IITGN-CS431 / project-cns


[Security BUG] Able to register with empty password - Group 1 #264

Closed RuchitJagodara closed 1 week ago

RuchitJagodara commented 1 week ago

Here, as you can see below, I used nothing (i.e. an empty password), but I was still able to register with an empty password, which means your password validation is vulnerable to a bit exploitation attack.

Below, as you can see, I registered successfully with the username tryingtoregister, an empty password field and 10.00 as the initial account balance; the process I followed can be recreated using the following example.

Let me know if you have any queries about recreating the same!

ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-1/build$ gdb atm
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from atm...
(gdb) break validate_password
Breakpoint 1 at 0x79f9: file atm_final.cpp, line 200.
(gdb) run
Starting program: /home/ruchitjagodara/Education/CNS/project-cns/project-submissions/group-1/build/requirements/atm 

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Server: VERIFIED
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 1
Enter username (allowed: [_-., digits, lowercase letters], 1-122 chars): tryingtoregister
Enter password (min 8 chars, must include uppercase, lowercase, number, special char, no spaces):      

Breakpoint 1, validate_password (password="") at atm_final.cpp:200
200 {
(gdb) disassemble validate_password
Dump of assembler code for function _Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE:
   0x000055555555b9e9 <+0>: endbr64
   0x000055555555b9ed <+4>: push   %rbp
   0x000055555555b9ee <+5>: mov    %rsp,%rbp
   0x000055555555b9f1 <+8>: sub    $0x40,%rsp
   0x000055555555b9f5 <+12>:    mov    %rdi,-0x38(%rbp)
=> 0x000055555555b9f9 <+16>:    mov    %fs:0x28,%rax
   0x000055555555ba02 <+25>:    mov    %rax,-0x8(%rbp)
   0x000055555555ba06 <+29>:    xor    %eax,%eax
   0x000055555555ba08 <+31>:    mov    -0x38(%rbp),%rax
   0x000055555555ba0c <+35>:    mov    %rax,%rdi
   0x000055555555ba0f <+38>:    call   0x55555555acb0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv@plt>
   0x000055555555ba14 <+43>:    cmp    $0x7,%rax
   0x000055555555ba18 <+47>:    setbe  %al
   0x000055555555ba1b <+50>:    test   %al,%al
   0x000055555555ba1d <+52>:    je     0x55555555ba29 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+64>
   0x000055555555ba1f <+54>:    mov    $0x0,%eax
   0x000055555555ba24 <+59>:    jmp    0x55555555bb12 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+297>
   0x000055555555ba29 <+64>:    movb   $0x0,-0x25(%rbp)
   0x000055555555ba2d <+68>:    movb   $0x0,-0x24(%rbp)
   0x000055555555ba31 <+72>:    movb   $0x0,-0x23(%rbp)
   0x000055555555ba35 <+76>:    movb   $0x0,-0x22(%rbp)
   0x000055555555ba39 <+80>:    mov    -0x38(%rbp),%rax
   0x000055555555ba3d <+84>:    mov    %rax,-0x10(%rbp)
   0x000055555555ba41 <+88>:    mov    -0x10(%rbp),%rax
   0x000055555555ba45 <+92>:    mov    %rax,%rdi
   0x000055555555ba48 <+95>:    call   0x55555555a9c0 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5beginEv@plt>
   0x000055555555ba4d <+100>:   mov    %rax,-0x20(%rbp)
   0x000055555555ba51 <+104>:   mov    -0x10(%rbp),%rax
   0x000055555555ba55 <+108>:   mov    %rax,%rdi
   0x000055555555ba58 <+111>:   call   0x55555555b000 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE3endEv@plt>
   0x000055555555ba5d <+116>:   mov    %rax,-0x18(%rbp)
   0x000055555555ba61 <+120>:   jmp    0x55555555bad2 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+233>
   0x000055555555ba63 <+122>:   lea    -0x20(%rbp),%rax
   0x000055555555ba67 <+126>:   mov    %rax,%rdi
   0x000055555555ba6a <+129>:   call   0x55555555f7ea <_ZNK9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEdeEv>
   0x000055555555ba6f <+134>:   movzbl (%rax),%eax
   0x000055555555ba72 <+137>:   mov    %al,-0x21(%rbp)
   0x000055555555ba75 <+140>:   movsbl -0x21(%rbp),%eax
   0x000055555555ba79 <+144>:   mov    %eax,%edi
--Type <RET> for more, q to quit, c to continue without paging--
   0x000055555555ba7b <+146>:   call   0x55555555aee0 <isupper@plt>
   0x000055555555ba80 <+151>:   test   %eax,%eax
   0x000055555555ba82 <+153>:   je     0x55555555ba88 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+159>
   0x000055555555ba84 <+155>:   movb   $0x1,-0x25(%rbp)
   0x000055555555ba88 <+159>:   movsbl -0x21(%rbp),%eax
   0x000055555555ba8c <+163>:   mov    %eax,%edi
   0x000055555555ba8e <+165>:   call   0x55555555adc0 <islower@plt>
   0x000055555555ba93 <+170>:   test   %eax,%eax
   0x000055555555ba95 <+172>:   je     0x55555555ba9b <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+178>
   0x000055555555ba97 <+174>:   movb   $0x1,-0x24(%rbp)
   0x000055555555ba9b <+178>:   movsbl -0x21(%rbp),%eax
   0x000055555555ba9f <+182>:   sub    $0x30,%eax
   0x000055555555baa2 <+185>:   cmp    $0x9,%eax
   0x000055555555baa5 <+188>:   setbe  %al
   0x000055555555baa8 <+191>:   movzbl %al,%eax
   0x000055555555baab <+194>:   test   %eax,%eax
   0x000055555555baad <+196>:   je     0x55555555bab3 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+202>
   0x000055555555baaf <+198>:   movb   $0x1,-0x23(%rbp)
   0x000055555555bab3 <+202>:   movsbl -0x21(%rbp),%eax
   0x000055555555bab7 <+206>:   mov    %eax,%edi
   0x000055555555bab9 <+208>:   call   0x55555555ab80 <isalnum@plt>
   0x000055555555babe <+213>:   test   %eax,%eax
   0x000055555555bac0 <+215>:   jne    0x55555555bac6 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+221>
   0x000055555555bac2 <+217>:   movb   $0x1,-0x22(%rbp)
   0x000055555555bac6 <+221>:   lea    -0x20(%rbp),%rax
   0x000055555555baca <+225>:   mov    %rax,%rdi
   0x000055555555bacd <+228>:   call   0x55555555f7c6 <_ZN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEppEv>
   0x000055555555bad2 <+233>:   lea    -0x18(%rbp),%rdx
   0x000055555555bad6 <+237>:   lea    -0x20(%rbp),%rax
   0x000055555555bada <+241>:   mov    %rdx,%rsi
   0x000055555555badd <+244>:   mov    %rax,%rdi
   0x000055555555bae0 <+247>:   call   0x55555555f787 <_ZN9__gnu_cxxneIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEEbRKNS_17__normal_iteratorIT_T0_EESE_>
   0x000055555555bae5 <+252>:   test   %al,%al
   0x000055555555bae7 <+254>:   jne    0x55555555ba63 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+122>
   0x000055555555baed <+260>:   cmpb   $0x0,-0x25(%rbp)
   0x000055555555baf1 <+264>:   je     0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
   0x000055555555baf3 <+266>:   cmpb   $0x0,-0x24(%rbp)
   0x000055555555baf7 <+270>:   je     0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
   0x000055555555baf9 <+272>:   cmpb   $0x0,-0x23(%rbp)
--Type <RET> for more, q to quit, c to continue without paging--
   0x000055555555bafd <+276>:   je     0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
   0x000055555555baff <+278>:   cmpb   $0x0,-0x22(%rbp)
   0x000055555555bb03 <+282>:   je     0x55555555bb0c <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+291>
   0x000055555555bb05 <+284>:   mov    $0x1,%eax
   0x000055555555bb0a <+289>:   jmp    0x55555555bb11 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+296>
   0x000055555555bb0c <+291>:   mov    $0x0,%eax
   0x000055555555bb11 <+296>:   nop
   0x000055555555bb12 <+297>:   mov    -0x8(%rbp),%rdx
   0x000055555555bb16 <+301>:   sub    %fs:0x28,%rdx
   0x000055555555bb1f <+310>:   je     0x55555555bb26 <_Z17validate_passwordRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+317>
   0x000055555555bb21 <+312>:   call   0x55555555aa50 <__stack_chk_fail@plt>
   0x000055555555bb26 <+317>:   leave
   0x000055555555bb27 <+318>:   ret
End of assembler dump.
(gdb) break *0x000055555555bb27
Breakpoint 2 at 0x55555555bb27: file atm_final.cpp, line 216.
(gdb) continue 
Continuing.

Breakpoint 2, 0x000055555555bb27 in validate_password (password="") at atm_final.cpp:216
216 }
(gdb) i r
rax            0x0                 0
rbx            0x20                32
rcx            0x7ffff711ba61      140737338522209
rdx            0x0                 0
rsi            0x20                32
rdi            0x7fffffffc0a0      140737488339104
rbp            0x7fffffffda80      0x7fffffffda80
rsp            0x7fffffffbf68      0x7fffffffbf68
r8             0x5555555a6010      93824992567312
r9             0x7                 7
r10            0x555555637890      93824993163408
r11            0x246               582
r12            0x1                 1
r13            0x0                 0
r14            0x5555555a45d8      93824992560600
r15            0x7ffff7ffd000      140737354125312
rip            0x55555555bb27      0x55555555bb27 <validate_password(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+318>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x7ffff7ddcb80      140737351895936
gs_base        0x0                 0
(gdb) set $rax=0x1
(gdb) continue 
Continuing.
Enter initial deposit amount (must be formatted as 0.00): 10.00
Server: Registration successful!
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 
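The disassembly above encodes the whole client-side policy (length must exceed 7, then one flag each for an uppercase letter, a lowercase letter, a digit and a non-alphanumeric character) and hands its verdict back in eax, which is exactly the value `set $rax=0x1` overrides at the `ret`. Because the check runs inside the ATM binary, anyone with a debugger on the client can flip it, so the server has to re-run the same policy on the password it actually receives. The block below is an added example, not code from the group-1 submission: it reconstructs validate_password from the posted disassembly and puts it next to a constructed registration handler in both the trusting and the re-validating form. The RegisterRequest struct, its client_verdict field and the two register_* handlers are assumptions for illustration; the real wire format is not shown on the page.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// validate_password as reconstructed from the disassembly posted above
// (length compared against 7, then four flags set while walking the string).
// The original passes a sign-extended char to isupper/islower/isalnum, which
// is undefined for bytes >= 0x80; the unsigned-char cast here avoids that.
bool validate_password(const std::string& password) {
    if (password.length() <= 7) {          // cmp $0x7,%rax ; setbe -> return 0
        return false;
    }
    bool has_upper = false, has_lower = false, has_digit = false, has_special = false;
    for (char c : password) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (std::isupper(uc)) has_upper = true;      // isupper@plt
        if (std::islower(uc)) has_lower = true;      // islower@plt
        if (c >= '0' && c <= '9') has_digit = true;  // sub $0x30 ; cmp $0x9 ; setbe
        if (!std::isalnum(uc)) has_special = true;   // isalnum@plt, jne skips the store
    }
    // No whitespace test appears in the disassembly, so a space satisfies the
    // "special char" flag even though the prompt says "no spaces".
    return has_upper && has_lower && has_digit && has_special;
}

// Constructed registration message (assumption: the page does not show the
// real protocol). client_verdict stands for whatever the client reports after
// its local validate_password call; it is the bit the debugger flipped.
struct RegisterRequest {
    std::string username;
    std::string password;
    bool client_verdict;
};

// Trusting the client's verdict reproduces the bug: a patched client gets an
// account with an empty password. Illustrative handler, not the project's code.
bool register_trusting_client(const RegisterRequest& req,
                              std::vector<std::string>& accounts) {
    if (!req.client_verdict) return false;
    accounts.push_back(req.username);
    return true;
}

// Hardened handler: the server re-runs the policy on the password it received
// and ignores anything the client claims about it.
bool register_revalidating(const RegisterRequest& req,
                           std::vector<std::string>& accounts) {
    if (!validate_password(req.password)) return false;
    accounts.push_back(req.username);
    return true;
}

int main() {
    std::vector<std::string> trusting, hardened;
    // Constructed request mirroring the issue: empty password, verdict forced to true.
    RegisterRequest patched{"tryingtoregister", "", true};
    std::printf("trusting server accepted empty password: %s\n",
                register_trusting_client(patched, trusting) ? "yes" : "no");
    std::printf("revalidating server accepted empty password: %s\n",
                register_revalidating(patched, hardened) ? "yes" : "no");
    return 0;
}
```

The length test is `<= 7`, matching `cmp $0x7 ; setbe`, so an eight-character password is the minimum accepted; the same function run on the server turns the debugger trick into a no-op, since the forged return value never leaves the client process.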
bichhawat commented 1 week ago

Clubbed this with bug #262