Vulnerability in c functions

**zaccameron** · 09-20-2020

I am quite new to C programming, having only really been introduced to it in the context of software vulnerabilities. I am taking part in a CTF challenge, and have the following C program running on linux. There are numerous inboxes, but I am only allowed to use user Alice, who is not privileged, to find the flag, which is found in someone elses inbox. I am thinking there is an issue with how the program reads and writes to files, but I cant quite find it. I am hoping someone on here might be able to find the vulnerability in the C code? The entire program can be found at c program - Pastebin.com

**Exosomes** · 09-20-2020

This is pretty cool. I didn't know an email server could be so simple. I guess I hadn't thought about it

1. I'm no programmer, but right out of the gate I don't like that the salt is static (non-random) and the same for every user.
2. It is possible that strtok can overrun the "line" buffer if the password file contains more than 512 characters. Is it guaranteed that this the only application writing to this file? if so, this won't occur because the passwords/usernames are limited to 20 characters and are terminated by a newline.

If there's a vulnerability here, it has to be a buffer overflow. There's not much else going on. I'd say step through the cope from start to finish, analyzing each case carefully. Also reading the man pages for the functions used for will give you valuable insight.

**john.c** · 09-20-2020

There doesn't seem to be any possible buffer overruns since all inputs use fgets calls and they are all properly limited. The strcats don't seem to be able to overflow either.

Something strange is that the username is not validated, so it could contain a colon (':'), which would be problematic. I'm not sure how to leverage that, though (since the username is limited to 19 chars).

What is the result of ls -l /ctf/message
What is the result of cat /ctf/message/passwd
What is the result of ls -l on the executable of this program?

**zaccameron** · 09-20-2020

John here is the output, I am only user alice, with no sudo.
The flag is either in admin, bruce, dave, eve, bob, the rest are accounts that I have made to try and get past it

**john.c** · 09-21-2020

Thanks for the info. I took another look but still can't find the vulnerability. I'll probably take another look at it later today. Definitely let us know when you figure it out or are told. I wonder what it could be?

**Exosomes** · 09-21-2020

From reading your posts, I get the impression that the ultimate goal is to gain access to this "flag" hidden in one of those accounts. If that's the case perhaps there is no vulnerability -in a traditional manner- in the code itself. But there are certainly weaknesses, weaknesses you can exploit to gain access to the accounts.

1. You already have the salt.
2. The encryption is DES which is very, very broken.
3. Password length is at most 19 bytes. This isn't exactly a weakness as this is a decent length, but is useful information you can use.

Knowing all of this you can mount a successful attack. Search the web for breaking DES encryption and you'll get plenty of leads. If this is the way to go, I'm sure the creators of this exercise used a short password, possibly even shared between accounts.

By the way, where did you get this, was it at school or some hacking website? it'd be interesting to take a look.

PS: (Read the man for crypt to see how the key is obtained)

**john.c** · 09-21-2020

@Exosomes, in glibc, if the "salt" starts with "$6$" then SHA-512 is used (and the salt is the letters from the second $ to the next $).

Thread: Vulnerability in c functions

Thread Tools

Search Thread

Display

Vulnerability in c functions

Similar Threads

More than 1 potential vulnerability per 4000 lines of code in Android

Format String Vulnerability

Comodo Firewall Vulnerability (Port 0)

M$ JPG Vulnerability

What is 'buffer overrun vulnerability' in IIS?

Tags for this Thread