STAY ~/ CTF 2022: VACCINATED EDITION

vacc_ex

Author: @jnovikov

Overview

The service is an exchange/marketplace platform for new vaccines.

Users can register and create vaccine stocks with a private and a public price.

Other users can buy a vaccine using its private or public ID.

Vuln: NaN

  1. Users can create vaccine stocks with any price they want, except a negative price.
  2. Users can buy vaccines using their stored balance.
  3. The validation functions do not check for the 'special' float values 'inf' and 'nan'.
  4. If you create a vaccine with a NaN price it passes all the checks, since any comparison with NaN returns False.
  5. The NaN price is subtracted from the buyer's balance, so the balance itself becomes NaN.
  6. With a NaN balance you can buy any stock, since (NaN < AnyValue) returns False and the "insufficient balance" check never triggers.

Exploit: nan_price.py

FIX:

Explicitly check for NaN (and infinity) in the validatePrice function. (You may also want to replace already existing NaN balances in Redis.)
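The following is an added example, not the vacc_ex service's own code: a small Python model of the price validation and purchase flow described above, showing why a NaN price passes a plain `price < 0` check and poisons the balance, and how an explicit finiteness check in the validation step (plus a cleanup for already-poisoned balances) closes it. Function names and the reset-to-zero cleanup policy are assumptions.

```python
import math

# Constructed model of the writeup's validation and purchase flow.


def parse_price(raw: str) -> float:
    """Prices arrive as user-controlled strings; float() accepts
    'nan', 'inf' and '-inf' (any case) without complaint."""
    return float(raw)


def validate_price_vulnerable(price: float) -> bool:
    """Writeup-style check: only rejects negatives. Every comparison
    involving NaN is False, so NaN is accepted as a valid price."""
    return not (price < 0)


def validate_price_fixed(price: float) -> bool:
    """Hardened check: reject non-numeric, NaN and infinite values
    before applying the non-negative rule."""
    if isinstance(price, bool) or not isinstance(price, (int, float)):
        return False
    if not math.isfinite(price):           # False for nan, inf, -inf
        return False
    return price >= 0


def purchase(balance: float, price: float, validate) -> float:
    """Buy one stock: refuse if the balance cannot cover the price,
    otherwise subtract it. 'validate' is the price check in use."""
    if not validate(price):
        raise ValueError("rejected price")
    if balance < price:                    # False when either side is NaN
        raise ValueError("insufficient balance")
    return balance - price


def repair_balance(stored: float) -> float:
    """Cleanup for balances already poisoned (e.g. stored in Redis):
    anything non-finite is reset to zero (assumed policy)."""
    return stored if math.isfinite(stored) else 0.0


def demo():
    """Returns (balance became NaN, NaN balance buys anything,
    fixed validation rejects NaN, repaired balance)."""
    nan_price = parse_price("nan")
    poisoned = purchase(100.0, nan_price, validate_price_vulnerable)
    expensive = purchase(poisoned, 10**9, validate_price_vulnerable)
    try:
        purchase(100.0, nan_price, validate_price_fixed)
        rejected = False
    except ValueError:
        rejected = True
    return (math.isnan(poisoned), math.isnan(expensive), rejected,
            repair_balance(poisoned))
```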