Gorpkornyy Institut — alfactf

Description

Горпкорный институт

The service accepted a YAML certificate and verified it server-side before granting admission. The goal was to submit a certificate for passport 1337676769 that parsed as all 5s while still matching the one stored signature.

Analysis

The challenge combined a web submission endpoint with a weak homemade signature scheme.

The important source-level details were:

• Go unmarshaled attacker-controlled YAML with gopkg.in/yaml.v3 v3.0.1 into:

type Attestat struct {
    Passport string         `yaml:"паспорт"`
    Grades   map[string]int `yaml:"оценки"`
}

• The service knew a valid signature only for one fixed YAML blob, originalAttestat, under passport 1337676769.
• The request handler normalized \r\n to \n, unmarshaled the submitted bytes with yaml.Unmarshal, and then hashed the exact normalized byte string.
• The signature was not a real MAC. It was a plain polynomial hash over bytes with base 256 modulo

p = 2^56 - 5

The original signed document was:

# Подтвержденный аттестат
паспорт: "1337676769"
оценки:
  физика: 4
  химия: 3
  информатика: 5
  английский: 4
  русский: 5
  литература: 4
  физкультура: 5
  обществознание: 3
  алгебра: 4
  история: 5
  география: 4
  биология: 3
  геометрия: 4

If

H(b0..bn-1) = Σ bi * 256^(n-1-i) mod p,

then for concatenation we have

H(x || y) = H(x) * 256^|y| + H(y) mod p.

The YAML behavior provided the second half of the exploit. From parser tests against gopkg.in/yaml.v3 v3.0.1:

• duplicate keys were rejected, so overwrite tricks did not work;
• yaml.Unmarshal parsed only the first YAML document;
• bytes after an explicit document end marker ... were ignored by unmarshaling;
• unknown helper keys outside the target struct were ignored, but they were not needed for the final solve.

...