Time is of the Essence
From time to time, a sidechannel vulnerability pops up in various applications.
Most of them use timing as the sidechannel to reveal something.
In this training challenge you have to exploit a simple password comparison.
I have added sleeps to make the challenge solveable more easily. If you think it would be solveable without the sleeps, contact me.
Again you are given
the source, also as
highlighted version.
Thanks go to
tehron and
livinskull for testing the challenge.
Good luck!
GeSHi`ed PHP code for
timing1/vulnerable.php 1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
60 | <?php
#########################
### ALL VULNERABLE?!? ###
#########################
$answer = (string)@$_POST['answer'];$password = require 'password.php';
# Check password
return utf8_stringCompare($password, $answer);
###########
### Lib ###
###########
/**
* UTF-8 string comparison method. * Why is there no mb_strcmp() function?
*
* @version 0.2
* @author gizmore
* * @todo return distance between those two strings for sorting.
* @todo return true on same glyphs but different codepoints by normalizing the strings first.
*
* @param string $a
* @param string $b * @return boolean
*/
function utf8_stringCompare($a, $b)
{
# If length is not the same we can return false early. $len_a = mb_strlen($a);
$len_b = mb_strlen($b);
if ($len_a !== $len_b)
{
return false; }
usleep(10000); # Training emulate sidechannel
# We have to check further! for ($i = 0; $i < $len_a; $i++)
{
# Next char
$char_a = mb_substr($a, $i, 1);
$char_b = mb_substr($b, $i, 1);
# Compare
if ($char_a !== $char_b)
{
return false; # Char $i mismatched }
usleep(10000); # Training emulate sidechannel
continue; # Char $i matched }
return true; # The strings are the same
}
|
© 2020, 2021, 2022, 2023 and 2024 by
gizmore