Monday, 16 November 2015

Vulnerability in OJs

23rd of May, 2015 00:50

That day :')
I already had a piece of code, written a week earlier, that was capable of reading files on ideone through system calls. But the problem was that I didn't have sufficient permission to read every file (I was not the root user). The new idea was to call my own process continuously so that the system would run out of resources. And it would definitely work, because I had enough permission to execute the binary of my own parent process.

I was testing on ideone only at that time; using a system call to get shell access was a very clever idea, but I was not the root user, so I had restrictions on the commands I could execute. My idea of continuously executing my own process had some hurdles of its own.

Q: What is the location of the compiled code binary?
Well, it was really difficult to answer that at the time, because I had no idea what the name of the file was, and I had limitations on the output screen buffer, so I couldn't really use the search option. What next? I had only two ways: 1) brute force, 2) guess. I started making some guesses. I was really lucky that time; I got the correct path with just a few guesses.

Q: How did I confirm that the path was correct?

Okay, the very first thing I checked was the file creation time, but that doesn't prove anything at all; I needed strong evidence to prove my statement correct. Next? I edited my code and declared a static global int variable with the value 0xDEADCAFE. Great! Now I went back to that directory and searched for these four bytes in the compiled binary. Awesome! It said one match found.

My final code to execute my own process continuously on the server:

The code was working perfectly on ideone and CodeChef, so I immediately emailed their security teams. The clock was striking 04:00 and I was really excited to test my code on other OJs like HackerRank, Codeforces and HackerEarth.

I started doing the same thing with the HackerRank website. But no luck this time. They have things working in a very beautiful way!

Take a look at this directory:
We have everything here: input file, output file and compiled binary. Can we read the input files? Yes!! But no use :/ we have no screen buffer to write test cases to at submission time. Now what? Sleep :p

After enough sleep I went back to work. Here's the explanation of the problem.
We have access to the test cases, right? But these are the test files on which the current code is being processed, so it means no hidden test cases are listed in this directory.

Q: Is there any possibility that on submission it will have the hidden test files in this directory too?
Umm, maybe; let's try. I modified my C code so that it creates a runtime error if there are more input*****.in files in the directory.
Result? Runtime Error :D (The first time in my life I was happy with a runtime error :p)

Q: Can I get a buffer to transfer data from the runtime submission to the website screen?
I can't; submissions have no output window.

Q: Any workaround?
Meanwhile I was playing a bit with commands, and guess what? I was able to create directories in some corner of the server. Great! But once I created the file I couldn't read it from another process :/ So no use? Nah!
Finally, the exploit: I will create files and folders with the same names as the test cases!!!
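The trick above only works because the submission's working directory holds the judge's own test files and the sandbox lets the binary re-execute itself. As an added example that is not the post's code and not any of these judges' real infrastructure, here is a minimal Python judge runner that closes both gaps: every test runs in a fresh empty directory, the input is delivered on stdin only, and rlimits cap CPU time, output size and process count. The binary paths, limit values and verdict names are assumptions.

```python
import os
import resource
import subprocess
import tempfile

# Assumed per-test limits (hypothetical values, not any judge's real config).
CPU_SECONDS = 2             # hard CPU budget for the submission
MAX_OUTPUT_BYTES = 1 << 20  # largest file/stdout the submission may write
MAX_PROCESSES = 1           # the submission itself; fork()/re-exec will fail

def _cap(res, value):
    """Set soft and hard limit to `value`, never above the inherited hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _apply_limits():
    """Runs in the child between fork() and exec(); the limits survive exec()."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_FSIZE, MAX_OUTPUT_BYTES)
    _cap(resource.RLIMIT_NPROC, MAX_PROCESSES)

def run_test(cmd, test_input, expected_output, timeout=5):
    """Run one test case in a fresh, empty directory, feeding input on stdin
    only, so no input*.in files (current or hidden) exist where the submission
    could read them or collide with their names.
    Returns (verdict, visible_before, left_behind)."""
    with tempfile.TemporaryDirectory() as sandbox:
        visible_before = sorted(os.listdir(sandbox))  # always [] by construction
        try:
            proc = subprocess.run(
                cmd, input=test_input.encode(), cwd=sandbox,
                capture_output=True, timeout=timeout,
                preexec_fn=_apply_limits)
        except subprocess.TimeoutExpired:
            return "TLE", visible_before, sorted(os.listdir(sandbox))
        left_behind = sorted(os.listdir(sandbox))  # anything the submission dropped
        if proc.returncode != 0:
            return "RE", visible_before, left_behind
        if proc.stdout.decode(errors="replace").strip() != expected_output.strip():
            return "WA", visible_before, left_behind
        return "AC", visible_before, left_behind

if __name__ == "__main__":
    # `ls` inside the sandbox prints nothing: the submission sees no test files.
    print(run_test(["/bin/ls"], "", ""))
    print(run_test(["/bin/cat"], "3 4\n", "3 4"))
```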

Proof Of Concept

I reported it as soon as I completed the proof-of-concept video. Thanks to Manraj sir for the contact details :D
I was feeling lazy about testing other OJs, so I planned to wait for the replies to these two mails and exploit the other websites later. (HackerEarth was vulnerable, while Codeforces was not.)
Bad decision! The next time I went to HackerEarth it was already patched! God knows how.