What is vulnerable in this password-checking C code?

/*
 * pwv entry point (Ghidra decompilation).
 *
 * param_1/param_2 are argc/argv. Ghidra typed argv as a plain `char *`, but
 * the body reads it as an array of 8-byte pointers: *(undefined8 *)param_2 is
 * argv[0] and *(char **)(param_2 + 8) is argv[1], so the parameter is really
 * `char **` (the same thing as `char *argv[]`); the two spellings differ only
 * in how the decompiler chose to show it.
 *
 * Flow: require euid 0, parse the worker count (1..16), create the two named
 * message queues, fork a producer that pushes /etc/shadow entries onto the
 * hashes queue and a consumer tree (worker manager + result reporter), wait
 * for both, then unlink the queues.
 */
int main(int param_1,char *param_2) 
{
  __uid_t _Var1;
  uint uVar2;        /* worker count from argv[1] */
  uint uVar3;        /* mqd_t of "/pwv-hashes" */
  uint uVar4;        /* mqd_t of "/pwv-results" */
  __pid_t __pid;     /* producer child (FUN_00101824) */
  __pid_t __pid_00;  /* consumer child (FUN_0010172a) */
  
  if (param_1 != 2) {
    FUN_00100f72(*(undefined8 *)param_2);   /* usage(argv[0]); does not return */
  }
  _Var1 = geteuid();
  if (_Var1 != 0) {
    fwrite("this program must run as root\n",1,0x1e,stderr);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  /* atoi() cannot report errors; non-numeric input becomes 0 and is rejected
   * by the range check below (0x10 == 16). */
  uVar2 = atoi(*(char **)(param_2 + 8));
  if (((int)uVar2 < 1) || (0x10 < (int)uVar2)) {
    fwrite("error: number of workers must be between 1 and 16\n",1,0x32,stderr);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  /* Fixed, predictable queue names. See FUN_00100fab for the open flags and
   * the 0666 creation mode, which is the main point to review in this
   * program: both queues end up readable and writable by any local user. */
  uVar3 = FUN_00100fab("/pwv-hashes");
  uVar4 = FUN_00100fab("/pwv-results");
  signal(0xf,FUN_00100f25);   /* SIGTERM */
  signal(2,FUN_00100f25);     /* SIGINT; the handler is inherited by every child forked below */
  /* fork() failures (-1) are not checked; waitpid(-1, ...) below would then
   * wait for any child instead of the intended one. */
  __pid = fork();
  if (__pid == 0) {
    FUN_00101824((ulong)uVar3);   /* child: read shadow, send entries to the hashes queue */
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  __pid_00 = fork();
  if (__pid_00 == 0) {
    /* FUN_0010172a is listed with three parameters; the fourth argument here
     * (uVar3 passed twice) looks like a decompiler artifact. */
    FUN_0010172a((ulong)uVar2,(ulong)uVar3,(ulong)uVar4,(ulong)uVar3);
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  waitpid(__pid,(int *)0x0,0);
  waitpid(__pid_00,(int *)0x0,0);
  /* The queues are unlinked only on this normal path or from the signal
   * handler; a crash leaves them (and any unread messages) behind in the
   * kernel under the fixed names. */
  FUN_00100f0a("/pwv-hashes");
  FUN_00100f0a("/pwv-results");
  fwrite("Exiting.\n",1,9,stderr);
  return 0;
}

This is a password-checking application for the Linux shadow file. Is there any vulnerability in it? Ghidra also shows `char *param_2` instead of `char *param_2[]` — is there any difference? The application performs some very simple checks: whether a user's password is the same as their username, whether the password is the username followed by '1234' or '!@#$', and finally whether the password is a 4-digit number.

Below you will see some functions and what they contain.

    /* Create (O_CREAT|O_EXCL) and open a named POSIX message queue; exits on
 * failure. Ghidra shows the struct mq_attr at local_58 split into its fields:
 *   local_58  mq_flags    never written (mq_open documents it as ignored)
 *   local_50  mq_maxmsg   = 4
 *   local_48  mq_msgsize  = 0x421 = 1057, the length every mq_send /
 *                           mq_receive in this program uses
 * mq_open(name, 0xc2, 0x1b6, &attr):
 *   0xc2  == O_RDWR|O_CREAT|O_EXCL (0x2|0x40|0x80 on Linux x86-64): the call
 *           fails if a queue of that name already exists.
 *   0x1b6 == 0666 octal: the queue is created readable and writable by every
 *           local user. "/pwv-hashes" carries /etc/shadow entries and
 *           "/pwv-results" the credentials that were found, so this mode
 *           exposes both to any unprivileged process on the host; 0600
 *           (0x180) would restrict the queues to root.
 * Returns the descriptor widened to ulong; mq_open's -1 (0xffffffff as uint)
 * is treated as fatal.
 */
    ulong FUN_00100fab(char *param_1)
{
  uint uVar1;
  long in_FS_OFFSET;
  undefined local_58 [8];   /* mq_attr.mq_flags, uninitialized */
  undefined8 local_50;      /* mq_attr.mq_maxmsg */
  undefined8 local_48;      /* mq_attr.mq_msgsize */
  long local_10;            /* stack-protector canary (compiler generated) */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_50 = 4;
  local_48 = 0x421;
  uVar1 = mq_open(param_1,0xc2,0x1b6,local_58);
  if (uVar1 == 0xffffffff) {
    fwrite("error: could not create message queue!\n",1,0x27,stderr);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return (ulong)uVar1;
}

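 /*
  * Producer: walks the list built by FUN_00101044() and sends each node's
  * first 0x421 bytes (login-name field + password field) to the hashes
  * queue param_1, freeing nodes as it goes. The next-pointer of a node is
  * stored at offset 0x428.
  *
  * Changed from the decompiled original: a failed mq_send() is reported
  * with perror() instead of being silently dropped; the node is still
  * freed and the walk continues, so the overall best-effort behaviour is
  * unchanged. NOTE(review): every node holds a shadow hash and is freed
  * without being cleared; explicit_bzero() before free() would limit how
  * long the hashes linger in freed heap memory.
  */
 void FUN_00101824(mqd_t param_1)
 {
   char *next;
   char *node = (char *)FUN_00101044();

   while (node != (char *)0x0) {
     if (mq_send(param_1,node,0x421,0) == -1) {
       perror("producer: mq_send");   /* entry lost; keep draining the list */
     }
     next = *(char **)(node + 0x428);
     free(node);
     node = next;
   }
   return;
 }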




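/*
 * SIGTERM/SIGINT handler installed by main() and inherited by every forked
 * child: report, unlink both named queues, terminate with status 1.
 *
 * Changed from the decompiled original: fwrite() and exit() are not
 * async-signal-safe (stdio locking, atexit handlers), so the message now
 * goes out with write(2) and the process ends with _exit(2). mq_unlink() is
 * not on the POSIX async-signal-safe list either, to my knowledge; the fully
 * safe design would only set a flag here and unlink from the normal path.
 */
void FUN_00100f25(void)
{
  static const char msg[] = "caught signal, exiting!\n";

  (void)write(2,msg,sizeof msg - 1);   /* 2 == STDERR_FILENO */
  FUN_00100f0a("/pwv-hashes");
  FUN_00100f0a("/pwv-results");
  _exit(1);
}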

/* Remove the named POSIX message queue param_1. Called from the normal exit
 * path of main() and from the signal handler; the mq_unlink() result is
 * ignored, so a queue that is already gone is not an error here. */
void FUN_00100f0a(char *param_1)
{
  (void)mq_unlink(param_1);
}

/* Print the usage text to stderr, naming the program by param_1 (argv[0],
 * which Ghidra typed as undefined8), then exit with status 1. Never returns. */
void FUN_00100f72(undefined8 param_1)
{
  const char *prog = (const char *)param_1;

  fprintf(stderr,
          "usage: %s <num_workers>\nexample: \n%s 2 # starts two worker processes to analyzepasswords\n"
          ,prog,prog);
  exit(1);
}

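/*
 * Producer: walks the list built by FUN_00101044() and sends each node's
 * first 0x421 bytes (login-name field + password field) to the hashes
 * queue param_1, freeing nodes as it goes. The next-pointer of a node is
 * stored at offset 0x428.
 *
 * Changed from the decompiled original: a failed mq_send() is reported
 * with perror() instead of being silently dropped; the node is still
 * freed and the walk continues, so the overall best-effort behaviour is
 * unchanged. NOTE(review): every node holds a shadow hash and is freed
 * without being cleared; explicit_bzero() before free() would limit how
 * long the hashes linger in freed heap memory.
 */
void FUN_00101824(mqd_t param_1)
{
  char *next;
  char *node = (char *)FUN_00101044();

  while (node != (char *)0x0) {
    if (mq_send(param_1,node,0x421,0) == -1) {
      perror("producer: mq_send");   /* entry lost; keep draining the list */
    }
    next = *(char **)(node + 0x428);
    free(node);
    node = next;
  }
  return;
}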

/*
 * Read the shadow database into a singly-linked list and return its head
 * (NULL when nothing was collected).
 *
 * Node layout (0x430 bytes from malloc, freed by the consumer FUN_00101824):
 *   [0x000..0x020]  login name, at most 32 chars, NUL forced at 0x20
 *   [0x021..0x420]  password field, at most 1023 chars, NUL forced at 0x420
 *   [0x428]         pointer to the next node (NULL in the last one)
 * The first 0x421 bytes are exactly one queue message (mq_msgsize in
 * FUN_00100fab).
 *
 * ppcVar3 is really a `struct spwd *`: [0] is sp_namp (login name) and [1]
 * is sp_pwdp (password field). Entries whose password field is exactly "*",
 * exactly "!" or empty are skipped. The comparison is exact, so a locked but
 * still hashed field such as "!<hash>" is queued like any other.
 * strncpy() truncates longer names/hashes silently; the forced NULs keep
 * both fields terminated regardless.
 */
char * FUN_00101044(void)

{
  int iVar1;
  int *piVar2;
  char *__dest;       /* node being built / most recently appended node */
  char **ppcVar3;     /* struct spwd * returned by getspent() */
  char *local_28;     /* tail of the list (previous node) */
  char *local_20;     /* head of the list, the return value */
  
  local_28 = (char *)0x0;
  local_20 = (char *)0x0;
  /* Take the shadow-file lock (the message below says it waits up to 15 s).
   * errno 0xd == EACCES is reported as a permission problem. */
  iVar1 = lckpwdf();
  if (iVar1 != 0) {
    piVar2 = __errno_location();
    if (*piVar2 == 0xd) {
      fwrite("error: could not obtain shadow file lock. Are you root?\n",1,0x38,stderr);
    }
    else {
      fwrite("error: could not obtain shadow file lock for 15s. Exiting...\n",1,0x3d,stderr);
    }
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  setspent();
  __dest = local_28;
  do {
    /* inner loop: fetch the next entry, skipping "*", "!" and empty fields */
    do {
      local_28 = __dest;
      ppcVar3 = (char **)getspent();
      if (ppcVar3 == (char **)0x0) {
LAB_001011f6:
        /* End of database, or reached via goto on allocation failure:
         * release the lock and return what was collected so far (possibly
         * an incomplete list). */
        endspent();
        ulckpwdf();
        return local_20;
      }
      iVar1 = strcmp(ppcVar3[1],"*");
      __dest = local_28;
    } while (((iVar1 == 0) || (iVar1 = strcmp(ppcVar3[1],"!"), iVar1 == 0)) || (*ppcVar3[1] == '\0')
            );
    __dest = (char *)malloc(0x430);
    if (__dest == (char *)0x0) {
      fwrite(
             "error: could not allocate memory for hash entry, shadow file will not be processed infull!\n"
             ,1,0x5c,stderr);
      goto LAB_001011f6;
    }
    strncpy(__dest,*ppcVar3,0x21);            /* login name, up to 0x21 bytes */
    __dest[0x20] = '\0';                      /* terminate (strncpy does not guarantee it) */
    strncpy(__dest + 0x21,ppcVar3[1],0x400);  /* password field, up to 0x400 bytes */
    __dest[0x420] = '\0';
    *(undefined8 *)(__dest + 0x428) = 0;      /* next = NULL */
    if (local_20 == (char *)0x0) {
      local_20 = __dest;                      /* first node becomes the head */
    }
    if (local_28 != (char *)0x0) {
      *(char **)(local_28 + 0x428) = __dest;  /* append to the previous node */
    }
  } while( true );
}

New functions:

/*
 * Consumer side, run in the second child of main(): forks a result reporter
 * (FUN_00101206 on the results queue param_3) and a worker manager
 * (FUN_0010169f: param_1 workers reading param_2, writing param_3), waits
 * for the manager, then sends one message whose first byte is NUL on the
 * results queue so the reporter stops, and finally waits for the reporter.
 *
 * Listed with three parameters although main() passes four; the extra
 * argument is probably a decompiler artifact, as is the fourth argument
 * passed to FUN_0010169f below.
 *
 * NOTE(review): only local_438[0] is initialized before mq_send() copies
 * 0x421 bytes of it, so 1056 bytes of whatever was on the stack are placed
 * on the results queue, which FUN_00100fab creates with mode 0666. A
 * memset() of the buffer before the send would fix that.
 */
void FUN_0010172a(uint param_1,uint param_2,uint param_3)

{
  __pid_t __pid;          /* reporter child */
  __pid_t __pid_00;       /* worker-manager child */
  long in_FS_OFFSET;
  char local_438 [1064];  /* end-of-results message buffer */
  long local_10;          /* stack-protector canary (compiler generated) */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  __pid = fork();   /* fork() == -1 is not checked */
  if (__pid == 0) {
    FUN_00101206((ulong)param_3);
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  __pid_00 = fork();   /* fork() == -1 is not checked */
  if (__pid_00 == 0) {
    FUN_0010169f((ulong)param_1,(ulong)param_2,(ulong)param_3,(ulong)param_2);
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  waitpid(__pid_00,(int *)0x0,0);        /* all workers have finished */
  local_438[0] = '\0';                   /* empty name field == stop marker for FUN_00101206 */
  mq_send(param_3,local_438,0x421,0);    /* return value unchecked */
  waitpid(__pid,(int *)0x0,0);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

/*
 * Result reporter (its own process): blocks on the results queue param_1
 * and prints each message to stdout until one whose first byte is NUL
 * arrives (the stop marker sent by FUN_0010172a).
 *
 * Ghidra split the 1064-byte receive buffer into local_438 (33 bytes, the
 * name field at offset 0) and local_417 (offset 0x21, the second field).
 * What the workers store at offset 0x21 is decided by FUN_00101388 /
 * FUN_001014b8, which are not in this listing; from the message text it is
 * presumably the matching password -- verify against those functions.
 *
 * NOTE(review): nothing re-terminates the two fields after mq_receive();
 * the "%s" conversions rely on the sender having put NULs at offsets 0x20
 * and 0x420. Forcing a NUL at both offsets of the receive buffer after each
 * receive would make the fprintf safe regardless of who wrote to the queue
 * (it is created with mode 0666, see FUN_00100fab).
 */
void FUN_00101206(mqd_t param_1)

{
  ssize_t sVar1;
  long in_FS_OFFSET;
  char local_438 [33];        /* name field of the received message */
  undefined local_417 [1031]; /* second field, starts at offset 0x21 */
  long local_10;              /* stack-protector canary (compiler generated) */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  while( true ) {
    sVar1 = mq_receive(param_1,local_438,0x421,(uint *)0x0);
    if ((int)sVar1 == -1) {
      fwrite("error: could not dequeue message!\n",1,0x22,stderr);
                    /* WARNING: Subroutine does not return */
      exit(1);
    }
    if (local_438[0] == '\0') break;   /* stop marker */
    fprintf(stdout,"weak credentials {%s:%s} found\n",local_438,local_417);
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

/*
 * Worker manager: forks param_1 worker processes, each of which runs
 * FUN_00101563(param_2, param_3) -- hashes queue, results queue -- and
 * exits; the parent then waits for all of them.
 *
 * Listed with three parameters although the caller passes four, and the
 * call to FUN_00101563 (two parameters) below also passes one extra; both
 * look like decompiler artifacts. The return value (CONCAT44 of a waitpid()
 * result with an undefined upper half) is an artifact as well, and
 * FUN_0010172a does not use it.
 *
 * A failed fork() (-1) is not detected: it is counted as a started worker,
 * so the wait loop runs one waitpid(-1, ...) more than there are children
 * (that extra call simply returns an error).
 */
ulong FUN_0010169f(int param_1,uint param_2,uint param_3)

{
  __pid_t _Var1;
  ulong uVar2;
  undefined4 extraout_var;
  uint local_c;   /* number of workers forked so far */
  
  fwrite("Trying username patterns and 4-digit patterns, please stand by.\n",1,0x40,stderr);
  local_c = 0;
  while( true ) {
    uVar2 = (ulong)local_c;
    if (param_1 <= (int)local_c) {
      /* all workers started: reap them one by one */
      while (0 < (int)local_c) {
        _Var1 = waitpid(-1,(int *)0x0,0);
        uVar2 = CONCAT44(extraout_var,_Var1);
        local_c = local_c - 1;
      }
      return uVar2;
    }
    _Var1 = fork();
    if (_Var1 == 0) break;   /* child leaves the loop and becomes a worker */
    local_c = local_c + 1;
  }
  FUN_00101563((ulong)param_2,(ulong)param_3,(ulong)param_3);
                    /* WARNING: Subroutine does not return */
  exit(0);
}
/*
 * Worker loop (one per forked worker): pulls 0x421-byte hash entries from
 * param_1, runs the two check routines FUN_00101388 and FUN_001014b8 (not in
 * this listing) on each, and sends their output buffer local_438 to the
 * results queue param_2 whenever either returns non-zero.
 *
 * mq_timedreceive() takes an absolute deadline, here now + 1 s. errno 0x6e
 * (110) is ETIMEDOUT and is the normal way a worker ends: an empty queue for
 * one second is taken to mean the producer is done. Any other error is fatal.
 *
 * NOTE(review): that rule is a race. The producer may still be waiting for
 * the shadow-file lock (the lckpwdf() message in FUN_00101044 mentions 15 s)
 * or reading the database, in which case every worker exits before the
 * first entry is queued and nothing gets checked. An explicit end-of-input
 * message, as FUN_0010172a already uses for the reporter, would avoid that.
 * Whether the check routines fill and terminate all 0x421 bytes of
 * local_438 before it is sent cannot be seen from this listing.
 *
 * The goto chain from LAB_00101589 is equivalent to:
 *   while (receive succeeds) { if (check1() || check2()) send(result); }
 */
void FUN_00101563(mqd_t param_1,mqd_t param_2)

{
  int iVar1;
  time_t tVar2;
  ssize_t sVar3;
  int *piVar4;
  long in_FS_OFFSET;
  timespec local_878;       /* absolute receive deadline */
  char local_868 [1072];    /* received hash entry */
  char local_438 [1064];    /* result message filled by the check routines */
  long local_10;            /* stack-protector canary (compiler generated) */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
LAB_00101589:
  tVar2 = time((time_t *)0x0);
  local_878.tv_sec = tVar2 + 1;
  local_878.tv_nsec = 0;
  sVar3 = mq_timedreceive(param_1,local_868,0x421,(uint *)0x0,&local_878);
  if ((int)sVar3 == -1) {
    piVar4 = __errno_location();
    if (*piVar4 != 0x6e) {   /* anything but ETIMEDOUT is fatal */
      perror("worker: ");
      fwrite("error: could not dequeue message!\n",1,0x22,stderr);
                    /* WARNING: Subroutine does not return */
      exit(1);
    }
    /* timed out: treated as end of input, worker returns normally */
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
                    /* WARNING: Subroutine does not return */
      __stack_chk_fail();
    }
    return;
  }
  iVar1 = FUN_00101388(local_868,local_438,local_438);
  if (iVar1 == 0) goto code_r0x00101643;   /* first check missed: try the second */
  goto LAB_00101664;                       /* first check hit: report */
code_r0x00101643:
  iVar1 = FUN_001014b8(local_868,local_438,local_438);
  if (iVar1 != 0) {
LAB_00101664:
    mq_send(param_2,local_438,0x421,0);   /* return value unchecked */
  }
  goto LAB_00101589;
}
c
assembly
reverse-engineering
asked on Stack Overflow Jul 1, 2020 by Sylvi Iron • edited Jul 1, 2020 by Sylvi Iron


