CTF - Puget Sound
As is probably already abundantly clear, I am a fan and advocate for Rust. When given the opportunity to create a challenge for a CTF, I wanted to set out to not only build a challenging Rust CTF challenge, I wanted to defy expectations, teach something novel, and reshape a participant’s understanding of Rust even for long-time Rustaceans.

The Premise

You’re presented with a brainfk interpreter written in Rust and its source code. You can pass it a brainfk program and it will run exactly as it should. It will also ignore non-brainfk program characters as if they didn’t exist. There is a maximum program size, though, at around 80 characters.
 
User-uploaded image: image.png

Investigation

Taking a look at the source code, we can immediately note a couple of interesting things.
First of all, unsafe code is forbidden. This means it’s not going to be as easy as searching for unsafe code blocks and finding the vulnerability there.
 
User-uploaded image: 2bTeoIusHvYbs_D6EFPondZoWGWcg3UsQ2l5Es7BFR1D0H-AKJFaNrI4XhJuUqtjk7ApGPQq6ZxLpTPSbSWUhQ0SppTVDSBrTNl8o6MxQ-j4l7eZIO4VIy_UtCkdxBDUX8u8EeWvg2XizArps7SjhJTKQR7izr_FbCjoJmWVTJrdo2SRfYgu83HvmH3BuA

Secondly, programs have a maximum length of 80.
 
User-uploaded image: ll9OaNdGEfC9Ctznow66jZUMhTawN0L_Y7kfjXpkbUu4vstlnrjOGjjPEbrU_a5juNe2GsVePY7VXB-KL1lY_cp0Mn6TzAxEWN7yfAlRrDxAVdJI4B_A7m7vP9IEopI4yCatHRFHWrPN9z9nEs1DlyXm7Trhht4UGOfVI0Y8dCyj1ZuueaMWzVedsJAhdQ

And lastly, this program uses Jemalloc seemingly because it’s “faster” than glibc’s heap allocator. 
 
User-uploaded image: l_WMhE0UKljWEAJO_IQFVgngOGnWg_X78Tg_vBm_G93X1xpQED7S8b8XWv1XNjuMHT7EtFTr9rRr-sFLKgRKkn9D-gTcszXiyS6MwCfI-xSfz932z86Ct4nPHbTGGy_PcjTI-SMLQvK4_vf-eoIELrm6_B9ruGI7dXddrvmBEDLPpoiRBMInT6JRMYSkEw


The code works in the following way:
  1. Read in the program from stdin
  1. After filtering out newlines, make sure the number of characters in the program is less than the MAX_PROGRAM_LENGTH
  1. Create a brainfk program object from the program
  1. Call the interpreter macro to create an interpreter with the brainfk program
  1. Read the flag from the flag file and call set_flag on the interpreter
  1. Run the interpreter

Two things really stand out here: the interpreter macro and the flag.

Set Flag on Interpreter

Looking at the set flag call we immediately see it’s a dead end. It’s not even implemented!
 
User-uploaded image: ixJ10jHtod6_5llmhRsjYMVrLznrIhq-yud13_Bvs_RifuTcPTQCRud4vqHlkHQvaTbmUN5QiAOTB0GAdTRpLlXW0BPY_ZIdr2GjdA8cCdk5h5M0YsqrRCpEMusESZkSuEX5-q1FMVgyMPInv5Z8jwkQFgsr_rJvU5oyj3Hbg07U_6A6it1wzeXOaSVA8A

Interpreter Macro

It seems a little odd that a macro is needed to create the interpreter when we were able to clearly create and call a function to instantiate a BrainFkProgram just fine. Macros can often hide complexity so this seems like a good place to start.
 
User-uploaded image: lBSyvmxGcV8KKJs8Uwi6MuzTvGWhyE-3oQWH4-ZEujZo1Rc7HysEZmjw-Ci0uaRuNnhuOVDuaPLyTyBGZRdNJfq4DD2TtlEZh1BYAJwSHJaWSdGaIKVLoa8Msq3fN0tqKal_yIxx2M9RZcxN_zZqdgn2oiPVNtDoDOL7zVb_aW3ahRiwW-SnrLX5ktFuoA


So this macro expands out to a Vector allocation that is as-large as our program (via this instruction_count call). We then call a method to instantiate a BrainFkInterpreter with our program and the result of calling box_and_apply_lower_bound_to_memory. We’ll also notice that this method takes a mutable reference to our Vector.

Box And Apply Lower Bound To Memory

Looking at this method we see it get complicated fast. Thankfully there is a nice helpful comment to explain the intent.
 
User-uploaded image: LtFYLNC2PnPf91JKFdjnRwOTg4-AB35v62ayG97XN3M65AxqIMprLfa0z4rixL5dhrJX0aNI47E2r924eARwIG5vkXV5LJTCsSaRuYARlWYx9RPfQVeG3g9EjwnnquMXYPiVLSAWz8Pu4c2rN3jktwClGZ4-4IO5DrL9z7CRExvhVU2oEm_CLunu-4Q7aw


We understand that this code is there to ensure that if the program is very large, we allocate a large amount of memory for the BrainFkProgram to run the program in. If it’s too small, we apply a lower bound to the size. It’s confusing why it’s written in such a convoluted way which should make you suspicious, but let’s see if we can understand under what conditions does the behavior change.

Following the data flow, we see that if the memory we allocated back in the interpreter macro is less than or equal to the maximum program length then we’ll call this closure we passed in instead and use that memory. If our memory is larger in size than the max program length, then we’ll use the memory we passed in. 

 
User-uploaded image: aaC9UHIyz7J_mkQ-KUvpHRAsDDv31TXLqyW7xy_WT7yNlHoDNvt0ABZxWo605iJC5nT-XZo5OA1QOqxqRdjvXQdJnikoGmrAhp0LJnr9HzXddcphMYfTLFOK4WQbFlUO_9vYNsjZfIyAI_3G7EPUW7E32UW_c4wL_B4Q09egV1eB4wX1rJnwqmLO22knLg

What’s curious though is that the memory we pass in is an immutable reference (&Vec<u8>) which you can think of as similar to a read-only pointer to some memory. Rust is memory safe so if we allocate some memory and hold a reference to it, that memory should not be deallocated. 

Let’s look back at the interpreter macro a little more closely.

Interpreter Macro, Again

I like to use the cargo expand command to look at how macros expand into Rust. It helps make it clearer what the end-product Rust looks like if it’s hard to reason about. You don’t necessarily need this, but it helps.
 
User-uploaded image: RNITYS6HE0fOnHmcDuIW7uS-5x7R2vpCPWzWumTXhbmtRvzBB6EoKDanoXf62fuhIePqEfu5OrSZt1Af-cZU70pw1G4bY9eZT6BK3ggZZ5ki-qJOQk6vJzUpJgCqN9Wrmfo88mvSS6eZqKwHJzI9FRNStk5mr7nKiuKKaE6tSPm6PMtTwm0ct_wpdCrKnQ


Something stands out here now that we have additional context on how box_and_apply_lower_bound_to_memory works. If we were able to create a Vec<u8> that was larger than MAX_PROGRAM_SIZE, then box_and_apply_lower_bound_to_memory would return it as a reference (think: pointer). However, in Rust, memory that is not returned at the end of a block is “dropped” (and deallocated).

We’re running into an impossibility in the Rust language.