void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_listen_socket_82_goodG2B::action(char * password)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
static void goodG2B()
{
char * password;
char passwordBuffer[100] = "";
password = passwordBuffer;
goodG2BSource(password);
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* POTENTIAL FLAW: Attempt to login user with password from the source (which may be hardcoded) */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
/* good1() reverses the blocks on the goto statement */
static void good1()
{
goto sink;
sink:
{
size_t passwordLen = 0;
HANDLE hUser;
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
USERNAME,
domain,
PASSWORD,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
/* FIX: do not expose username or password in comment */
/* User logged in successfully */
printLine("User logged in successfully with password" );
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
}
}
CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_83_bad::~CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_83_bad()
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* POTENTIAL FLAW: Sensitive data possibly improperly locked */
free(password);
}
}
/* goodG2B uses the GoodSource with the BadSink */
void goodG2BSink(map<int, char *> dataMap)
{
char * data = dataMap[2];
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* POTENTIAL FLAW: Attempt to login user with password from the source */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
/* goodG2B uses the GoodSource with the BadSink */
void goodG2BSink(map<int, char *> passwordMap)
{
char * password = passwordMap[2];
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
int pacifica_switch_process_user(char *user, char *pw, char *program)
{
DWORD len;
HANDLE token;
PROCESS_INFORMATION pi;
STARTUPINFOA si;
memset(&si, 0, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = "";
//FIXME Still need to pull this out of storage somehow...
int res = LogonUserA(user, ".", pw, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &token);
if(res == 0)
{
return GetLastError();
}
res = CreateProcessAsUserA(token, NULL, program, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
if(res == 0)
{
return GetLastError();
}
res = WaitForSingleObject(pi.hProcess, INFINITE);
if(res == 0)
{
return GetLastError();
}
res = GetExitCodeProcess(pi.hProcess, &len);
if(res == 0)
{
return GetLastError();
}
return 0;
}
void CWE615_Info_Exposure_by_Comment__w32_18_bad()
{
goto sink;
sink:
{
size_t passwordLen = 0;
HANDLE hUser;
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
USERNAME,
domain,
PASSWORD,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
/* FLAW: expose username and password in comment*/
/* Logged in XXXXX Smith using password ABCD1234 */
printLine("User logged in successfully" );
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
}
}
/* good1() uses if(GLOBAL_CONST_FALSE) instead of if(GLOBAL_CONST_TRUE) */
static void good1()
{
if(GLOBAL_CONST_FALSE)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
{
char * password = (char *)malloc(100*sizeof(char));
if (password == NULL) {exit(-1);}
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
/* FIX: Zeroize the password buffer before reallocating it */
SecureZeroMemory(password, 100 * sizeof(char));
password = realloc(password, 200 * sizeof(char));
if (password == NULL) {exit(-1);}
/* Use the password buffer again */
strcpy(password, "Nothing to see here");
printLine(password);
free(password);
}
}
}
void CWE244_Heap_Inspection__w32_char_realloc_09_bad()
{
if(GLOBAL_CONST_TRUE)
{
{
char * password = (char *)malloc(100*sizeof(char));
if (password == NULL) {exit(-1);}
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
/* FLAW: reallocate password without clearing the password buffer
* which could leave a copy of the password in memory */
password = realloc(password, 200 * sizeof(char));
if (password == NULL) {exit(-1);}
/* Zeroize the password */
SecureZeroMemory(password, 200 * sizeof(char));
/* Use the password buffer again */
strcpy(password, "Nothing to see here");
printLine(password);
free(password);
}
}
}
/* good1() uses if(STATIC_CONST_FALSE) instead of if(STATIC_CONST_TRUE) */
static void good1()
{
if(STATIC_CONST_FALSE)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
{
char password[100] = "";
size_t passwordLen = 0;
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
FILE * pFile = fopen("debug.txt", "a+");
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* FIX: Do not write sensitive data to the log */
fprintf(pFile, "User attempted access\n");
if (pFile)
{
fclose(pFile);
}
}
}
}
/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */
static void good1()
{
if(globalReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
{
char * password = (char *)malloc(100*sizeof(char));
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
passwordLen = strlen(password);
/* FIX: Clear password prior to freeing */
SecureZeroMemory(password, passwordLen * sizeof(char));
free(password);
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
static void goodG2B1()
{
char * password;
/* Initialize Data */
password = "";
if(globalReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
password = (char *)malloc(100*sizeof(char));
if (password == NULL)
{
printLine("Memory could not be allocated");
exit(1);
}
/* FIX: Use VirtualLock() to lock the buffer into memory */
if(!VirtualLock(password, 100*sizeof(char)))
{
printLine("Memory could not be locked");
exit(1);
}
/* INCIDENTAL FLAW: CWE-259 Hardcoded Password */
strcpy(password, "Password1234!");
}
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* POTENTIAL FLAW: Sensitive data possibly improperly locked */
free(password);
}
}
void CWE256_Plaintext_Storage_of_Password__w32_char_04_bad()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
if(STATIC_CONST_TRUE)
{
{
FILE *pFile;
pFile = fopen("passwords.txt", "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read the password from a file */
if (fgets(data, 100, pFile) == NULL)
{
data[0] = '\0';
}
fclose(pFile);
}
else
{
data[0] = '\0';
}
}
}
if(STATIC_CONST_TRUE)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* POTENTIAL FLAW: Attempt to login user with password from the source */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
}
void CWE535_Info_Exposure_Shell_Error__w32_char_15_bad()
{
switch(6)
{
case 6:
{
char password[100] = "";
size_t passwordLen = 0;
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* FLAW: Write sensitive data to stderr */
fprintf(stderr, "User attempted access with password: %s\n", password);
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
}
/* good2() reverses the bodies in the if statement */
static void good2()
{
if(GLOBAL_CONST_FIVE==5)
{
{
char * password = (char *)malloc(100*sizeof(char));
if (password == NULL) {exit(-1);}
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
passwordLen = strlen(password);
/* FIX: Clear password prior to freeing */
SecureZeroMemory(password, passwordLen * sizeof(char));
free(password);
}
}
}
void CWE534_Info_Exposure_Debug_Log__w32_char_04_bad()
{
if(STATIC_CONST_TRUE)
{
{
char password[100] = "";
size_t passwordLen = 0;
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
FILE * pFile = fopen("debug.txt", "a+");
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* FLAW: Write sensitive data to the log */
fprintf(pFile, "User attempted access with password: %s\n", password);
if (pFile)
{
fclose(pFile);
}
}
}
}
void CWE244_Heap_Inspection__w32_char_free_16_bad()
{
while(1)
{
{
char * password = (char *)malloc(100*sizeof(char));
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
/* FLAW: free() password without clearing the password buffer */
free(password);
}
break;
}
}
void CWE226_Sensitive_Information_Uncleared_Before_Release__w32_char_alloca_04_bad()
{
if(STATIC_CONST_TRUE)
{
{
char * password = (char *)ALLOCA(100*sizeof(char));
size_t passwordLen = 0;
HANDLE hUser;
char * username = "******";
char * domain = "Domain";
/* Initialize password */
password[0] = '\0';
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser) != 0)
{
printLine("User logged in successfully.");
CloseHandle(hUser);
}
else
{
printLine("Unable to login.");
}
/* FLAW: Release password from the stack without first clearing the buffer */
}
}
}
/* good2() reverses the bodies in the if statement */
static void good2()
{
if(globalFive==5)
{
{
char password[100] = "";
size_t passwordLen = 0;
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* FIX: Do not write sensitive data to stderr */
fprintf(stderr, "User attempted access\n");
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the first staticTrue to staticFalse */
static void goodG2B1()
{
char * password;
char passwordBuffer[100] = "";
password = passwordBuffer;
if(staticFalse)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Use a hardcoded password (it was not sent over the network)
* INCIDENTAL FLAW: CWE-259 Hard Coded Password */
strcpy(password, "Password1234!");
}
if(staticTrue)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
}
void CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_11_bad()
{
char * password;
/* Initialize Data */
password = "";
if(globalReturnsTrue())
{
password = (char *)malloc(100*sizeof(char));
if (password == NULL)
{
printLine("Memory could not be allocated");
exit(1);
}
/* FLAW: Do not lock the memory */
/* INCIDENTAL FLAW: CWE-259 Hardcoded Password */
strcpy(password, "Password1234!");
}
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* POTENTIAL FLAW: Sensitive data possibly improperly locked */
free(password);
}
}
/* goodG2B() - use goodsource and badsink in the for statements */
static void goodG2B()
{
int h,j;
char * password;
char passwordBuffer[100] = "";
password = passwordBuffer;
for(h = 0; h < 1; h++)
{
/* FIX: Use a hardcoded password (it was not sent over the network)
* INCIDENTAL FLAW: CWE-259 Hard Coded Password */
strcpy(password, "Password1234!");
}
for(j = 0; j < 1; j++)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
}
/* goodG2B uses the GoodSource with the BadSink */
void CWE256_Plaintext_Storage_of_Password__w32_char_53d_goodG2BSink(char * data)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* POTENTIAL FLAW: Attempt to login user with password from the source */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_connect_socket_17_bad()
{
int i,j;
char * password;
char passwordBuffer[100] = "";
password = passwordBuffer;
for(i = 0; i < 1; i++)
{
{
WSADATA wsaData;
int wsaDataInit = 0;
int recvResult;
struct sockaddr_in service;
char *replace;
SOCKET connectSocket = INVALID_SOCKET;
size_t passwordLen = strlen(password);
do
{
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connectSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
service.sin_port = htons(TCP_PORT);
if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed, make sure to recv one
* less char than is in the recv_buf in order to append a terminator */
/* POTENTIAL FLAW: Reading sensitive data from the network */
recvResult = recv(connectSocket, (char*)(password + passwordLen), (100 - passwordLen - 1) * sizeof(char), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
password[passwordLen + recvResult / sizeof(char)] = '\0';
/* Eliminate CRLF */
replace = strchr(password, '\r');
if (replace)
{
*replace = '\0';
}
replace = strchr(password, '\n');
if (replace)
{
*replace = '\0';
}
}
while (0);
if (connectSocket != INVALID_SOCKET)
{
closesocket(connectSocket);
}
if (wsaDataInit)
{
WSACleanup();
}
}
}
for(j = 0; j < 1; j++)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
}
void CWE223_Omission_of_Security_Relevant_Information__w32_10_bad()
{
if(globalTrue)
{
{
WSADATA wsaData;
BOOL wsaDataInit = FALSE;
SOCKET listenSocket = INVALID_SOCKET;
SOCKET acceptSocket = INVALID_SOCKET;
struct sockaddr_in service;
char username[USERNAME_SZ+1];
HANDLE pHandle;
do
{
if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData))
{
break;
}
wsaDataInit = TRUE;
listenSocket = socket(PF_INET, SOCK_STREAM, 0);
if (listenSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = INADDR_ANY;
service.sin_port = htons(LISTEN_PORT);
if (SOCKET_ERROR == bind(listenSocket, (struct sockaddr*)&service, sizeof(service)))
{
break;
}
if (SOCKET_ERROR == listen(listenSocket, LISTEN_BACKLOG))
{
break;
}
acceptSocket = accept(listenSocket, NULL, NULL);
if (acceptSocket == INVALID_SOCKET)
{
break;
}
if (sizeof(username)-sizeof(char) != recv(acceptSocket, username, sizeof(username)-sizeof(char), 0))
{
break;
}
username[USERNAME_SZ] = '\0';
/* INCIDENTAL CWE 188 - reliance on data memory layout
* recv and friends return "number of bytes" received
* fwrite wants "the size of". ANSI/ISO allows the size of chars
* to be anything (32 bits, 9 bits, etc.) so technically you
* have to do conversion between these values
*/
/* FLAW: username is not logged */
fprintf(stderr, "Attempted login\n");
/* Establish the fact that the input is a username */
if (LogonUserA(
username,
DOMAIN,
PASSWORD, /* INCIDENTAL CWE 259 - Hard-coded Password */
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
while (0);
if (acceptSocket != INVALID_SOCKET)
{
closesocket(acceptSocket);
}
if (listenSocket != INVALID_SOCKET)
{
closesocket(listenSocket);
}
if (wsaDataInit)
{
WSACleanup();
}
}
}
}
/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
static void goodB2G1()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
switch(6)
{
case 6:
{
FILE *pFile;
pFile = fopen("passwords.txt", "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read the password from a file */
if (fgets(data, 100, pFile) == NULL)
{
data[0] = '\0';
}
fclose(pFile);
}
else
{
data[0] = '\0';
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
switch(8)
{
case 7:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
default:
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
char hashData[100] = HASH_INPUT;
HCRYPTPROV hCryptProv = 0;
HCRYPTHASH hHash = 0;
HCRYPTKEY hKey = 0;
do
{
BYTE payload[(100 - 1) * sizeof(char)]; /* same size as data except for NUL terminator */
DWORD payloadBytes;
/* Hex-decode the input string into raw bytes */
payloadBytes = decodeHexChars(payload, sizeof(payload), data);
/* Wipe the hex string, to prevent it from being given to LogonUserA if
* any of the crypto calls fail. */
SecureZeroMemory(data, 100 * sizeof(char));
/* Aquire a Context */
if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0))
{
break;
}
/* Create hash handle */
if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash))
{
break;
}
/* Hash the input string */
if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0))
{
break;
}
/* Derive an AES key from the hash */
if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey))
{
break;
}
if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes))
{
break;
}
/* Copy back into data and NUL-terminate */
memcpy(data, payload, payloadBytes);
data[payloadBytes / sizeof(char)] = '\0';
}
while (0);
if (hKey)
{
CryptDestroyKey(hKey);
}
if (hHash)
{
CryptDestroyHash(hHash);
}
if (hCryptProv)
{
CryptReleaseContext(hCryptProv, 0);
}
/* FIX: Decrypt the password before using it for authentication */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
break;
}
}
void CWE256_Plaintext_Storage_of_Password__w32_char_15_bad()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
switch(6)
{
case 6:
{
FILE *pFile;
pFile = fopen("passwords.txt", "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read the password from a file */
if (fgets(data, 100, pFile) == NULL)
{
data[0] = '\0';
}
fclose(pFile);
}
else
{
data[0] = '\0';
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
switch(7)
{
case 7:
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* POTENTIAL FLAW: Attempt to login user with password from the source */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
}
/* goodB2G uses the BadSource with the GoodSink */
void CWE256_Plaintext_Storage_of_Password__w32_char_53d_goodB2GSink(char * data)
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
char hashData[100] = HASH_INPUT;
HCRYPTPROV hCryptProv = 0;
HCRYPTHASH hHash = 0;
HCRYPTKEY hKey = 0;
do
{
BYTE payload[(100 - 1) * sizeof(char)]; /* same size as data except for NUL terminator */
DWORD payloadBytes;
/* Hex-decode the input string into raw bytes */
payloadBytes = decodeHexChars(payload, sizeof(payload), data);
/* Wipe the hex string, to prevent it from being given to LogonUserA if
* any of the crypto calls fail. */
SecureZeroMemory(data, 100 * sizeof(char));
/* Aquire a Context */
if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0))
{
break;
}
/* Create hash handle */
if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash))
{
break;
}
/* Hash the input string */
if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0))
{
break;
}
/* Derive an AES key from the hash */
if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey))
{
break;
}
if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes))
{
break;
}
/* Copy back into data and NUL-terminate */
memcpy(data, payload, payloadBytes);
data[payloadBytes / sizeof(char)] = '\0';
}
while (0);
if (hKey)
{
CryptDestroyKey(hKey);
}
if (hHash)
{
CryptDestroyHash(hHash);
}
if (hCryptProv)
{
CryptReleaseContext(hCryptProv, 0);
}
/* FIX: Decrypt the password before using it for authentication */
if (LogonUserA(
username,
domain,
data,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_connect_socket_12_bad()
{
char * password;
char passwordBuffer[100] = "";
password = passwordBuffer;
if(globalReturnsTrueOrFalse())
{
{
WSADATA wsaData;
int wsaDataInit = 0;
int recvResult;
struct sockaddr_in service;
char *replace;
SOCKET connectSocket = INVALID_SOCKET;
size_t passwordLen = strlen(password);
do
{
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connectSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
service.sin_port = htons(TCP_PORT);
if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed, make sure to recv one
* less char than is in the recv_buf in order to append a terminator */
/* POTENTIAL FLAW: Reading sensitive data from the network */
recvResult = recv(connectSocket, (char*)(password + passwordLen), (100 - passwordLen - 1) * sizeof(char), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
password[passwordLen + recvResult / sizeof(char)] = '\0';
/* Eliminate CRLF */
replace = strchr(password, '\r');
if (replace)
{
*replace = '\0';
}
replace = strchr(password, '\n');
if (replace)
{
*replace = '\0';
}
}
while (0);
if (connectSocket != INVALID_SOCKET)
{
closesocket(connectSocket);
}
if (wsaDataInit)
{
WSACleanup();
}
}
}
else
{
/* FIX: Use a hardcoded password (it was not sent over the network)
* INCIDENTAL FLAW: CWE-259 Hard Coded Password */
strcpy(password, "Password1234!");
}
if(globalReturnsTrueOrFalse())
{
{
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
/* Use the password in LogonUser() to establish that it is "sensitive" */
/* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
else
{
{
HCRYPTPROV hCryptProv = 0;
HCRYPTHASH hHash = 0;
HCRYPTKEY hKey = 0;
char hashData[100] = HASH_INPUT;
HANDLE pHandle;
char * username = "******";
char * domain = "Domain";
do
{
BYTE payload[(100 - 1) * sizeof(char)]; /* same size as password except for NUL terminator */
DWORD payloadBytes;
/* Hex-decode the input string into raw bytes */
payloadBytes = decodeHexChars(payload, sizeof(payload), password);
/* Wipe the hex string, to prevent it from being given to LogonUserA if
* any of the crypto calls fail. */
SecureZeroMemory(password, 100 * sizeof(char));
/* Aquire a Context */
if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0))
{
break;
}
/* Create hash handle */
if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash))
{
break;
}
/* Hash the input string */
if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0))
{
break;
}
/* Derive an AES key from the hash */
if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey))
{
break;
}
/* FIX: Decrypt the password */
if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes))
{
break;
}
/* Copy back into password and NUL-terminate */
memcpy(password, payload, payloadBytes);
password[payloadBytes / sizeof(char)] = '\0';
}
while (0);
if (hKey)
{
CryptDestroyKey(hKey);
}
if (hHash)
{
CryptDestroyHash(hHash);
}
if (hCryptProv)
{
CryptReleaseContext(hCryptProv, 0);
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
}
}
}
