Crypto Challenge
Help Eve defeat a weakened version of Nginx
Description
Eve had legitimate, restricted access to a file located on cc.dbzteam.org. Whenever she wanted to consult this file she issued the request http://cc.dbzteam.org:9000/p/eve/restricted.txt?st=aSYSRnsL0by4M1l1tbPcrQ&e=1295613171
Everything worked perfectly fine until 1-21-2011, when her link stopped working: the web server returned error code 403
on every one of her attempts.
Furious, she decided to understand what was going on and how to bypass this intolerable restriction. She quickly found out that the underlying server was a modified version of the Nginx web server.
$ curl --head cc.dbzteam.org:9000
HTTP/1.1 200 OK
Server: nginx-modified/0.9.4
Date: Tue, 25 Jan 2011 14:04:10 GMT
Content-Type: text/html
Content-Length: 176
Last-Modified: Mon, 24 Jan 2011 23:38:08 GMT
She further learned that this particular service was provided by the secure link module. This module uses a server secret to authenticate the URI /p/eve/restricted.txt
mixed with a timestamp 1295613171
(which explains how her access was revoked) to produce an authentication token. This authenticator takes the form of a secret MD5 hash aSYSRnsL0by4M1l1tbPcrQ
assigned by the server to Eve. With this initial set of information, along with what is provided in the following section, would you help Eve access and read restricted.txt
as she previously was able to do?
Resources and information
Consider the following additional resources and information.
- Server's configuration server.conf
  server {
      listen 9000;
      server_name cc.dbzteam.org;
      access_log /var/log/nginx/org.dbzteam.seb.challenge.log;
      root /var/www/cc;

      location / {
          index index.html;
      }

      location /p/ {
          secure_link $arg_st,$arg_e;
          secure_link_md5 <pass>$uri$arg_e;

          if ($secure_link = "") {
              return 403;
          }
          if ($secure_link = "0") {
              return 403;
          }

          rewrite ^ /p/restricted.txt break;
      }
  }
- Secure link's documentation
- The function ngx_http_secure_link_variable() in ngx_http_secure_link_module.c where the secure link functionality is implemented
- The target server, running at address http://cc.dbzteam.org:9000
- Nginx's compilation directives used to compile a modified version of nginx-0.9.4
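To make the scheme in server.conf concrete, here is an added example (not code from the challenge or from Nginx itself) that computes a token the way secure_link_md5 "<pass>$uri$arg_e" does and evaluates $secure_link the way the unmodified module does. The secret is a constructed placeholder, since the real <pass> value is unknown; the URI and timestamp are Eve's.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed secret for the demonstration only; the real <pass> in
# server.conf is not known and is not reproduced here.
SECRET = b"example-secret"
# Values taken from Eve's original link.
URI = "/p/eve/restricted.txt"
EXPIRES = 1295613171  # 2011-01-21, the day the link stopped working


def secure_link_token(secret: bytes, uri: str, expires: int) -> str:
    """MD5 over "<pass>$uri$arg_e", base64url-encoded, '=' padding
    stripped: the value a client must send as ?st=..."""
    digest = hashlib.md5(secret + uri.encode() + str(expires).encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_secure_link(secret: bytes, uri: str, st: str, e: str, now: int) -> str:
    """Mirror of the $secure_link variable: "" when the token does not
    match, "0" when it matches but has expired, "1" when it is valid.
    server.conf turns both "" and "0" into a 403."""
    try:
        expires = int(e)
        supplied = base64.urlsafe_b64decode(st + "=" * (-len(st) % 4))
    except (ValueError, binascii.Error):
        return ""
    expected = hashlib.md5(secret + uri.encode() + str(expires).encode()).digest()
    # Fixed 16-byte, constant-time comparison: the length is dictated by
    # the server-side digest, never by what the client supplied.
    if len(supplied) != 16 or not hmac.compare_digest(supplied, expected):
        return ""
    # An expiry of 0 means "no expiry"; otherwise a timestamp in the past
    # yields "0", as in the module.
    if expires and expires < now:
        return "0"
    return "1"


def http_status(result: str) -> int:
    """The two `if` blocks in server.conf: anything but "1" is a 403."""
    return 200 if result == "1" else 403


if __name__ == "__main__":
    tok = secure_link_token(SECRET, URI, EXPIRES)
    print(f"?st={tok}&e={EXPIRES}")
    print(http_status(check_secure_link(SECRET, URI, tok, str(EXPIRES), 1295613172)))
```

Running it shows how the same token flips from 200 to 403 once the clock passes e, which is exactly what happened to Eve's link.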
Note
The challenge is implemented on a slightly but fatally modified and weakened version of Nginx, which means that this exploit does not affect the real Nginx server. Although, as you will observe, this module would be better off not presenting such risks at all. So as not to spoil this challenge, the issues highlighted in this exercise will only be discussed in depth later, in the solution, not now.
Solution
Here is the solution, with code and a short description.