Secuinside Quals 2014: Javascript Jail (Misc 200)
01 Jun 2014 in Security (Reading time: 4 minutes)The challenge was pretty straightforward: connect to a service that’s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!javascript
function checker(flag, myRand) {
return function (rand) {
function stage1() {
var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
var b = rand(a.length);
if (!Array.isArray(b)) {
print("You're a cheater!");
return false;
}
if (b.length < a.length) {
print("hmm.. too short..");
for (var i = 0, n = a.length - b.length; i < n; i++) {
delete b[b.length];
b[b.length] = [Math.random() * 0x10000];
}
} else if (b.length > a.length) {
print("hmm.. too long..");
for (var i = 0, n = b.length - a.length; i < n; i++)
Array.prototype.pop.apply(b);
}
for (var i = 0, n = b.length; i < n; i++) {
if (a[i] != b[i]) {
print("ddang~~");
return false;
}
}
return true;
}
function stage2() {
var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
var b = rand(a.length);
if (!Array.isArray(b)) {
print("You're a cheater!");
return false;
}
if (b.length < a.length) {
print("hmm.. too short..");
for (var i = 0, n = a.length - b.length; i < n; i++) {
delete b[b.length];
b[b.length] = [Math.random() * 0x10000];
}
} else if (b.length > a.length) {
print("hmm.. too long..");
for (var i = 0, n = b.length - a.length; i < n; i++)
Array.prototype.pop.apply(b);
}
for (var i = 0, n = b.length; i < n; i++) {
if (a[i] != b[i]) {
print("ddang~~");
return false;
}
}
return true;
}
print("stage1");
if (!stage1())
return;
print("stage2");
if (!stage2())
return;
print("awesome!");
return flag;
};
}
As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is in how the random values are generated: once from Math.random, and, in stage 2, from a function provided by the factory function. This function was not available to us to reverse the functionality of.
So, how to solve? I wanted to control as much of the environment as I possibly could, so I started looking for the critical functions. I quickly realized that if we could control Math.random, stage 1 becomes trivial. It turns out that, yes, you can redefine functions on native code objects, so a mere Math.random = function() {return 1;};
takes care of this. Unfortunately, stage 2 doesn’t use Math.random, so how do we control it? Well, we have Array.apply and Array.map in use to create the a
array. Replacing those as well gives us:
1
2
3
4
5
6
7
8
9
10
11
12
13
#!javascript
Math.random = function(){print('Random called.'); return 1;};
f = function(l) {
print(l);
var foo = Array(l);
for (i=0;i<foo.length;i++) {
foo[i] = Math.random() * 0x10000;
}
foo.map = function(){return foo};
return foo;
};
Array.apply = function() { return f(30); };
check(f);
And we receive our flag.