prosticoco / CS412-GRASS

CS412 -- Software Security : GRASS -- Grep as a Service

Buffer overflow in function cmd_grep #1

Open AymericGenet opened 5 years ago

AymericGenet commented 5 years ago

Location

In cmd.cpp, line 464.

Description

The function strcpy() uses an unchecked user-controlled variable curr_co->curr_args[0]:

https://github.com/prosticoco/CS412-GRASS/blob/feb75ce181ee8db93c5b21e2f43a1c53dca7be09/src/cmd.cpp#L468-L472

Exploit

The following describes a control-flow hijacking that calls the hijack_flow() method.

1) Obtain an information leak of the hijack_flow() method (in the following, we suppose that the function lies at 0x56557ade).

2) Client-side, connect to the server with a user-controlled socket (e.g., with python) and send:

b"grep " + b"\xde\x7a\x55\x56"*(128//4) + b"\n"

3) The method should be accepted on the server-side.

Patch

This can be fixed by using the safer variant strncpy() with the size of the buffer as a parameter.
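Added example, not taken from the issue or from the GRASS code base: the shape of the reported strcpy() bug next to the strncpy() fix proposed above, plus a variant that also rejects over-long arguments and keeps the copy NUL-terminated, which strncpy() alone does not guarantee. The 128-byte buffer size and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Destination size assumed for this example (hypothetical): the report's
// payload is 32 * 4 = 128 bytes, so a 128-byte buffer is a plausible target.
constexpr size_t ARG_BUF_SIZE = 128;

// Shape of the reported bug (a reconstruction, not the project's cmd.cpp):
// strcpy() copies until the source's NUL, so any argument of ARG_BUF_SIZE
// bytes or more writes past dst. Never called here, because a long argument
// would make it undefined behaviour; it is shown for comparison only.
void copy_arg_unchecked(char dst[ARG_BUF_SIZE], const char *src) {
    strcpy(dst, src);
}

// The fix proposed in the issue: strncpy() bounded by the buffer size.
// Caveat: when the source is ARG_BUF_SIZE bytes or longer, strncpy() writes
// no terminating NUL, so a later strlen() on dst reads past the buffer.
// Returns whether dst ended up NUL-terminated.
bool copy_arg_strncpy(char dst[ARG_BUF_SIZE], const char *src) {
    strncpy(dst, src, ARG_BUF_SIZE);
    return memchr(dst, '\0', ARG_BUF_SIZE) != nullptr;
}

// Hardened variant: look for the terminator within the first ARG_BUF_SIZE
// bytes only, reject arguments that do not fit with their NUL, and always
// leave dst a valid string. Returns false when the argument was rejected.
bool copy_arg_checked(char dst[ARG_BUF_SIZE], const char *src) {
    const void *nul = memchr(src, '\0', ARG_BUF_SIZE);
    if (nul == nullptr) {      // no NUL in range: len >= ARG_BUF_SIZE
        dst[0] = '\0';
        return false;
    }
    size_t len = static_cast<const char *>(nul) - src;
    memcpy(dst, src, len + 1);  // len + 1 copies the terminating NUL too
    return true;
}

// Drivers for the checks: a constructed argument of n 'A' bytes stands in
// for the over-long grep argument in the report.
bool checked_accepts(size_t n) {
    char buf[ARG_BUF_SIZE];
    return copy_arg_checked(buf, std::string(n, 'A').c_str());
}
bool strncpy_terminates(size_t n) {
    char buf[ARG_BUF_SIZE];
    return copy_arg_strncpy(buf, std::string(n, 'A').c_str());
}
```

With a 128-byte argument, exactly the length of the payload in the report, strncpy() fills the whole buffer and leaves no terminator, while the checked variant rejects it and leaves an empty string behind.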

Rudra92 commented 5 years ago

This is a correct bug with a valid exploit.