123Line blog explosion

Lets find out whats going on in this world

Also browse our products

As the author of the Cow Say What? challenge from this year’s BSidesSF CTF, I
got a lot of questions about it after the CTF ended. It’s both surprisingly
straight-forward but also a very little-known issue.

The challenge was a web challenge – if you visited the service, you got a page
providing a textarea for input to the cowsay
program, as well as a drop down for the style of the cow saying something
(plain, stoned, dead, etc.). There was a link to the source code, reproduced
here:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122





package main

import (
	"fmt"
	"html/template"
	"io"
	"log"
	"net/http"
	"os"
	"os/exec"
	"regexp"
)

const (
	COWSAY_PATH = "/usr/games/cowsay"
)

var (
	modeRE = regexp.MustCompilePOSIX("^-(b|d|g|p|s|t|w)$")
)

// Note: mode must be validated prior to running this!
func cowsay(mode, message string) (string, error) {
	cowcmd := fmt.Sprintf("%s %s -n", COWSAY_PATH, mode)
	log.Printf("Running cowsay as: %s", cowcmd)
	cmd := exec.Command("/bin/sh", "-c", cowcmd)
	stdin, err := cmd.StdinPipe()
	if err != nil {
		return "", err
	}
	go func() {
		defer stdin.Close()
		io.WriteString(stdin, message)
	}()
	outbuf, err := cmd.Output()
	if err != nil {
		return "", err
	}
	return string(outbuf), nil
}

func checkMode(mode string) error {
	if mode == "" {
		return nil
	}
	if !modeRE.MatchString(mode) {
		return fmt.Errorf("Mode must match regexp: %s", modeRE.String())
	}
	return nil
}

const cowTemplateSource = `
<!doctype html>
<html>
	<h1>Cow Say What?</h1>
	<p>I love <a href='https://www.mankier.com/1/cowsay'>cowsay</a> so much that
	I wanted to bring it to the web.  Enjoy!</p>
	{{if .Error}}
	<p><b>{{.Error}}</b></p>
	{{end}}
	<form method="POST" action="/">
	<select name="mode">
		<option value="">Plain</option>
		<option value="-b">Borg</option>
		<option value="-d">Dead</option>
		<option value="-g">Greedy</option>
		<option value="-p">Paranoid</option>
		<option value="-s">Stoned</option>
		<option value="-t">Tired</option>
		<option value="-w">Wired</option>
	</select><br />
	<textarea name="message" placeholder="message" cols="60" rows="10">{{.Message}}</textarea><br />
	<input type='submit' value='Say'><br />
	</form>
	{{if .CowSay}}
	<pre>{{.CowSay}}</pre>
	{{end}}
	<p>Check out <a href='/cowsay.go'>how it works</a>.</p>
</html>
`

var cowTemplate = template.Must(template.New("cowsay").Parse(cowTemplateSource))

type tmplVars struct {
	Error   string
	CowSay  string
	Message string
}

func cowsayHandler(w http.ResponseWriter, r *http.Request) {
	vars := tmplVars{}
	if r.Method == http.MethodPost {
		mode := r.FormValue("mode")
		message := r.FormValue("message")
		vars.Message = message
		if err := checkMode(mode); err != nil {
			vars.Error = err.Error()
		} else {
			if said, err := cowsay(mode, message); err != nil {
				log.Printf("Error running cowsay: %v", err)
				vars.Error = "An error occurred running cowsay."
			} else {
				vars.CowSay = said
			}
		}
	}
	cowTemplate.Execute(w, vars)
}

func sourceHandler(w http.ResponseWriter, r *http.Request) {
	http.ServeFile(w, r, "cowsay.go")
}

func main() {
	addr := "0.0.0.0:6789"
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	http.HandleFunc("/cowsay.go", sourceHandler)
	http.HandleFunc("/", cowsayHandler)
	log.Fatal(http.ListenAndServe(addr, nil))
}

There’s a few things to unpack here, but probably most significant is that
the cowsay output is produced by invoking an external program. Notably, it
passes the message via stdin, and the mode as an argument to the program. The
entire program is invoked via sh -c, which makes this similar to the
system(3) libc function.

The mode is validated via a regular expression. As Jamie Zawinski was opined
(and Jeff Atwood has commented
on):

Some people, when confronted with a problem, think “I know, I’ll use
regular expressions.” Now they have two problems.

Well, it turns out we do have two problems. Our regular expression is given by
the statement:

1





modeRE = regexp.MustCompilePOSIX("^-(b|d|g|p|s|t|w)$")

We can use a tool like regex101.com to play
around with our expression. Specifically, it appears that it should consist of
a - followed by one of the characters separated by pipes within the
parentheses. At first, this appears pretty limiting, however, if we examine the
Go regexp documentation, we might
notice a few oddities. Specifically, ^ is defined as “at beginning of text or
line (flag m=true)” and $ as “at end of text … or line (flag m=true)”. So
apparently two of our special characters have different meanings depending on
some “flags”.

There are no flags in our regular expression, so we’re using whatever the
defaults are. Looking at the documentation for
Flags, we see that there are
two default sets of flags: Perl and POSIX. Slightly strangely, the
constants use an inverted meaning for the m flag: OneLine, which causes the
regular expression engine to “treat ^ and $ as only matching at beginning and
end of text”. This flag is not included in POSIX (in fact, no flags are),
so in a POSIX RE, ^ and $ match the beginning and end of lines
respectively.

Our test for the Regexp to match is
MatchString, which is
documented as:

MatchString reports whether the string s contains any match of the regular
expression re.

Note that the test is “contains any match”. If ^ and $ matched beginning
and end of input, that would require the entire string to match, but since
they are matching beginning and end of line, so long as the input contains a
line matching the regular expression, then MatchString will return true.

This now means we can pass arbitrary input via the mode parameter, which
will be directly interpolated into the string passed to sh -c. Put another
way, we now have a Command
Injection vulnerability.
We just need to also include a line that matches our regular expression.

To send a parameter containing a newline, we merely need to URL encode
(sometimes called percent encoding) the character, resulting in %0A. This can
be exploited with a simple cURL command:

1
2
3





curl 'https://cow-say-what-473bf31e.challenges.bsidessf.net/' 
  -H 'Content-Type: application/x-www-form-urlencoded' 
  --data-raw 'mode=-d%0acat flag.txt #&message=foo'

The -d%0a matches the regular expression, then we have a command injected
(cat flag.txt) and start a comment (#) to just ignore the rest of the
command.

1
2
3
4
5
6
7
8
9





 _____
< foo >
 -----
           ^__^
           (xx)_______
            (__)       )/
             U  ||----w |
                ||     ||
CTF{dont_have_a_cow_have_a_flag}
BOOK AN ONSITE ENGINEER/INSTALLER

Subscribe Our Newsletter.

What is more interesting is if you find out about  all the existing new things we are up to