prophet_'s blog

Foundation for fixing various CF tools broken by recent security update (Solution)
By prophet_, 4 years ago, In English

UPD: The RCPC token wall seems to have been removed. As of the time of this update, no additional security check is needed to access codeforces. Hence this script has been rendered obsolete by this change, and you will receive an error message if you attempt to run it.

As a result of a recent security update, many codeforces tools have been broken. In short, in order to access codeforces, a token is now required, which is decoded by the browser through a javascript implementation of AES. I have explained the specifics of this in my previous blog: https://codeforces.net/blog/entry/80070.

The token is different based on your IP address, and must be sent as a cookie with all requests to codeforces. Failing to do so will result in codeforces responding with a redirect page, containing the encrypted cipher token.

I have written an ad hoc script to decode this token using python.

https://github.com/great-prophet/adhoc_cf_rcpc_token_decoder

This script makes a request to codeforces to get the raw response with the AES cipher parameters, parses out the encrypted cipher, decodes it using an equivalent python AES implementation, and returns a hex formatted token. To use, simply run "source/cf_rcpc_token_decode.py" without input, with a python 3 interpreter.

Here is a screenshot of the expected behavior:

Expected Output

Note: You can ignore the "Cipher" output. It is the raw encrypted token, before decoding.

This token should be passed as a cookie with the key "RCPC" in all codeforces requests. For example, here is how you would do so with curl:

curl 'https://codeforces.com' -H 'Cookie: RCPC=606806bf70edce2cb8427ea1f7d71ece'

This script, by itself, will not automatically fix broken cf tools. You will need to have some technical knowledge in order to manually add the cookie as described above. This process is different for every tool. However I hope it can serve as a foundation for implementing a general fix.

Disclaimer: My current script is very very hacky and may be broken by future changes. However I will try my best to maintain it if an update does occur.

Full text and comments »

  • Vote: I like it
  • +57
  • Vote: I do not like it

Critical Bug in Codeforces: Broken AES encryption results in 403 Forbidden Error. (Solution)
By prophet_, history, 4 years ago, In English

After investigating an issue resulting in a 403 error when trying to access codeforces as described in this blog: https://codeforces.net/blog/entry/80065

I believe I have found the issue and the solution.

Codeforces uses a "slow aes" decryption function to require users to perform a non-trivial amount of computational work before they can access the site, presumably to protect against malicious users spamming the server. A parameter is given based on the user's IP address and the user must decrypt using this to generate a RCPC token in order to access the site.

Those experiencing the 403 error likely are victims of a bug that causes the last 2 characters (last byte in binary) to be deleted. You can confirm this by checking your RCPC token in your cookies. This token should be 32 characters, but is only 30 if you experience this bug.

The aes javascript implementation is from here: https://codeforces.net/aes.min.js

I believe the issue is with the function "unpadBytesOut". In the image below I am logging the "bytesOut" variable, which stores the final token, before and after this function.

                console.log("BEFORE" ,bytesOut.toString(), bytesOut.length);
                this.unpadBytesOut(bytesOut);
                console.log("AFTER" ,bytesOut.toString(), bytesOut.length);

Console Log

As you can see, in this particular case, the last byte has been deleted by this function. I have found that around 8% of randomly generated aes parameters (the one based on your ip) has this issue.

If you are having this issue, download the javascript and run it locally, after removing the line calling this function. I am also happy to generate the token for anyone who has difficulty doing it themselves. If you send me your response from codeforces.com without redirects and I can send you the corrected token. If you're on linux or max for example, you can send me the response to the command "curl codeforces.com". Note that this token won't compromise the security of your account as I believe it is purely to protect again a DDOS by verifying the IPs.

I hope MikeMirzayanov can get this fixed as soon as possible.

UPD: I believe the issue has now been resolved. The aes.min.js has been updated with an additional conditional in the previously broken unpadBytesOut function. Below is a diff of the new change:

Diff

UPD: I have written an ad hoc script that may serve as a potential foundation for fixing various cf tools broken by this. You can find more about this here: https://codeforces.net/blog/entry/80135

Full text and comments »

  • Vote: I like it
  • +232
  • Vote: I do not like it