The Castle Doctrine Forums

Discuss the massively-multiplayer home defense game.


#1 2014-10-01 10:49:09

jasonrohrer
Administrator
Registered: 2013-04-01
Posts: 1,235

Cordial Minuet hacking bounty

I just posted this today:

http://cordialminuet.com/hackingChallenge.php

If anyone can win this, I imagine that a Castle Doctrine player can.


#2 2014-10-01 17:37:05

AMWhy
Member
Registered: 2014-02-04
Posts: 435

Re: Cordial Minuet hacking bounty

I sure hope the CD players CAN'T solve this, or my paranoia levels in-game will rise ten-fold!


#3 2014-10-02 04:21:26

voxel
Member
Registered: 2014-08-05
Posts: 84

Re: Cordial Minuet hacking bounty

An enlightened approach! But it looks like you haven't advertised this much yet.

Having looked at the TCD code I've seen that you've got experience with crypto. Here's hoping you won't need to pay out, but I think that it's more likely you'll have to pay out the bounty and then apparently there's no bounty for the second security flaw lurking in the code?

I assume the bounty can't be earned by applying zerodays against the server infrastructure. Maybe you should explicitly state that.


#4 2014-10-02 04:38:03

eppfel
Member
From: Germany
Registered: 2014-02-01
Posts: 325

Re: Cordial Minuet hacking bounty

voxel wrote:

I assume the bounty can't be earned by applying zerodays against the server infrastructure. Maybe you should explicitly state that.

I think $3000 for revealing a zero-day attack is quite cheap, so Jason would be dumb to exclude it. :)


#5 2014-10-02 05:13:28

voxel
Member
Registered: 2014-08-05
Posts: 84

Re: Cordial Minuet hacking bounty

I mean after public release, and before the server is patched.

I take back what I said. Jason seems to have a heck of a lot of experience with crypto and networking. And there's almost no deadly C/C++ running on the server. Holy crap, he's even using a YubiKey!

EDIT: It's a pity there's no prize for finding bugs allowing cheating. That's a lot of attack surface that's excluded.

Last edited by voxel (2014-10-02 06:09:08)


#6 2014-11-03 03:54:37

voxel
Member
Registered: 2014-08-05
Posts: 84

Re: Cordial Minuet hacking bounty

Two weeks ago Jason fixed an SQL injection vulnerability. However, the bounty page is still up, so I guess he got really lucky!


#7 2014-11-03 16:38:28

cullman
Member
Registered: 2014-03-21
Posts: 424

Re: Cordial Minuet hacking bounty

That bums me out because I spent about 15 minutes looking for a SQL injection and I must have missed it. He is smart (clearly) enough to use single quotes everywhere, and strip things down to the minimum before interpolation. I am tempted to set up a fake email address that has a domain with a Unicode character and complain that I can't join his game with my Unicode email address. But frankly, I think he is wise to only allow ASCII email address usernames, just for simplicity's and security's sake.

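The post above describes two defensive layers: stripping input down to a strict allow-list before it is quoted into a query, and the simpler option of not interpolating at all. The following is an added example written for this thread, not code from Cordial Minuet or from the poster; it uses an in-memory SQLite table with constructed sample rows and a constructed test vector to show why a quoted-but-interpolated query is only as safe as the filtering in front of it, while a bound parameter never reaches the SQL parser as code. The table name, rows and the ASCII-only e-mail pattern are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not the game's real schema).
SAMPLE_USERS = [("alice@example.com", 100), ("bob@example.com", 50)]

# Allow-list in the spirit of "ASCII e-mail addresses only": letters, digits and
# a few punctuation characters, one '@', a dotted domain. re.ASCII keeps \w-style
# classes from matching non-ASCII letters; here the explicit classes do that anyway.
ASCII_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", re.ASCII)


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_allowed_email(email):
    """Return True only if the address matches the strict ASCII allow-list."""
    return ASCII_EMAIL.match(email) is not None


def lookup_interpolated(conn, email):
    """Quoted string interpolation: correct ONLY if `email` was already filtered.

    A value containing a single quote terminates the literal early, so the
    remainder of the value is parsed as SQL. This is the pattern that needs the
    'strip to the minimum before interpolation' step the post mentions.
    """
    sql = "SELECT balance FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so no character in `email` can change the statement's structure."""
    return conn.execute("SELECT balance FROM users WHERE email = ?", (email,)).fetchall()


def lookup_filtered_then_interpolated(conn, email):
    """Allow-list first, then interpolate: the post's described approach.
    Rejected input never reaches the query at all."""
    if not is_allowed_email(email):
        return None
    return lookup_interpolated(conn, email)


if __name__ == "__main__":
    db = make_db()
    # Constructed test vector: a quote followed by an always-true clause.
    vector = "x' OR '1'='1"
    print("interpolated  :", lookup_interpolated(db, vector))        # every row leaks
    print("parameterized :", lookup_parameterized(db, vector))       # no rows
    print("filtered      :", lookup_filtered_then_interpolated(db, vector))  # None
    print("normal lookup :", lookup_parameterized(db, "alice@example.com"))
```

Running the block shows the three behaviours side by side: the interpolated query returns every row for the test vector, the parameterized query returns none, and the allow-list rejects the vector before any query is built. The last function also shows why the ASCII-only policy is "wise for security's sake": a narrow allow-list makes the interpolation path safe, whereas widening it to arbitrary Unicode addresses means every new character class has to be reasoned about again, a cost parameterization avoids entirely.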

#8 2014-11-04 00:56:40

voxel
Member
Registered: 2014-08-05
Posts: 84

Re: Cordial Minuet hacking bounty

Yeah, I looked as well and the reason I missed it was that I was lazy (and busy) and did a simple grep, but the relevant function call was broken over multiple lines! And it was in the code since August.

Last edited by voxel (2014-11-04 00:57:11)

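The line-by-line grep described above misses a call whose arguments continue on the next line, because each line is matched on its own. As an added example for this thread (not the poster's script and not the game's source), the block below contrasts a naive per-line search with a scan that matches across line breaks, run over a constructed PHP-like snippet. The function name `run_query` and the snippet are hypothetical; the technique generalizes to any call pattern an auditor wants to find regardless of how the call is wrapped.

```python
import re

# Constructed sample source: one single-line call with a literal argument and one
# call wrapped over three lines that interpolates a request variable.
SAMPLE_SOURCE = """<?php
// constructed sample, not real project code
$safe = run_query( "SELECT id FROM users WHERE email = 'alice@example.com'" );
$name = $_GET['name'];
$risky = run_query(
    "SELECT id FROM users ".
    "WHERE name = '$name'" );
?>"""

# What a quick grep for "a query call whose argument contains a PHP variable" does:
# the pattern must match within a single line.
PER_LINE = re.compile(r"run_query\(.*\$")

# The same intent, but the argument may span lines: DOTALL lets '.' cross '\n',
# and the non-greedy '.*?' stops at the first closing ');'.
MULTILINE_CALL = re.compile(r"run_query\((.*?)\);", re.DOTALL)


def naive_grep(source):
    """Per-line search, like `grep 'run_query(.*\\$' file.php`.
    Returns (line_number, line) pairs that match."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if PER_LINE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def multiline_scan(source):
    """Find every run_query(...) call, however it is wrapped, and report the ones
    whose argument text contains a '$' (a PHP variable reached the query text).
    Returns (starting_line_number, collapsed_call_text) pairs."""
    hits = []
    for m in MULTILINE_CALL.finditer(source):
        args = m.group(1)
        if "$" in args:
            lineno = source.count("\n", 0, m.start()) + 1
            collapsed = " ".join(m.group(0).split())
            hits.append((lineno, collapsed))
    return hits


if __name__ == "__main__":
    print("per-line grep :", naive_grep(SAMPLE_SOURCE))      # finds nothing
    print("multiline scan:", multiline_scan(SAMPLE_SOURCE))  # finds the wrapped call
```

The naive search returns nothing for the sample because the line holding `run_query(` has no `$` on it and the line holding `$name` has no `run_query(`. The multiline scan reports the call starting at line 5. A real audit would widen the call pattern to the project's actual query helpers and then review each hit by hand; the point here is only that the search has to be allowed to cross line boundaries.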
