Closed RuchitJagodara closed 1 week ago
Can you check if you can login again using the empty username and the password you provided during registration and post the output, too? Changing the register values using GDB, while appreciated, does not constitute a bug as I can modify any values at any time. The same needs to work once you are out of that and trying to reaccess the system.
Continuing.
Enter password (min 8 chars, must include uppercase, lowercase, number, special char, no spaces): hellow_username worked bit exploitation successful
Password too weak or contains spaces! Please try again.
Enter password (min 8 chars, must include uppercase, lowercase, number, special char, no spaces): YeahItworked!@#303WOW
Enter initial deposit amount (must be formatted as 0.00): 10.00
Server: Registration successful!
But sir, as you can see here, I am getting a "Registration successful" message, which means I was able to register with that username on the server too, but according to the specs I should not be able to register using this name....
Ok, I am clubbing this with the password one, as they are the same functionality issues.
@bichhawat, below is my updated log. As you can see, after the attack I was also able to deposit an amount with the invalid username.
ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-1/build$ gdb atm
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from atm...
(gdb) break validate_username
Breakpoint 1 at 0x765d: file atm_final.cpp, line 90.
(gdb) run
Starting program: /home/ruchitjagodara/Education/CNS/project-cns/project-submissions/group-1/build/requirements/atm
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Server: VERIFIED
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 1
Breakpoint 1, validate_username (username="") at atm_final.cpp:90
90 {
(gdb) continue
Continuing.
Enter username (allowed: [_-., digits, lowercase letters], 1-122 chars): @@@@@UnvalidUsername
Breakpoint 1, validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:90
90 {
(gdb) disassemble validate_username
Dump of assembler code for function _Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE:
0x000055555555b64c <+0>: endbr64
0x000055555555b650 <+4>: push %rbp
0x000055555555b651 <+5>: mov %rsp,%rbp
0x000055555555b654 <+8>: push %rbx
0x000055555555b655 <+9>: sub $0x48,%rsp
0x000055555555b659 <+13>: mov %rdi,-0x48(%rbp)
=> 0x000055555555b65d <+17>: mov %fs:0x28,%rax
0x000055555555b666 <+26>: mov %rax,-0x18(%rbp)
0x000055555555b66a <+30>: xor %eax,%eax
0x000055555555b66c <+32>: mov -0x48(%rbp),%rax
0x000055555555b670 <+36>: mov %rax,%rdi
0x000055555555b673 <+39>: call 0x55555555acb0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv@plt>
0x000055555555b678 <+44>: test %rax,%rax
0x000055555555b67b <+47>: je 0x55555555b68f <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+67>
0x000055555555b67d <+49>: mov -0x48(%rbp),%rax
0x000055555555b681 <+53>: mov %rax,%rdi
0x000055555555b684 <+56>: call 0x55555555acb0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv@plt>
0x000055555555b689 <+61>: cmp $0x7a,%rax
0x000055555555b68d <+65>: jbe 0x55555555b696 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+74>
0x000055555555b68f <+67>: mov $0x1,%eax
0x000055555555b694 <+72>: jmp 0x55555555b69b <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+79>
0x000055555555b696 <+74>: mov $0x0,%eax
0x000055555555b69b <+79>: test %al,%al
0x000055555555b69d <+81>: je 0x55555555b6a6 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+90>
0x000055555555b69f <+83>: mov $0x0,%ebx
0x000055555555b6a4 <+88>: jmp 0x55555555b6f5 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+169>
0x000055555555b6a6 <+90>: lea -0x40(%rbp),%rax
0x000055555555b6aa <+94>: mov $0x10,%edx
0x000055555555b6af <+99>: lea 0x32a9c(%rip),%rcx # 0x55555558e152
0x000055555555b6b6 <+106>: mov %rcx,%rsi
0x000055555555b6b9 <+109>: mov %rax,%rdi
0x000055555555b6bc <+112>: call 0x55555555f666 <_ZNSt7__cxx1111basic_regexIcNS_12regex_traitsIcEEEC2EPKcNSt15regex_constants18syntax_option_typeE>
0x000055555555b6c1 <+117>: lea -0x40(%rbp),%rcx
0x000055555555b6c5 <+121>: mov -0x48(%rbp),%rax
0x000055555555b6c9 <+125>: mov $0x0,%edx
0x000055555555b6ce <+130>: mov %rcx,%rsi
0x000055555555b6d1 <+133>: mov %rax,%rdi
0x000055555555b6d4 <+136>: call 0x55555555f737 <_ZSt11regex_matchISt11char_traitsIcESaIcEcNSt7__cxx1112regex_traitsIcEEEbRKNS3_12basic_stringIT1_T_T0_EERKNS3_11basic_regexIS7_T2_EENSt15regex_constants15match_flag_typeE>
--Type <RET> for more, q to quit, c to continue without paging--
0x000055555555b6d9 <+141>: test %al,%al
0x000055555555b6db <+143>: je 0x55555555b6e4 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+152>
0x000055555555b6dd <+145>: mov $0x1,%ebx
0x000055555555b6e2 <+150>: jmp 0x55555555b6e9 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+157>
0x000055555555b6e4 <+152>: mov $0x0,%ebx
0x000055555555b6e9 <+157>: lea -0x40(%rbp),%rax
0x000055555555b6ed <+161>: mov %rax,%rdi
0x000055555555b6f0 <+164>: call 0x55555555f704 <_ZNSt7__cxx1111basic_regexIcNS_12regex_traitsIcEEED2Ev>
0x000055555555b6f5 <+169>: mov %ebx,%eax
0x000055555555b6f7 <+171>: mov -0x18(%rbp),%rdx
0x000055555555b6fb <+175>: sub %fs:0x28,%rdx
0x000055555555b704 <+184>: je 0x55555555b73f <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+243>
0x000055555555b706 <+186>: jmp 0x55555555b73a <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+238>
0x000055555555b708 <+188>: endbr64
0x000055555555b70c <+192>: mov %rax,%rbx
0x000055555555b70f <+195>: lea -0x40(%rbp),%rax
0x000055555555b713 <+199>: mov %rax,%rdi
0x000055555555b716 <+202>: call 0x55555555f704 <_ZNSt7__cxx1111basic_regexIcNS_12regex_traitsIcEEED2Ev>
0x000055555555b71b <+207>: mov %rbx,%rax
0x000055555555b71e <+210>: mov -0x18(%rbp),%rdx
0x000055555555b722 <+214>: sub %fs:0x28,%rdx
0x000055555555b72b <+223>: je 0x55555555b732 <_Z17validate_usernameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+230>
0x000055555555b72d <+225>: call 0x55555555aa50 <__stack_chk_fail@plt>
0x000055555555b732 <+230>: mov %rax,%rdi
0x000055555555b735 <+233>: call 0x55555555ad50 <_Unwind_Resume@plt>
0x000055555555b73a <+238>: call 0x55555555aa50 <__stack_chk_fail@plt>
0x000055555555b73f <+243>: mov -0x8(%rbp),%rbx
0x000055555555b743 <+247>: leave
0x000055555555b744 <+248>: ret
End of assembler dump.
(gdb) break *0x000055555555b744
Breakpoint 2 at 0x55555555b744: file atm_final.cpp, line 105.
(gdb) continue
Continuing.
Breakpoint 2, 0x000055555555b744 in validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:105
105 }
(gdb) set $rax=0x1
(gdb) continue
Continuing.
Enter password (min 8 chars, must include uppercase, lowercase, number, special char, no spaces): YeahItworked!@#303WOW
Enter initial deposit amount (must be formatted as 0.00): 10.00
Server: Registration successful!
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 2
Enter username (allowed: [_-., digits, lowercase letters], 1-122 chars): @@@@@UnvalidUsername
Breakpoint 1, validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:90
90 {
(gdb) continue
Continuing.
Breakpoint 2, 0x000055555555b744 in validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:105
105 }
(gdb) set $rax=0x1
(gdb) continue
Continuing.
Breakpoint 1, validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:90
90 {
(gdb) continue
Continuing.
Breakpoint 2, 0x000055555555b744 in validate_username (username="@@@@@UnvalidUsername") at atm_final.cpp:105
105 }
(gdb) set $rax=0x1
(gdb) continue
Continuing.
Enter password: YeahItworked!@#303WOW
Server: Login successful! SessionID: YUTZJIGSNGLQSDIH
Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice: 2
Enter amount to deposit: 2
255- Invalid amount! Please enter a valid amount in the format: whole.fractional (e.g., 123.45) and within bounds (0.00, 4294967295.99].
Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice: 2
Enter amount to deposit: 2.00
Server: Deposited $2.00. New balance: $12.00
Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice:
@bichhawat, can you please mark this as a security bug? They have a functionality check for validation of the username, but I bypassed it, so shouldn't this be a security bug?
And same for #265
@bichhawat Sir, again, changing the values of registers generated by the code (and not during transmission or connection) should be considered as changing the code (implicitly), so should we still consider it a bug? Given that, if I can change the register values generated by the code, I can run the program with any desired output I want.
@Pratham-Sharda This is still on the client side, if I understand correctly, which breaks the functionality requirements. There are checks that can defeat this kind of attack, which need to be enforced.
@RuchitJagodara The reason that this is not a security bug is that the functionality for checking usernames is not correctly enforced. This requires simple checks, which could have addressed the issue. Moreover, this does not allow a rogue user to modify the database without the right credentials. Similarly, if you could access/modify someone else's data, that would be a security bug.
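As an added example (not the project's code), this is the kind of server-side re-check the maintainer refers to: the server applies the username rule from the prompt (1-122 chars, only `[_-., digits, lowercase letters]`) and the deposit rule from the error message (`whole.fractional`, within `(0.00, 4294967295.99]`) itself, so a client whose `validate_username` return value was patched in GDB still cannot register. The regex patterns and the `handle_register` handler are my assumptions.

```cpp
#include <regex>
#include <string>

// Username rule quoted in the ATM prompt: 1-122 chars, only lowercase
// letters, digits, '_', '-', '.'. The length bound matches the
// cmp $0x7a (122) seen in the client disassembly.
bool server_validate_username(const std::string& username) {
    if (username.empty() || username.length() > 122) return false;
    static const std::regex allowed("[a-z0-9_.-]+");  // assumed pattern
    return std::regex_match(username, allowed);
}

// Deposit rule quoted in the server error: "whole.fractional" with exactly
// two fractional digits, and a value in (0.00, 4294967295.99].
bool server_validate_amount(const std::string& amount) {
    static const std::regex fmt("[0-9]+\\.[0-9]{2}");  // assumed pattern
    if (!std::regex_match(amount, fmt)) return false;
    std::string::size_type dot = amount.find('.');
    std::string whole = amount.substr(0, dot);
    std::string frac = amount.substr(dot + 1);
    // Strip leading zeros so "0010.00" compares like "10.00".
    std::string::size_type first = whole.find_first_not_of('0');
    whole = (first == std::string::npos) ? "0" : whole.substr(first);
    if (whole.size() > 10) return false;  // cannot fit in 32 bits
    unsigned long long w = std::stoull(whole);
    if (w > 4294967295ULL) return false;
    return w > 0 || frac != "00";  // reject 0.00 (open lower bound)
}

struct RegisterResult { bool ok; std::string message; };

// Hypothetical server-side registration handler: the server never trusts
// the client's own validation result and repeats the checks here.
RegisterResult handle_register(const std::string& username,
                               const std::string& initial_deposit) {
    if (!server_validate_username(username))
        return {false, "Server: Invalid username, registration rejected."};
    if (!server_validate_amount(initial_deposit))
        return {false, "Server: Invalid initial deposit, registration rejected."};
    return {true, "Server: Registration successful!"};
}
```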
Here your valid_username function is vulnerable to a bit-exploitation attack, and below is the procedure that I used to do the attack; I think you can also recreate it using the same.
Here, as you can see, I gave empty input for the username, but it still worked and my registration was successful!