Questions  |  score: 4  |  5.13 6.73 8.40 |  Solved By 37 People  |  4356674 views  |  since Oct 12, 2020 - 15:38:04

Training: Time is of the Essence (Training, Coding, Exploit)

Time is of the Essence
From time to time, a side-channel vulnerability pops up in various applications.
Most of them use timing as the side channel to reveal something.
In this training challenge you have to exploit a simple password comparison.
I have added sleeps to make the challenge solvable more easily. If you think it would be solvable without the sleeps, contact me.

Again you are given the source, also as a highlighted version.

Thanks go to tehron and livinskull for testing the challenge.

Good luck!
GeSHi`ed PHP code for timing1/vulnerable.php
<?php
#########################
### ALL VULNERABLE?!? ###
#########################
$answer = (string)@$_POST['answer'];
$password = require 'password.php';

# Check password
return utf8_stringCompare($password, $answer);

###########
### Lib ###
###########
/**
 * UTF-8 string comparison method.
 * Why is there no mb_strcmp() function?
 *
 * @version 0.2
 * @author gizmore
 *
 * @todo return distance between those two strings for sorting.
 * @todo return true on same glyphs but different codepoints by normalizing the strings first.
 *
 * @param string $a
 * @param string $b
 * @return boolean
 */
function utf8_stringCompare($a, $b)
{
    # If length is not the same we can return false early.
    $len_a = mb_strlen($a);
    $len_b = mb_strlen($b);
    if ($len_a !== $len_b)
    {
        return false;
    }

    usleep(10000); # Training emulate sidechannel

    # We have to check further!
    for ($i = 0; $i < $len_a; $i++)
    {
        # Next char
        $char_a = mb_substr($a, $i, 1);
        $char_b = mb_substr($b, $i, 1);
        # Compare
        if ($char_a !== $char_b)
        {
            return false; # Char $i mismatched
        }

        usleep(10000); # Training emulate sidechannel

        continue; # Char $i matched
    }

    return true; # The strings are the same
}
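To make the leak the challenge is built around visible, here is an added Python example (not the challenge's own PHP): a port of utf8_stringCompare() whose usleep() calls are modelled by an injectable delay, so the number of delays that run before the early return can be counted, beside a constant-time comparison using hmac.compare_digest(), the Python counterpart of PHP's hash_equals(). The secret value is a constructed sample; the challenge's password.php is not on the page.

```python
"""Early-exit compare vs. constant-time compare (added example, not the page's code)."""
import hmac
import time
from typing import Callable

DELAY_SECONDS = 0.010  # the PHP code's usleep(10000) = 10 ms


def leaky_compare(secret: str, guess: str,
                  delay: Callable[[float], None] = time.sleep) -> bool:
    """Port of utf8_stringCompare(): returns on the first mismatch.

    Every delay() that runs before the early return is visible to the
    caller as extra latency, so latency encodes how much of the prefix matched.
    """
    if len(secret) != len(guess):   # wrong length: no delay at all
        return False
    delay(DELAY_SECONDS)            # length matched: one delay
    for a, b in zip(secret, guess):  # per code point, like mb_substr($s, $i, 1)
        if a != b:
            return False            # i matching chars => i more delays ran
        delay(DELAY_SECONDS)
    return True


def constant_time_compare(secret: str, guess: str) -> bool:
    """Hardened form: compare_digest() looks at every byte regardless of where
    the first difference is. Like hash_equals(), it still reveals a length
    mismatch; compare fixed-length hashes of the inputs if that matters."""
    return hmac.compare_digest(secret.encode("utf-8"), guess.encode("utf-8"))


def count_delays(secret: str, guess: str) -> int:
    """Run leaky_compare() with a delay that only counts; the count is the
    quantity a wall-clock measurement of the real code would estimate."""
    calls = []
    leaky_compare(secret, guess, delay=lambda _seconds: calls.append(1))
    return len(calls)


def measure_seconds(secret: str, guess: str, rounds: int = 3) -> float:
    """Median wall-clock time of leaky_compare() with the real 10 ms sleeps."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        leaky_compare(secret, guess)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    SECRET = "h4ckm3"  # constructed sample secret, not the challenge's password
    for guess in ("short", "zzzzzz", "h4zzzz", "h4ckzz", "h4ckm3"):
        print(f"{guess!r}: {count_delays(SECRET, guess)} delays, "
              f"{measure_seconds(SECRET, guess) * 1000:.0f} ms, "
              f"constant-time result {constant_time_compare(SECRET, guess)}")
```

Running it prints a delay count that grows by one for each additional leading character that matches, which is exactly the information the sleeps make measurable over the network; the constant-time variant returns the same booleans without that gradient.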
 
© 2020, 2021, 2022, 2023 and 2024 by gizmore