reading my blog, one thing I state clearly is that my English is not good, so please ignore errors. Thanks :D !

I am Aman Priyadarshi, a computer enthusiast who loves to write software and hunt bugs. That's all!

Let's start from the beginning... It was Jan 11, 2007 when I booted up a computer for the first time. Windows XP, dual core; the latest at that time. The moving cursor excited me, and so did the way the computer was doing so many things at one time. At that time I played a lot with mspaint. Guess what? I started photo editing with mspaint. Sounds unbelievable? Photo editing with mspaint!! I was only in 6th standard, what more can you expect? So photo editing (:p) meant changing each pixel's color manually to its background pixel color!! My first bad experience with a computer was when I accidentally moved all the Excel sheets (which were on the desktop) to the Recycle Bin, and I was afraid to tell this to my father. (I thought that I had deleted all the files.) Later on, papa told me about the Recycle Bin (:p)
Okay, fast forward a bit. The first time I logged on to the Internet was back in 2009; another exciting thing!! I used to search for games, online/offline, multiplayer/AI etc. The first 3D game I played was "Spiderman". But slowly my mind started diverging from games, and I started searching for "How to make softwares" (I was not good at googling at that time :p). I followed a series of tutorials and articles to get some concepts, and I started my journey with VB.NET and made a few (crappy xD) pieces of software. This is how I started in the development field.

Hacking is something that sounds very interesting to anyone, but being good at it is also difficult. While googling tutorials, I used to search for "Notepad virus", "batch virus", "hacking facebook account" (crap xD) tutorials too! Following those tutorials was fun xD
A hacker is someone who really knows the workings of a computer in depth. But I continued searching for some hacking keywords and hackers' blogs. Guess what? I failed a lot of times to understand some basic concepts until I took this seriously, leaving behind my development, because I was failing at that too!
At last I succeeded in understanding the working concepts.

Things took a long nap due to board exams, followed by JEE preparation... But I was still continuing development (only). I continued my hacking profile only after getting into college; basically after the hacking workshop (by IEEE-NSIT :p), which motivated me to explore this field again. This is basically how I continued my hacking profile, and I am really enjoying this now! Thanks for that motivation :D !

Coder? Yeah, I started sport programming too after getting into college; October 2014, I guess, was the first time I solved any competitive programming question. And in nearly one year I explored this field a lot. These ACs, TLEs and WAs are something that keep a coder busy solving problems. But guess what? I am not continuing this profile anymore; I failed more than I succeeded... leave it. :)

I will keep updating this blog with some of my experiences and development diaries :D !

I didn't mention anything about "Atom OS" development in this, because it is a different story :p