Thread: Vulnerability in c functions

  1. #1
    Registered User
    Join Date
    Sep 2020
    Posts
    3

    Vulnerability in c functions

    I am quite new to C programming, having only really been introduced to it in the context of software vulnerabilities. I am taking part in a CTF challenge, and have the following C program running on linux. There are numerous inboxes, but I am only allowed to use user Alice, who is not privileged, to find the flag, which is found in someone elses inbox. I am thinking there is an issue with how the program reads and writes to files, but I cant quite find it. I am hoping someone on here might be able to find the vulnerability in the C code? The entire program can be found at c program - Pastebin.com
    Last edited by laserlight; 09-20-2020 at 04:00 AM.

  2. #2
    Registered User
    Join Date
    Sep 2020
    Posts
    15
    This is pretty cool. I didn't know an email server could be so simple. I guess I hadn't thought about it

    1. I'm no programmer, but right out of the gate I don't like that the salt is static (non-random) and the same for every user.
    2. It is possible that strtok can overrun the "line" buffer if the password file contains more than 512 characters. Is it guaranteed that this the only application writing to this file? if so, this won't occur because the passwords/usernames are limited to 20 characters and are terminated by a newline.

    If there's a vulnerability here, it has to be a buffer overflow. There's not much else going on. I'd say step through the cope from start to finish, analyzing each case carefully. Also reading the man pages for the functions used for will give you valuable insight.

  3. #3
    Registered User
    Join Date
    Dec 2017
    Posts
    1,127
    There doesn't seem to be any possible buffer overruns since all inputs use fgets calls and they are all properly limited. The strcats don't seem to be able to overflow either.


    Something strange is that the username is not validated, so it could contain a colon (':'), which would be problematic. I'm not sure how to leverage that, though (since the username is limited to 19 chars).


    What is the result of ls -l /ctf/message
    What is the result of cat /ctf/message/passwd
    What is the result of ls -l on the executable of this program?
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

  4. #4
    Registered User
    Join Date
    Sep 2020
    Posts
    3
    John here is the output, I am only user alice, with no sudo.
    The flag is either in admin, bruce, dave, eve, bob, the rest are accounts that I have made to try and get past it
    Last edited by Salem; 10-18-2020 at 02:23 AM. Reason: Delete picture, in case the images hashes are of real password.

  5. #5
    Registered User
    Join Date
    Dec 2017
    Posts
    1,127
    Thanks for the info. I took another look but still can't find the vulnerability. I'll probably take another look at it later today. Definitely let us know when you figure it out or are told. I wonder what it could be?
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

  6. #6
    Registered User
    Join Date
    Sep 2020
    Posts
    15
    From reading your posts, I get the impression that the ultimate goal is to gain access to this "flag" hidden in one of those accounts. If that's the case perhaps there is no vulnerability -in a traditional manner- in the code itself. But there are certainly weaknesses, weaknesses you can exploit to gain access to the accounts.

    1. You already have the salt.
    2. The encryption is DES which is very, very broken.
    3. Password length is at most 19 bytes. This isn't exactly a weakness as this is a decent length, but is useful information you can use.

    Knowing all of this you can mount a successful attack. Search the web for breaking DES encryption and you'll get plenty of leads. If this is the way to go, I'm sure the creators of this exercise used a short password, possibly even shared between accounts.

    By the way, where did you get this, was it at school or some hacking website? it'd be interesting to take a look.

    PS: (Read the man for crypt to see how the key is obtained)
    Last edited by Exosomes; 09-21-2020 at 11:56 AM. Reason: Mega derp. Don't know where I got sha256 from.

  7. #7
    Registered User
    Join Date
    Dec 2017
    Posts
    1,127
    @Exosomes, in glibc, if the "salt" starts with "$6$" then SHA-512 is used (and the salt is the letters from the second $ to the next $).
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Replies: 2
    Last Post: 08-08-2018, 03:20 AM
  2. Format String Vulnerability
    By wldrnryn in forum C Programming
    Replies: 1
    Last Post: 05-02-2012, 09:25 PM
  3. Comodo Firewall Vulnerability (Port 0)
    By Mario F. in forum Tech Board
    Replies: 0
    Last Post: 11-11-2009, 08:56 AM
  4. M$ JPG Vulnerability
    By Davros in forum A Brief History of Cprogramming.com
    Replies: 10
    Last Post: 09-27-2004, 01:40 AM
  5. What is 'buffer overrun vulnerability' in IIS?
    By Web admin in forum Windows Programming
    Replies: 1
    Last Post: 08-16-2001, 03:33 AM

Tags for this Thread