xavierpantet / my_ass_on_your_grass

Software Security (CS-412) project at EPFL. Vulnerable GRep AS a Service.

Command injection / backdoor found in ping command #7

Closed yannvon closed 5 years ago

yannvon commented 5 years ago

Where

https://github.com/xavierpantet/my_ass_on_your_grass/blob/5ebeb6c98d689621444de3275847f134462da9b7/src/commands/Commands.cpp#L399-L412

What

Command injection

At first sight the input arguments seem to be parsed correctly, and an arbitrary command injection does not seem possible. However, when looking at the cmd_ping() method on line 388 of the Commands.cpp file, one can see that on line 400 the hostname is compared to a hard-coded char array. After looking up ASCII tables, one realizes that this string is actually "pong".

Indeed, if the command received by the server was "ping pong", a system call, system("/usr/bin/xcalc"), opens a calculator.

Exploit

To open a calculator one can run a server and client and type the following input on the client:

ping pong

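The pattern reported above, a hard-coded char array that decodes to "pong" sitting next to a system() call, is something a review script can surface automatically. The following is an added example, not code from this repository: SAMPLE_CPP is a constructed snippet resembling the reported pattern, and cmd_ping/run_ping here are hypothetical names.

```python
import re
from typing import Optional

# Constructed sample resembling the reported backdoor (not the project's real source).
SAMPLE_CPP = """
int cmd_ping(const std::string& host) {
    const char magic[] = {112, 111, 110, 103, 0};
    if (host == magic) {
        system("/usr/bin/xcalc");
    }
    return run_ping(host);
}
"""

# Brace-initialised list of integer literals (decimal or hex), e.g. {112, 111, 0}.
ARRAY_RE = re.compile(r"\{\s*((?:0x[0-9a-fA-F]+|\d+)\s*(?:,\s*(?:0x[0-9a-fA-F]+|\d+)\s*)*)\}")
# Calls worth flagging when they appear near a decoded string constant.
DANGEROUS = ("system(", "popen(", "execl", "execv")


def decode_char_array(body: str) -> Optional[str]:
    """Return the ASCII string hidden in an integer initializer, or None."""
    values = [int(v, 0) for v in re.split(r"\s*,\s*", body.strip())]
    if values and values[-1] == 0:  # drop a C string terminator
        values = values[:-1]
    if not values or any(not 32 <= v < 127 for v in values):
        return None  # not printable ASCII, probably a genuine numeric array
    return "".join(chr(v) for v in values)


def find_hidden_strings(source: str, window: int = 5) -> list:
    """Report decoded char arrays and whether a dangerous call follows within `window` lines."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines, 1):
        for m in ARRAY_RE.finditer(line):
            decoded = decode_char_array(m.group(1))
            if decoded is None:
                continue
            nearby = "\n".join(lines[idx - 1: idx + window])
            findings.append({
                "line": idx,
                "decoded": decoded,
                "near_dangerous_call": any(d in nearby for d in DANGEROUS),
            })
    return findings


if __name__ == "__main__":
    for f in find_hidden_strings(SAMPLE_CPP):
        print(f)  # {'line': 3, 'decoded': 'pong', 'near_dangerous_call': True}
```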
xavierpantet commented 5 years ago

Hello, thank you for your report. I'm closing this issue because it is a duplicate of #1.