Showing posts from March, 2009

CodeGate 2009's Challenge 18 - Diffie-Hellman parameter tampering case study

1 Introduction
Last week I joined team CLGT to take part in CodeGate 2009, organized by BeistLab. There were 21 challenges. This post is about challenge 18, which, IMHO, is one of the most interesting. You can download the full report from CLGT here.

Only two teams managed to nail #18, and, unfortunately, we were not one of them. We were very close, just minutes away from the final solution, but could not manage to solve it before the contest ended. Anyway, we're writing this writeup because we like it.

This is a cryptography challenge. The objective is to decrypt the communication between a server and a client, which run a protocol involving the RSA digital signature algorithm [1], the Diffie-Hellman key agreement protocol [2], and the AES block cipher [3].

Section 2 describes the protocol and its setting in detail. Section 3 discusses some vulnerabilities of the protocol. Section 4 describes how we nail it. Section 5 discusses some ways to fix it. Section 6 concludes.
2 The Protocol
As we s…

Spot the vulnerability challenges

Earlier this week, choc_, a friend of mine, started posting several small C programs to HVAOnline, and asking folks at that popular security forum to find, exploit, and fix the vulnerabilities in those programs.

I found those challenges very interesting, and some of them are quite difficult to solve if you don't understand how C stores and interprets integer values. They remind me of the great code auditing book "The Art of Software Security Assessment", in which the authors dedicate a whole chapter to C language issues, esp. those that occur when you use integers in the wrong way.

Here are some of the challenges. I hope you find them interesting.

Challenge 1
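#include <stdlib.h>
#include <string.h>

/* Challenge code: intentionally vulnerable, left as posted. */
int main(int argc, char **argv) {
    if (argc != 3)
        return 1;
    unsigned short int x = strlen(argv[1]) + strlen(argv[2]);
    char *buf = (char *)malloc(x);
    strcpy(buf, argv[1]);
    strcat(buf, argv[2]);
    return 0;
}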
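
The integer handling in Challenge 1, next to a hardened version, as an added example that is not part of the original post or of choc_'s challenges. The function names are hypothetical, and the first function assumes a 16-bit unsigned short, as on common platforms.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size Challenge 1 passes to malloc(): the size_t sum of the two lengths
 * is narrowed to unsigned short, and no byte is reserved for the NUL. */
size_t challenge1_alloc_size(size_t len1, size_t len2)
{
    unsigned short x = (unsigned short)(len1 + len2);
    return x;
}

/* Hardened size computation: stays in size_t, rejects wraparound and
 * includes the terminating NUL. Returns 0 on success, -1 on overflow. */
int checked_concat_size(size_t len1, size_t len2, size_t *out)
{
    if (len1 > SIZE_MAX - len2 || len1 + len2 > SIZE_MAX - 1)
        return -1;
    *out = len1 + len2 + 1;
    return 0;
}

/* Hardened concatenation. Caller frees; NULL on overflow or OOM. */
char *safe_concat(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), need;
    char *buf;

    if (checked_concat_size(la, lb, &need) != 0)
        return NULL;
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, a, la);           /* bounded copies, lengths known */
    memcpy(buf + la, b, lb + 1);  /* lb + 1 also copies b's NUL */
    return buf;
}

int main(void)
{
    size_t need = 0;
    /* Constructed lengths: 40000 + 30000 does not fit in 16 bits. */
    printf("challenge 1 allocates %zu bytes\n",
           challenge1_alloc_size(40000, 30000));
    if (checked_concat_size(40000, 30000, &need) == 0)
        printf("bytes actually needed: %zu\n", need);
    return 0;
}
```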

Challenge 2


int main(int argc, char **argv)
int x, y;
if (argc != 3)
return 0;
x …