HatedFate's blog

By HatedFate, history, 6 months ago, In English

Image Here

I decided to browse Codeforce submission for a question that I completed and I saw this. I doubt this guy will do much harm but I still find it quite funny.

  • Vote: I like it
  • +47
  • Vote: I do not like it

»
6 months ago, # |
  Vote: I like it +8 Vote: I do not like it

Auto comment: topic has been updated by HatedFate (previous revision, new revision, compare).

»
6 months ago, # |
  Vote: I like it +8 Vote: I do not like it

Auto comment: topic has been updated by HatedFate (previous revision, new revision, compare).

»
6 months ago, # |
  Vote: I like it +24 Vote: I do not like it

Lol. seems like someone is trying to practice "Command Injection" on codeforces xD

»
6 months ago, # |
  Vote: I like it 0 Vote: I do not like it

ctf... cf might get hacked like this

»
6 months ago, # |
Rev. 2   Vote: I like it +14 Vote: I do not like it

Possibly tell him that hacking sites without permission is illegal before he gets in trouble.

Edit: nvm this was all 3 months ago. It looks like he ended up sending messages from cf servers using python's socket library. I wonder why the admins haven't disabled such libraries.

  • »
    »
    6 months ago, # ^ |
    Rev. 7   Vote: I like it +88 Vote: I do not like it

    The way to address this is not to disable the libraries, the way to address this is to block network access (relevant syscalls or similar), preferably by using a proper sandbox.

    I didn't believe this would actually make a request but it does. I tried this: 265945617 and sure enough, it actually made a request, there is a log event of that on my server.

    EDIT: and it can receive too! 265946029 I think this might actually turn out to be a serious vulnerability.

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it 0 Vote: I do not like it

      Damn, did I uncover something crazy or is it known for a while now?

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it 0 Vote: I do not like it

      my man just printed 69 on his private server. man of culture indeed

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it +50 Vote: I do not like it

      So theoretically you could send over test data to a private server that could run embarrassingly parallel code on a cluster (let's say, running $$$O(n!)$$$ when the intended is $$$O(\textsf{poly}(n) 2^n)$$$) and print the result to CF stdout?

      • »
        »
        »
        »
        6 months ago, # ^ |
          Vote: I like it +14 Vote: I do not like it

        Seems like an even more cursed way of solving Watermelon!

      • »
        »
        »
        »
        6 months ago, # ^ |
          Vote: I like it -21 Vote: I do not like it

        theoretically speaking, you can basically write a script to do so, for a non-interactive problem at least, so basically someone can get the full systests, if he just tries so many directories to finally find the systest folder...