Location
In cmd.cpp, line 464.
Description
The function strcpy() uses an unchecked user-controlled variable curr_co->curr_args[0]:
https://github.com/prosticoco/CS412-GRASS/blob/feb75ce181ee8db93c5b21e2f43a1c53dca7be09/src/cmd.cpp#L468-L472
Exploit
The following describes a control-flow hijacking that calls the hijack_flow() method.
1) Obtain an information leak of the address of the hijack_flow() method (in the following, we suppose that the function lies at 0x56557ade).
2) Client-side, connect to the server with a user-controlled socket (e.g., with python) and send:
b"grep " + b"\xde\x7a\x55\x56"*(128//4) + b"\n"
3) The command should be accepted on the server side, and hijack_flow() is called.
Patch
This can be fixed by using the safer variant strncpy() with the size of the buffer as parameter.
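As an added illustration of the proposed patch (not code from the GRASS project), the copy below replaces the unchecked strcpy() with strncpy() bounded by the destination size. The buffer size ARG_BUF_SIZE and the function names are assumptions; the real cmd.cpp buffer size is not given in the report. Note that strncpy() does not write a terminator when the source fills the buffer, so the terminator is written explicitly and over-long arguments are reported to the caller instead of silently truncated.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed for illustration only: the real buffer size in cmd.cpp is not
 * stated on the page. */
#define ARG_BUF_SIZE 128

/* Hardened replacement for the unchecked strcpy(): copies at most
 * dst_size-1 bytes with strncpy() and then terminates explicitly, since
 * strncpy() leaves dst unterminated when src is at least dst_size long.
 * Returns false when the argument did not fit, so the caller can reject
 * it rather than continue with a truncated value. */
bool copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size;
}

/* Length-checked handling of the user-controlled grep argument
 * (hypothetical wrapper standing in for the curr_args[0] copy). */
bool set_grep_pattern(char pattern[ARG_BUF_SIZE], const char *user_arg)
{
    return copy_arg_checked(pattern, ARG_BUF_SIZE, user_arg);
}

int main(void)
{
    char pattern[ARG_BUF_SIZE];
    /* Constructed input: 128 bytes of 'A', one more than the buffer can hold. */
    char too_long[ARG_BUF_SIZE + 1];
    memset(too_long, 'A', ARG_BUF_SIZE);
    too_long[ARG_BUF_SIZE] = '\0';

    printf("short arg accepted: %d\n", set_grep_pattern(pattern, "needle"));
    printf("over-long arg accepted: %d\n", set_grep_pattern(pattern, too_long));
    printf("buffer terminated after rejection: %d\n",
           pattern[ARG_BUF_SIZE - 1] == '\0');
    return 0;
}
```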