Common Vulnerabilities and Exposures (CVE) is a public dictionary of security vulnerabilities that have been disclosed. A CVE entry normally consists of a CVE ID, a description, and a list of references: the CVE ID uniquely identifies the entry, the description summarises the flaw, and the references link to the advisories, reports and vendor notes from the organisations that found or analysed it. In this presentation we are going to explore a recent entry, CVE-2021-3156 (named "Baron Samedit" by Qualys, who reported it): a heap-based buffer overflow in sudo's command-line parsing that is reachable when sudo runs in shell mode (for example "sudoedit -s", or "sudo -s" / "sudo -i") and a command-line argument ends in a single unescaped backslash. Because the escaping and unescaping code paths disagree about that trailing backslash, sudo writes past the end of a heap buffer, and an unprivileged local user can exploit this to gain root without authentication. The bug affects legacy sudo 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1 and is fixed in 1.9.5p2.
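As an added example (my code, not part of the presentation), a small Go program that runs the check published in the Qualys advisory for CVE-2021-3156 and classifies its output. The type and function names are my own; the rule it encodes is the advisory's: when an unprivileged user runs "sudoedit -s /", an unpatched sudoedit gets far enough to print an error beginning with "sudoedit:", while a patched build rejects the -s option up front and prints its "usage:" line. The argument "/" does not end in a backslash, so the probe never reaches the overflow; it only tells you which code path the installed binary takes.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"strings"
)

// Verdict classifies the first line printed by "sudoedit -s /".
type Verdict string

const (
	Vulnerable Verdict = "vulnerable" // sudoedit accepted -s and went on to complain about "/"
	Patched    Verdict = "patched"    // sudoedit refused -s and printed its usage line
	Unknown    Verdict = "unknown"    // no output, or output the advisory's rule does not cover
)

// Classify maps the first line of sudoedit's combined output to a verdict
// using the Qualys rule: vulnerable builds print an error starting with
// "sudoedit:" (typically "sudoedit: /: not a regular file"), patched builds
// print a line starting with "usage:".
func Classify(output string) Verdict {
	scanner := bufio.NewScanner(strings.NewReader(output))
	if !scanner.Scan() {
		return Unknown
	}
	line := strings.TrimSpace(scanner.Text())
	switch {
	case strings.HasPrefix(line, "sudoedit:"):
		return Vulnerable
	case strings.HasPrefix(line, "usage:"):
		return Patched
	default:
		return Unknown
	}
}

// Probe runs the advisory's check as the current (unprivileged) user.
// sudoedit exits non-zero on both vulnerable and patched systems, so the
// exit status is ignored and only the printed text is interpreted.
func Probe() (Verdict, error) {
	cmd := exec.Command("sudoedit", "-s", "/")
	out, runErr := cmd.CombinedOutput()
	if len(out) == 0 && runErr != nil {
		return Unknown, fmt.Errorf("could not run sudoedit: %w", runErr)
	}
	v := Classify(string(out))
	if v == Unknown {
		return v, fmt.Errorf("unrecognised sudoedit output: %q", strings.TrimSpace(string(out)))
	}
	return v, nil
}

func main() {
	v, err := Probe()
	if err != nil {
		fmt.Println("could not determine status:", err)
		return
	}
	fmt.Println("sudo CVE-2021-3156 status:", v)
}
```

Treat an "unknown" verdict as "check the sudo version and the distribution's advisory", not as "patched": the classification only covers the two outputs the advisory describes.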
From the title of the challenge I could tell that the weakness was most likely on the client side, that is, in the challenge's web page. Opening the page linked from the description shows a simple login form asking for a credential. Since it is a web page, I opened the Chrome dev tools to look at the source and found the following JavaScript. The script validates the string entered in the form by slicing it into fixed-width chunks and comparing each chunk to a literal, so the flag is simply those literals concatenated in offset order (the checks themselves are nested out of order). Validation that runs in the browser is fully visible to, and under the control of, the user, so any secret it compares against is effectively public.
function verify() {
  // Read the candidate password straight from the form field.
  const checkpass = document.getElementById("pass").value;
  const split = 4; // every chunk is 4 characters wide
  // Each comparison tests one slice of the input against a literal. The
  // slices are checked out of order, but the offsets fix where each chunk
  // belongs: 0, split, split*2, ... split*7.
  if (checkpass.substring(0, split) == 'pico') {
    if (checkpass.substring(split*6, split*7) == '723c') {
      if (checkpass.substring(split, split*2) == 'CTF{') {
        if (checkpass.substring(split*4, split*5) == 'ts_p') {
          if (checkpass.substring(split*3, split*4) == 'lien') {
            if (checkpass.substring(split*5, split*6) == 'lz_7') {
              if (checkpass.substring(split*2, split*3) == 'no_c') {
                // The last slice is only 2 characters long, so the flag is 30 characters.
                if (checkpass.substring(split*7, split*8) == 'e}') {
                  alert("Password Verified")
                }
              }
            }
          }
        }
      }
    }
  }
  else {
    // Only a wrong first chunk reaches this branch; other failures are silent.
    alert("Incorrect password");
  }
}
The flag is picoCTF{no_clients_plz_7723ce} (reassembling it could be done with a short program, but the string is short enough that I glued it together by hand).
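The reassembly mentioned above, written out as an added example (my code, not from the original write-up) in Go: it parses the substring() comparisons out of the validator source copied from the page, evaluates the "split*N" offsets, sorts the chunks into place while refusing gaps or overlaps, and then re-runs the same checks offline to confirm the result. The type and function names are mine; the only input is the validator's own text.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// verifySource is the chain of comparisons from the page's verify() function,
// copied verbatim so the solver runs offline against the real checks.
const verifySource = `
if (checkpass.substring(0, split) == 'pico') {
if (checkpass.substring(split*6, split*7) == '723c') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_7') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == 'e}') {
`

const splitSize = 4 // the validator's `split` variable

// Check is one substring(Start, End) == Expected comparison.
type Check struct {
	Start, End int
	Expected   string
}

var checkRE = regexp.MustCompile(`substring\(([^,]+),([^)]+)\)\s*==\s*'([^']*)'`)

// evalOffset evaluates a substring() argument written as "0", "split" or "split*N".
func evalOffset(expr string, split int) (int, error) {
	expr = strings.TrimSpace(expr)
	if expr == "split" {
		return split, nil
	}
	if n, err := strconv.Atoi(expr); err == nil {
		return n, nil
	}
	if strings.HasPrefix(expr, "split*") {
		if n, err := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(expr, "split*"))); err == nil {
			return split * n, nil
		}
	}
	return 0, fmt.Errorf("unsupported offset expression %q", expr)
}

// ExtractChecks pulls every comparison out of the validator source, in source order.
func ExtractChecks(source string, split int) ([]Check, error) {
	var checks []Check
	for _, m := range checkRE.FindAllStringSubmatch(source, -1) {
		start, err := evalOffset(m[1], split)
		if err != nil {
			return nil, err
		}
		end, err := evalOffset(m[2], split)
		if err != nil {
			return nil, err
		}
		checks = append(checks, Check{Start: start, End: end, Expected: m[3]})
	}
	return checks, nil
}

// AssembleFlag orders the chunks by offset and concatenates them. A chunk whose
// offset does not equal the length assembled so far signals a gap or overlap,
// i.e. a mis-parsed check, rather than being glued in silently.
func AssembleFlag(checks []Check) (string, error) {
	sorted := append([]Check(nil), checks...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Start < sorted[j].Start })
	var b strings.Builder
	for _, c := range sorted {
		if c.Start != b.Len() {
			return "", fmt.Errorf("chunk %q belongs at offset %d but %d bytes are assembled", c.Expected, c.Start, b.Len())
		}
		b.WriteString(c.Expected)
	}
	return b.String(), nil
}

// substring mirrors JavaScript's String.prototype.substring, which clamps
// out-of-range indexes (the last check reads past the end of the flag).
func substring(s string, start, end int) string {
	if start < 0 {
		start = 0
	}
	if start > len(s) {
		start = len(s)
	}
	if end > len(s) {
		end = len(s)
	}
	if start > end {
		start, end = end, start
	}
	return s[start:end]
}

// Verify re-implements the validator's logic without the DOM: every
// comparison must hold for the candidate to be accepted.
func Verify(candidate string, checks []Check) bool {
	for _, c := range checks {
		if substring(candidate, c.Start, c.End) != c.Expected {
			return false
		}
	}
	return true
}

// Solve extracts the checks, assembles the flag and confirms it passes them.
func Solve() (string, error) {
	checks, err := ExtractChecks(verifySource, splitSize)
	if err != nil {
		return "", err
	}
	flag, err := AssembleFlag(checks)
	if err != nil {
		return "", err
	}
	if !Verify(flag, checks) {
		return "", fmt.Errorf("assembled %q but it does not pass the validator's checks", flag)
	}
	return flag, nil
}

func main() {
	flag, err := Solve()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(flag)
}
```

Re-running the checks after assembly is what makes this safe to reuse on a different validator: if the regex picks up a comparison it misreads, Verify fails instead of reporting a plausible-looking wrong flag.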
package main

import "fmt"

// minusValue returns a closure over sum. sum is initialised from a and b
// when minusValue runs and then lives on inside the returned function.
func minusValue(a, b int) func(int) int {
	fmt.Println("this is from minusValue, and a is", a, "b is", b)
	sum := a + b
	return func(para int) int {
		sum += para // sum is captured, so every call sees the previous total
		fmt.Println("this is from inner func and sum is", sum)
		return sum
	}
}
If I call it directly as minusValue(1,2), the console only prints "this is from minusValue, and a is 1 b is 2"; everyone understands that. When I call it the way shown below, another property of closures shows up: a variable captured by the closure's anonymous function stays alive in memory for as long as some reference to the closure is still in use. See the following calls and their output:
func main() {
	f := minusValue(1, 2)
	f(10) // sum: 3 + 10 = 13
	f(10) // sum: 13 + 10 = 23, the same captured sum as the previous call
	fmt.Println("----------------")
	n := minusValue(10, 20)
	n(100) // a separate closure with its own sum: 30 + 100 = 130
}
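An added example of my own (not from the original post) that uses the same property for something practical: a login-failure lockout whose per-user table exists only inside the closures that newLockout returns. The function and variable names are hypothetical. The map is allocated once and kept alive by the two returned functions, which share it; a second call to newLockout gets an independent table, just as f and n above each keep their own sum.

```go
package main

import "fmt"

// newLockout returns two closures that share one captured failure table.
// Nothing outside can reach the map, so it lives exactly as long as the
// returned functions do and cannot be tampered with from elsewhere.
func newLockout(maxFailures int) (fail func(user string) bool, allowed func(user string) bool) {
	failures := map[string]int{} // captured by both closures below

	// fail records one failed login and reports whether the account is now locked.
	fail = func(user string) bool {
		failures[user]++
		return failures[user] >= maxFailures
	}
	// allowed reports whether the account is still below the lockout threshold.
	allowed = func(user string) bool {
		return failures[user] < maxFailures
	}
	// Note: a Go map is not safe for concurrent use; a server calling these
	// from several goroutines would capture a sync.Mutex alongside the map.
	return fail, allowed
}

func main() {
	fail, allowed := newLockout(3)
	for i := 1; i <= 3; i++ {
		locked := fail("alice")
		fmt.Printf("alice failure %d: locked=%v allowed=%v\n", i, locked, allowed("alice"))
	}
	// A second lockout has its own table: alice is not locked here.
	_, allowedElsewhere := newLockout(3)
	fmt.Println("alice in a fresh lockout: allowed =", allowedElsewhere("alice"))
}
```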