This year, I had the honour to write some challenges for the BSidesTLV conference :^)
I wrote two challenges: ‘Rainy Redis’(Pwn) and ‘Speed Trivia’(Web), below is the intended solution / takeaways.
TL;DR: I wanted to create a fun pwn challenge that can be solved in a reasonable timeframe for a CTF competition, but also involves abusing interpreters, corrupting structures & has real-life impact[0]. So I forked a Redis server and added a new method for Lua(called
string.paste()
), which gives the CTF player arbitrary write-what-where primitive on the heap. From there, the player should craft a payload written in Lua in order to corrupt the heap in a way that allows to leak the flag from memory.
Category: Pwn
The task:
- The relevant sources/dockerfile were provided (for testing/writing exploits locally). here
- A Redis server, configured with ACL Rules (allows EVAL only)
- A (slightly) modified version of a Lua interpreter
Lua and Redis
Every Redis server is shipped with a tiny Lua interpreter, containing some basic modules:
This Lua interpreter in Redis allows to perform database transactions.
Because the usage of lua is intended only for redis-related operations(GET
/SET
/etc.): basic lua methods like os.execute()
are not permitted. In fact, Redis made sure to sandbox the Lua environment in a way that older methods to abuse Lua(such as abusing lua bytecode with load
[1]) simply would not work.
This leaves the attacker with one option: Finding vulns in the underlying implementation of Lua(written in C). Examples for older articles about the subject:
- Abusing
loadstring
: Redis EVAL Lua Sandbox Escape - Vulnerabillities in the
cmsgpack
Lua library: Redis Lua scripting: several security vulnerabilities fixed
Challenge Analysis
In the zip file that was provided, there is a Dockerfile which:
- Fetches the sources of a redis server
- Patches the code (with two
.patch
files which we will review soon) - Running
make
to compile the redis server - Launches the redis server with an ACL rule that allows only executing EVAL commands and nothing else.
As expected from a CTF chall, the vulnerabillity was inserted using the .patch
files.
Below is a description of the changes that were made to the Redis server:
p1_lua.diff
A new method was added to the string
Lua library, called string.paste
:
As can be seen above, there is mo boudary check before the memcpy
→ which gives us a write-what-where primitive whenever we’re using the string.paste
lua method. Moreover, the descriptive error message of the function gives us a big hint on how to place our arguments when crafting the final payload (“string.paste expects 4 arguments(str1, str2, len_to_paste, skip)”).
p2_scripting_init.diff
In this patch, we added some a hard-coded Lua script that will run during the redis server startup. This loop will run 1000 times and concat the flag’s content with itself. The purpose of this is to trigger memory allocations, ‘spray’ the heap and create copies of the flag in memory.
This also gives the CTF player another hint about the goal: you don’t really have to pop a shell(although that’d be awesome), what you want to aim for is a memory leak.
Let’s pwn
Possible Solutions
Lua’s string.paste
could be abused to fetch the flag in number of ways:
- You can do some heap feng shui (based on size of chunks & calculating offsets, example)
- You can corrupt a Lua-specific type/struct in order to elevate your write primitive into a read primitive & extract the flag from memory.
- Lastly, you can also pop a shell and extract
/proc/self/mem
In this post, we will focus on the 2nd approach. Mainly since the writeup is intended to be beginner-friendly. Also, the 3rd approach will not fit in a single blog-post anyway(last time I tried it with a different interpreter, it costed me 7 long chapters and some sleepless nights).
The TString
struct
Since the redis’ Lua interpreter was modified in the string
module, it’s worth to do some quick research and peek on how strings are represented in Lua.
Below is the TString
structure layout:
Right after the len
property: the string begins. It is used as a prefix to understand the length of the string.
Visually, the following Lua variable:
Will be represented in memory like that:
+-------------------+---------------+----------+---------------+-----------+--------------------------+
size | | 8 bytes | 12 bytes |
+-------------------+---------------+----------+---------------+-----------+--------------------------+
| | | | | | |
description | ...heap data... | CoommonHeader | lu_byte | unsigned int | size_t | ...the string itself |
| | fields | reserved | hash | len | |
+--------------------------------------------------------------+-----------+--------------------------+
value | random stuff | <not relevent for this post> | 12 | "Hello world!" |
+--------------------------------------------------------------+-----------+--------------------------+
Hacking a TString
We can use string.paste()
to ‘paste’ 8 bytes from one string to another in a negative offset of -8
, which will overwrite the len
of the TString struct.
By doing that, we are making the string length to turn from 12 to a very large number.
Now because the length of foo
is a lot bigger, it will disclose the Hello World!
string and anything that comes after it. In other words, you just elevated your ‘blind write-what-where’ abillity into an arbitrary read.
Quite an awesome technique, btw I didn’t re-invent the wheel, this technique(spoofing a string length) is actually a common thing that pwners are trying to achieve when breaking the native layer of a language interpreter[2].
Leaking the flag from memory
Below is the solve.lua
script:
Output:
$ ./redis-cli --user default --pass default-pwd -h rainy-redis.ctf.bsidestlv.com --eval solve.lua
"BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n
-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-
cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w
0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}BSide
sT"
Flag: BSidesTLV2021{w0ah-r3d1s-cl0uds-c4n-bl33d-t00}
I hope you find this challenge interesting as much as I did :)