Bill Blough

Information Security | Software Development | System Administration

NSA Codebreaker Challenge 2015: Task 2

This is a continuation of my previous post on the NSA Codebreaker Challenge 2015, and covers the second task in the challenge.

Task 2

Through SIGINT we have collected a new message file - this one appears to
have been sent to a field operative in the terrorist organization that is
of particular interest. A key file for this individual was collected
previously and should still be valid. We believe that this message may
contain actionable intelligence, so please report back with the message
contents as soon as possible. This task will require you to figure out how
to bypass the access controls built into the program that limit which
recipient can decode each message.

A quick run of the program shows what we’re up against –

user@host:~/nsa_codebreaker_2015/task_2$ ./secret-messenger --reveal --action tier2_msg.txt --symbol tier2_key.pem
Invalid (failed check 4)

NSA Codebreaker Challenge 2015: Background and Task 1

Last year, the National Security Agency held a reverse engineering competition for students. It ran from September 1st to December 31st, and consisted of four tasks. The results page lists the participating schools and students, along with tasks completed, rankings, and times. I represented Florida State University and was able to complete all four tasks in just under 53 hours.

Background Story

NSA has discovered that the leadership of a terrorist organization is using
a new method of communicating secret messages to its operatives in the
field. Intelligence suggests that each member of the organization is
provided a program that can be used to read the messages, and that a
customized cryptographic implementation is used to generate a
public/private key pair, which is then used to authenticate messages from
leadership to each member. 

A copy of the program belonging to a high-ranking operative has been
recovered, along with that individual's key and a text file believed to
contain a hidden message. At first glance, the program appears to simply
check stock information, but this is likely a ruse to make it appear
innocuous. Your mission is to reverse-engineer this software and develop
capabilities to exploit the secret messaging component. There are 4
different tasks for you to complete, with each increasing in difficulty and
building off the previous task(s).

SANS Holiday Hack Challenge 2015 Writeup

Background

In the 2015 SANS Holiday Hack Challenge the goal was to determine the true purpose of the “Gnome In Your Home” product, as well as “Who” was behind its development and the details of their dastardly plot. This is a writeup of my findings and how I arrived at them.

Part 1 - The packet capture

The provided pcap file contained a snapshot of the Gnome’s traffic. Inspecting this in Wireshark made it apparent that there was covert communication traffic masquerading as DNS traffic.

CVE-2014-6440: Heap Overflow in VLC Transcode Module

Executive Summary

VLC versions before 2.1.5 contain a vulnerability in the transcode module that may allow a corrupted stream to overflow buffers on the heap. With a non-malicious input, this could lead to heap corruption and a crash. However, under the right circumstances, a malicious attacker could potentially use this vulnerability to hijack program execution, and on some platforms, execute arbitrary code.

Methodology

This vulnerability was found by fuzzing using CERT’s Basic Fuzzing Framework (BFF) and a sample file from mplayerhq. Testing was initially performed on Debian Sid (x86) using VLC 2.1.2-2+b3 from Debian, and later on Windows XP 32-bit using VLC 2.1.3 from upstream.

After some time, BFF produced a fuzzed file that caused the following crash:

*** Error in `/usr/bin/vlc': free(): corrupted unsorted chunks: 0xb384fd68 ***
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x75e52)[0xb756be52]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x76b90)[0xb756cb90]
/usr/lib/libvlccore.so.7(+0x7df4b)[0xb7481f4b]
/usr/lib/vlc/plugins/audio_filter/libmpgatofixed32_plugin.so(+0xb5a)[0xb3466b5a]
/usr/lib/libvlccore.so.7(aout_FiltersPlay+0x131)[0xb7477021]
/usr/lib/vlc/plugins/stream_out/libstream_out_transcode_plugin.so(+0x579a)[0xb47a979a]
/usr/lib/vlc/plugins/stream_out/libstream_out_transcode_plugin.so(+0x20f8)[0xb47a60f8]
/usr/lib/libvlccore.so.7(+0xa3ce1)[0xb74a7ce1]
/usr/lib/libvlccore.so.7(+0x3a0bf)[0xb743e0bf]
/lib/i386-linux-gnu/i686/cmov/libpthread.so.0(+0x6cf1)[0xb76b2cf1]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(clone+0x5e)[0xb75e5c3e]

Testing under valgrind showed multiple invalid writes past the end of allocated heap chunks (a heap overflow), and stepping through the execution in gdb confirmed that this was not a false positive. The "corrupted unsorted chunks" abort above is the visible symptom: glibc's malloc only notices the damage later, when the overwritten chunk metadata is inspected during free().
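The class of bug described above (a stream-supplied length driving writes into a heap buffer that was sized earlier, so that a corrupted stream walks off the end of the chunk) is easy to reproduce in miniature. The following is an added, constructed illustration and is not VLC's code; the frame format (one count byte followed by 16-bit little-endian samples) and the function names are hypothetical. The vulnerable decoder trusts the count in the frame header, exactly the kind of write valgrind reports as "Invalid write of size 2" past the end of a block, and the hardened version checks the header against both the allocation and the actual payload length before touching the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: output buffer holds room for this many samples. */
#define OUT_SAMPLES 4

/* Hypothetical frame layout: frame[0] = sample count, then 2 bytes per
 * sample, little-endian. Nothing here is VLC's real bitstream. */

/* Vulnerable decoder: the sample count comes straight from the (attacker
 * controlled) frame header and is never compared with the size of the heap
 * buffer the caller allocated. A frame claiming more samples than OUT_SAMPLES
 * writes past the end of the chunk and corrupts the next chunk's metadata. */
static int decode_frame_vulnerable(int16_t *out, size_t out_samples,
                                   const uint8_t *frame, size_t frame_len)
{
    (void)out_samples;                       /* ignored: that is the bug */
    if (frame_len < 1)
        return -1;
    size_t n = frame[0];
    for (size_t i = 0; i < n && 2 + 2 * i < frame_len; i++)
        out[i] = (int16_t)(frame[1 + 2 * i] | (frame[2 + 2 * i] << 8));
    return (int)n;
}

/* Hardened decoder: reject the frame if the header claims more samples than
 * the destination holds, or more than the payload actually carries. Refusing
 * the frame is safer than silently truncating, which would hide corruption. */
static int decode_frame_checked(int16_t *out, size_t out_samples,
                                const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 1)
        return -1;
    size_t n = frame[0];
    if (n > out_samples)                     /* would overflow the heap chunk */
        return -1;
    if (frame_len < 1 + 2 * n)               /* header lies about the payload */
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (int16_t)(frame[1 + 2 * i] | (frame[2 + 2 * i] << 8));
    return (int)n;
}

/* Constructed hostile frame: claims 8 samples for a 4-sample buffer. */
static const uint8_t hostile_frame[1 + 2 * 8] = {
    8, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
       0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

/* Constructed benign frame: 4 samples = 1, -1, 0x1234, -32768. */
static const uint8_t benign_frame[1 + 2 * 4] = {
    4, 0x01, 0x00, 0xFF, 0xFF, 0x34, 0x12, 0x00, 0x80 };

/* Returns 1 if the hardened decoder refuses the oversized frame. */
int hostile_frame_rejected(void)
{
    int16_t *out = malloc(OUT_SAMPLES * sizeof *out);
    if (!out)
        return 0;
    int rc = decode_frame_checked(out, OUT_SAMPLES, hostile_frame,
                                  sizeof hostile_frame);
    free(out);
    return rc == -1;
}

/* Returns the sample count decoded from the benign frame (4), or -1 if the
 * decoded values are wrong. */
int benign_frame_decoded(void)
{
    int16_t *out = malloc(OUT_SAMPLES * sizeof *out);
    if (!out)
        return -1;
    int rc = decode_frame_checked(out, OUT_SAMPLES, benign_frame,
                                  sizeof benign_frame);
    int ok = rc == 4 && out[0] == 1 && out[1] == -1 &&
             out[2] == 0x1234 && out[3] == -32768;
    free(out);
    return ok ? rc : -1;
}

int main(int argc, char **argv)
{
    printf("hardened decoder rejects hostile frame: %d\n",
           hostile_frame_rejected());
    printf("hardened decoder decodes benign frame: %d samples\n",
           benign_frame_decoded());
    if (argc > 1 && strcmp(argv[1], "overflow") == 0) {
        /* Run under valgrind or -fsanitize=address to see the heap overflow:
         * 8 samples (16 bytes) are written into an 8-byte chunk. */
        int16_t *out = malloc(OUT_SAMPLES * sizeof *out);
        decode_frame_vulnerable(out, OUT_SAMPLES, hostile_frame,
                                sizeof hostile_frame);
        free(out);                 /* glibc may abort here, as in the backtrace */
    }
    return 0;
}
```

Running `./a.out overflow` under valgrind shows the invalid writes at the moment they happen, inside decode_frame_vulnerable, whereas a plain run only fails (if at all) later in free(), which is why the crash site in a backtrace like the one above is in libc rather than in the module that actually overflowed.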

Root Cause