IITGN-CS431 / project-cns


[BUG] Validation of account name is vulnerable to BIT EXPLOITATION - Group 9 #265

Closed RuchitJagodara closed 1 week ago

RuchitJagodara commented 1 week ago

Here, as you can see from the procedure below, I used @@@@ as my account name and, through a bit exploitation attack, I was able to create an account with this name.

Below is the process I followed, which might help you recreate the issue.

ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-9/build$ gdb atm
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from atm...
(gdb) set args= -a @@@@ -c my_account.card -n 1000
Argument must be preceded by space.
(gdb) set args=-a @@@@ -c my_account.card -n 1000
Argument must be preceded by space.
(gdb) set args -a @@@@ -c my_account.card -n 1000
(gdb) break isValidAccountName
Breakpoint 1 at 0xb46e: file atm.cpp, line 386.
(gdb) run
Starting program: /home/ruchitjagodara/Education/CNS/project-cns/project-submissions/group-9/build/atm -a @@@@ -c my_account.card -n 1000

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Downloading separate debug info for /lib/x86_64-linux-gnu/libjsoncpp.so.25
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, isValidAccountName (account="@@@@") at atm.cpp:386
warning: Source file is more recent than executable.
386     return std::regex_match(account, ACCOUNT_PATTERN);
(gdb) disassemble isValidAccountName
Dump of assembler code for function _Z18isValidAccountNameRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE:
   0x000055555555f45e <+0>: endbr64
   0x000055555555f462 <+4>: push   %rbp
   0x000055555555f463 <+5>: mov    %rsp,%rbp
   0x000055555555f466 <+8>: sub    $0x10,%rsp
   0x000055555555f46a <+12>:    mov    %rdi,-0x8(%rbp)
=> 0x000055555555f46e <+16>:    mov    -0x8(%rbp),%rax
   0x000055555555f472 <+20>:    mov    $0x0,%edx
   0x000055555555f477 <+25>:    lea    0x4a402(%rip),%rcx        # 0x5555555a9880 <_ZL15ACCOUNT_PATTERN>
   0x000055555555f47e <+32>:    mov    %rcx,%rsi
   0x000055555555f481 <+35>:    mov    %rax,%rdi
   0x000055555555f484 <+38>:    call   0x555555561cbe <_ZSt11regex_matchISt11char_traitsIcESaIcEcNSt7__cxx1112regex_traitsIcEEEbRKNS3_12basic_stringIT1_T_T0_EERKNS3_11basic_regexIS7_T2_EENSt15regex_constants15match_flag_typeE>
   0x000055555555f489 <+43>:    leave
   0x000055555555f48a <+44>:    ret
End of assembler dump.
(gdb) break *0x000055555555f48a
Breakpoint 2 at 0x55555555f48a: file atm.cpp, line 388.
(gdb) continue 
Continuing.

Breakpoint 2, 0x000055555555f48a in isValidAccountName (account="@@@@") at atm.cpp:388
388 }
(gdb) i r
rax            0x0                 0
rbx            0x7fffffffdb78      140737488345976
rcx            0x2                 2
rdx            0x0                 0
rsi            0x5555555ced00      93824992734464
rdi            0x7fffffffd2d0      140737488343760
rbp            0x7fffffffda50      0x7fffffffda50
rsp            0x7fffffffd378      0x7fffffffd378
r8             0x5555555aa010      93824992583696
r9             0x7                 7
r10            0x5555555ced10      93824992734480
r11            0xb57c523516f09768  -5369326267760863384
r12            0x0                 0
r13            0x0                 0
r14            0x5555555a8458      93824992576600
r15            0x7ffff7ffd000      140737354125312
rip            0x55555555f48a      0x55555555f48a <isValidAccountName(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+44>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x7ffff7da62c0      140737351672512
gs_base        0x0                 0
(gdb) set $rax=0x1
(gdb) i r
rax            0x1                 1
rbx            0x7fffffffdb78      140737488345976
rcx            0x2                 2
rdx            0x0                 0
rsi            0x5555555ced00      93824992734464
rdi            0x7fffffffd2d0      140737488343760
rbp            0x7fffffffda50      0x7fffffffda50
rsp            0x7fffffffd378      0x7fffffffd378
r8             0x5555555aa010      93824992583696
r9             0x7                 7
r10            0x5555555ced10      93824992734480
r11            0xb57c523516f09768  -5369326267760863384
r12            0x0                 0
r13            0x0                 0
r14            0x5555555a8458      93824992576600
r15            0x7ffff7ffd000      140737354125312
rip            0x55555555f48a      0x55555555f48a <isValidAccountName(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+44>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x7ffff7da62c0      140737351672512
gs_base        0x0                 0
(gdb) continue
Continuing.
Enter a 4 to 6 digit PIN: 3132
message: Account created successfully.
status: success
Card file created successfully: my_account.card
[Inferior 1 (process 14880) exited normally]
(gdb) continue 
The program is not being run.
(gdb) 
RuchitJagodara commented 1 week ago

And below is the response from the bank side.

ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-9/build$ ./bank -s bank.auth
created
Waiting for connections...
Account @@@@ created successfully with initial balance: 1000
Waiting for connections...
exit
^C
ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-9/build$ 
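The bank output above shows the server accepting a name that the ATM's own `isValidAccountName` would have rejected, because the only check ran in the client process, where a debugger could overwrite its return value. As an added example (not group 9's code), here is how the bank process would re-run the check itself and ignore anything the client claims; the regex is an assumption, since the page does not show the group's `ACCOUNT_PATTERN`.

```cpp
// Added example, not group 9's code: the bank process re-validates the
// account name itself instead of trusting the ATM client's check.
#include <iostream>
#include <map>
#include <regex>
#include <string>

// Assumed pattern (the page does not show the group's ACCOUNT_PATTERN):
// lowercase letters, digits, '_', '.', '-', 1 to 122 characters.
static const std::regex kAccountPattern("[_.a-z0-9-]{1,122}");

bool isValidAccountName(const std::string& account) {
    return std::regex_match(account, kAccountPattern);
}

// What the ATM sends over the wire. 'clientSaidValid' stands in for any
// client-side validation result; a debugger can set it to anything.
struct CreateRequest {
    std::string account;
    long balance;
    bool clientSaidValid;
};

struct Bank {
    std::map<std::string, long> balances;

    // Returns the status message the bank would send back to the ATM.
    std::string handleCreate(const CreateRequest& req) {
        // Trust boundary: re-run the check here and ignore req.clientSaidValid.
        if (!isValidAccountName(req.account))
            return "error: invalid account name";
        if (req.balance < 0)
            return "error: negative initial balance";
        if (balances.count(req.account))
            return "error: account already exists";
        balances[req.account] = req.balance;
        return "success";
    }
};

int main() {
    Bank bank;
    // Constructed requests: the first mimics the tampered ATM from the issue.
    CreateRequest forged{"@@@@", 1000, true};
    CreateRequest good{"my_account", 1000, true};
    std::cout << "@@@@ -> " << bank.handleCreate(forged) << "\n";
    std::cout << "my_account -> " << bank.handleCreate(good) << "\n";
    return 0;
}
```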
bichhawat commented 1 week ago

This is not a security bug but a functionality bug, as these were feature requirements.

RuchitJagodara commented 1 week ago

@bichhawat Sir, they have a functionality which validates the account name in their code; however, I bypassed it using a bit exploitation attack. So shouldn't this be classified as a security bug?

bichhawat commented 1 week ago

Again, the functionality is broken here. If you can violate the confidentiality or integrity of any of the other entries, that would be a security bug.

ushasree-3 commented 1 week ago

PR: #278