IITGN-CS431 / project-cns


Security Issue (Group 12): Vulnerable to MITM, Unsecured TCP Communication, Deterministic, CPA & KPA insecure Encryption #127

Closed cpatel321 closed 2 weeks ago

cpatel321 commented 2 weeks ago

When the data is sent from the ./logappend and ./logread to the server, it is first encrypted and then directly sent to the server through TCP without any security. This is prone to MITM. I have run the following command,

```
./logappend -T 1 -K s1 -A -E 'Abcdefghijklmnoppp' log0123456
```

Upon intercepting the packet, I have found the following hexdump:


This hexdump decodes to some unreadable binary followed by this string:

```
16206e11079e18790e8305e10694e10694e12887e12130e1427e13927e15761e8633e13927e11954e13927e15761e7373e13927e13595e4603e13927e15761e10851e13927e15761e8212e13927e10851e17983e9408e1427e12887e6112e18790e13245e8324e4033e378e16206e13841e12130e11079e10694e10694e10694e10981e13927e16206e11079e18790e16387e4603e11954e764e8721e16990e6736e
```

Upon close inspection, one can easily look for patterns in it. For example, the only letter that appears is 'e', and after the 4th 'e' comes 10694e10694e, which can be the 'pp' from append (./logappend -T 1 -K s1 -A -E 'Abcdefghijklmnoppp' log0123456).

And all the above encryption can be easily figured out without even looking at the code.

This app has mainly the following security flaws:

  1. Deterministic Encryption: Predictable encryption patterns
  2. No security of packet over network: prone to MITM
  3. Absence of authenticity: The server doesn't validate whether received data is from ./logappend. An adversary can easily logappend to the server without even using the ./logappend executable.

This video can serve as a helpful guide for replicating the test scenario. These issues may lead to additional vulnerabilities and compound security risks, which I also haven't tested yet.

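The repetition reported above can be measured directly on the quoted payload, which is useful as a regression check that a fix no longer encodes equal plaintext units to equal ciphertext units. This is an added example, not part of the original issue or the project's code; the function names and the 0.9 threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Payload string quoted in the issue above (the readable part of the capture).
CAPTURED = (
    "16206e11079e18790e8305e10694e10694e12887e12130e1427e13927e15761e8633e"
    "13927e11954e13927e15761e7373e13927e13595e4603e13927e15761e10851e13927e"
    "15761e8212e13927e10851e17983e9408e1427e12887e6112e18790e13245e8324e"
    "4033e378e16206e13841e12130e11079e10694e10694e10694e10981e13927e16206e"
    "11079e18790e16387e4603e11954e764e8721e16990e6736e"
)

def tokens(payload, sep="e"):
    """Split the payload into ciphertext units; the trailing separator is dropped."""
    return [t for t in payload.split(sep) if t]

def repeated(toks):
    """(token, count) for every unit seen more than once, most frequent first."""
    return [(t, n) for t, n in Counter(toks).most_common() if n > 1]

def runs(toks):
    """(start index, token, length) for each run of identical adjacent units."""
    found, i = [], 0
    while i < len(toks):
        j = i
        while j + 1 < len(toks) and toks[j + 1] == toks[i]:
            j += 1
        if j > i:
            found.append((i, toks[i], j - i + 1))
        i = j + 1
    return found

def looks_deterministic(toks, threshold=0.9):
    """Heuristic (assumed threshold): with randomized encryption, equal plaintext
    units should not yield equal ciphertext units, so distinct/total stays near 1."""
    return len(set(toks)) / len(toks) < threshold

if __name__ == "__main__":
    toks = tokens(CAPTURED)
    print(f"{len(toks)} units, {len(set(toks))} distinct")
    print("repeated units:", repeated(toks)[:5])
    print("adjacent runs:", runs(toks))
    print("deterministic pattern:", looks_deterministic(toks))
```
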
bichhawat commented 2 weeks ago

Please fix this by tomorrow as discussed.

chakrie1489 commented 2 weeks ago

Fixed