Tags: sha1 collision pdf

Rating: 3.0

## 104 Easy Pisy ##

(crypto, web)

**Files provided**

- samples.tgz - an archive containing
- echo-ciao.pdf - a PDF with the text "ECHO ciao"
- echo-ciao.sign - signature for echo-ciao.pdf
- execute-ls.pdf - a PDF with the text "EXECUTE ls"
- execute-ls.sign - signature for execute-ls.pdf

**Description**

The target website contained two forms - one to upload a PDF file and have the server sign it, and another one to upload a PDF file with a signature and have the server execute it.

**Solution**

After some testing and viewing the PHP file sources (via public debug parameter), it was clear that the server is using ImageMagick to convert the PDF file into a PPM bitmap, then using ocram to read the text visually. The signing was done via openssl_sign and openssl_verify, using the default SHA algorithm, but then encrypting the signature using RSA. Uploading the given EXECUTE ls file with its proper signature revealed that the public and private key are in the same directory, but the access was forbidden. There was also a flag file, likewise inaccessible.

I spent way too long trying to figure out something clever for this one. I knew about the SHAttered attack but for some reason I thought it still takes a long time to actually construct two matching files. So, in my fumbling around I learnt a bunch about how PDFs work, and was trying / considering these attack vectors:

- length extension attack - impossible since the signature is encrypted
- make the PDF file include flag via filespec - PDF embedded files can't actually be displayed as content (AFAIK)
- openssl_verify wasn't checked properly, trip it up by sending malformed signature? - no luck
- OCR exploit - ???

So, in the end … Simply use [sha1collider](https://github.com/nneonneo/sha1collider). Make a PDF that just shows "EXECUTE cat flag", then python3 collide.py execute-ls.pdf execute-catflag.pdf and done. At least I learnt something! OOO{phP_4lw4y5_d3l1v3r5_3h7_b35T_fl4g5}