void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_listen_socket_82_goodG2B::action(char * password) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
static void goodG2B() { char * password; char passwordBuffer[100] = ""; password = passwordBuffer; goodG2BSource(password); { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source (which may be hardcoded) */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
/* good1() reverses the blocks on the goto statement */ static void good1() { goto sink; sink: { size_t passwordLen = 0; HANDLE hUser; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( USERNAME, domain, PASSWORD, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { /* FIX: do not expose username or password in comment */ /* User logged in successfully */ printLine("User logged in successfully with password" ); CloseHandle(hUser); } else { printLine("Unable to login."); } } }
CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_83_bad::~CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_83_bad() { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* POTENTIAL FLAW: Sensitive data possibly improperly locked */ free(password); } }
/* goodG2B uses the GoodSource with the BadSink */ void goodG2BSink(map<int, char *> dataMap) { char * data = dataMap[2]; { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
/* goodG2B uses the GoodSource with the BadSink */ void goodG2BSink(map<int, char *> passwordMap) { char * password = passwordMap[2]; { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
int pacifica_switch_process_user(char *user, char *pw, char *program) { DWORD len; HANDLE token; PROCESS_INFORMATION pi; STARTUPINFOA si; memset(&si, 0, sizeof(STARTUPINFO)); si.cb = sizeof(STARTUPINFO); si.lpDesktop = ""; //FIXME Still need to pull this out of storage somehow... int res = LogonUserA(user, ".", pw, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &token); if(res == 0) { return GetLastError(); } res = CreateProcessAsUserA(token, NULL, program, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); if(res == 0) { return GetLastError(); } res = WaitForSingleObject(pi.hProcess, INFINITE); if(res == 0) { return GetLastError(); } res = GetExitCodeProcess(pi.hProcess, &len); if(res == 0) { return GetLastError(); } return 0; }
void CWE615_Info_Exposure_by_Comment__w32_18_bad() { goto sink; sink: { size_t passwordLen = 0; HANDLE hUser; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( USERNAME, domain, PASSWORD, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { /* FLAW: expose username and password in comment*/ /* Logged in XXXXX Smith using password ABCD1234 */ printLine("User logged in successfully" ); CloseHandle(hUser); } else { printLine("Unable to login."); } } }
/* good1() uses if(GLOBAL_CONST_FALSE) instead of if(GLOBAL_CONST_TRUE) */ static void good1() { if(GLOBAL_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { char * password = (char *)malloc(100*sizeof(char)); if (password == NULL) {exit(-1);} size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FIX: Zeroize the password buffer before reallocating it */ SecureZeroMemory(password, 100 * sizeof(char)); password = realloc(password, 200 * sizeof(char)); if (password == NULL) {exit(-1);} /* Use the password buffer again */ strcpy(password, "Nothing to see here"); printLine(password); free(password); } } }
void CWE244_Heap_Inspection__w32_char_realloc_09_bad() { if(GLOBAL_CONST_TRUE) { { char * password = (char *)malloc(100*sizeof(char)); if (password == NULL) {exit(-1);} size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FLAW: reallocate password without clearing the password buffer * which could leave a copy of the password in memory */ password = realloc(password, 200 * sizeof(char)); if (password == NULL) {exit(-1);} /* Zeroize the password */ SecureZeroMemory(password, 200 * sizeof(char)); /* Use the password buffer again */ strcpy(password, "Nothing to see here"); printLine(password); free(password); } } }
/* good1() uses if(STATIC_CONST_FALSE) instead of if(STATIC_CONST_TRUE) */ static void good1() { if(STATIC_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { char password[100] = ""; size_t passwordLen = 0; HANDLE pHandle; char * username = "******"; char * domain = "Domain"; FILE * pFile = fopen("debug.txt", "a+"); if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* FIX: Do not write sensitive data to the log */ fprintf(pFile, "User attempted access\n"); if (pFile) { fclose(pFile); } } } }
/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */ static void good1() { if(globalReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { char * password = (char *)malloc(100*sizeof(char)); size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } passwordLen = strlen(password); /* FIX: Clear password prior to freeing */ SecureZeroMemory(password, passwordLen * sizeof(char)); free(password); } } }
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */ static void goodG2B1() { char * password; /* Initialize Data */ password = ""; if(globalReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { password = (char *)malloc(100*sizeof(char)); if (password == NULL) { printLine("Memory could not be allocated"); exit(1); } /* FIX: Use VirtualLock() to lock the buffer into memory */ if(!VirtualLock(password, 100*sizeof(char))) { printLine("Memory could not be locked"); exit(1); } /* INCIDENTAL FLAW: CWE-259 Hardcoded Password */ strcpy(password, "Password1234!"); } { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* POTENTIAL FLAW: Sensitive data possibly improperly locked */ free(password); } }
void CWE256_Plaintext_Storage_of_Password__w32_char_04_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(STATIC_CONST_TRUE) { { FILE *pFile; pFile = fopen("passwords.txt", "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read the password from a file */ if (fgets(data, 100, pFile) == NULL) { data[0] = '\0'; } fclose(pFile); } else { data[0] = '\0'; } } } if(STATIC_CONST_TRUE) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } }
void CWE535_Info_Exposure_Shell_Error__w32_char_15_bad() { switch(6) { case 6: { char password[100] = ""; size_t passwordLen = 0; HANDLE pHandle; char * username = "******"; char * domain = "Domain"; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* FLAW: Write sensitive data to stderr */ fprintf(stderr, "User attempted access with password: %s\n", password); } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } }
/* good2() reverses the bodies in the if statement */ static void good2() { if(GLOBAL_CONST_FIVE==5) { { char * password = (char *)malloc(100*sizeof(char)); if (password == NULL) {exit(-1);} size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } passwordLen = strlen(password); /* FIX: Clear password prior to freeing */ SecureZeroMemory(password, passwordLen * sizeof(char)); free(password); } } }
void CWE534_Info_Exposure_Debug_Log__w32_char_04_bad() { if(STATIC_CONST_TRUE) { { char password[100] = ""; size_t passwordLen = 0; HANDLE pHandle; char * username = "******"; char * domain = "Domain"; FILE * pFile = fopen("debug.txt", "a+"); if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* FLAW: Write sensitive data to the log */ fprintf(pFile, "User attempted access with password: %s\n", password); if (pFile) { fclose(pFile); } } } }
void CWE244_Heap_Inspection__w32_char_free_16_bad() { while(1) { { char * password = (char *)malloc(100*sizeof(char)); size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FLAW: free() password without clearing the password buffer */ free(password); } break; } }
void CWE226_Sensitive_Information_Uncleared_Before_Release__w32_char_alloca_04_bad() { if(STATIC_CONST_TRUE) { { char * password = (char *)ALLOCA(100*sizeof(char)); size_t passwordLen = 0; HANDLE hUser; char * username = "******"; char * domain = "Domain"; /* Initialize password */ password[0] = '\0'; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FLAW: Release password from the stack without first clearing the buffer */ } } }
/* good2() reverses the bodies in the if statement */ static void good2() { if(globalFive==5) { { char password[100] = ""; size_t passwordLen = 0; HANDLE pHandle; char * username = "******"; char * domain = "Domain"; if (fgets(password, 100, stdin) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ password[0] = '\0'; } /* Remove the carriage return from the string that is inserted by fgets() */ passwordLen = strlen(password); if (passwordLen > 0) { password[passwordLen-1] = '\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* FIX: Do not write sensitive data to stderr */ fprintf(stderr, "User attempted access\n"); } } }
/* goodG2B1() - use goodsource and badsink by changing the first staticTrue to staticFalse */ static void goodG2B1() { char * password; char passwordBuffer[100] = ""; password = passwordBuffer; if(staticFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Use a hardcoded password (it was not sent over the network) * INCIDENTAL FLAW: CWE-259 Hard Coded Password */ strcpy(password, "Password1234!"); } if(staticTrue) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } }
void CWE591_Sensitive_Data_Storage_in_Improperly_Locked_Memory__w32_char_11_bad() { char * password; /* Initialize Data */ password = ""; if(globalReturnsTrue()) { password = (char *)malloc(100*sizeof(char)); if (password == NULL) { printLine("Memory could not be allocated"); exit(1); } /* FLAW: Do not lock the memory */ /* INCIDENTAL FLAW: CWE-259 Hardcoded Password */ strcpy(password, "Password1234!"); } { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* POTENTIAL FLAW: Sensitive data possibly improperly locked */ free(password); } }
/* goodG2B() - use goodsource and badsink in the for statements */ static void goodG2B() { int h,j; char * password; char passwordBuffer[100] = ""; password = passwordBuffer; for(h = 0; h < 1; h++) { /* FIX: Use a hardcoded password (it was not sent over the network) * INCIDENTAL FLAW: CWE-259 Hard Coded Password */ strcpy(password, "Password1234!"); } for(j = 0; j < 1; j++) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } }
/* goodG2B uses the GoodSource with the BadSink */ void CWE256_Plaintext_Storage_of_Password__w32_char_53d_goodG2BSink(char * data) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_connect_socket_17_bad() { int i,j; char * password; char passwordBuffer[100] = ""; password = passwordBuffer; for(i = 0; i < 1; i++) { { WSADATA wsaData; int wsaDataInit = 0; int recvResult; struct sockaddr_in service; char *replace; SOCKET connectSocket = INVALID_SOCKET; size_t passwordLen = strlen(password); do { if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connectSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr(IP_ADDRESS); service.sin_port = htons(TCP_PORT); if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* POTENTIAL FLAW: Reading sensitive data from the network */ recvResult = recv(connectSocket, (char*)(password + passwordLen), (100 - passwordLen - 1) * sizeof(char), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ password[passwordLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(password, '\r'); if (replace) { *replace = '\0'; } replace = strchr(password, '\n'); if (replace) { *replace = '\0'; } } while (0); if (connectSocket != INVALID_SOCKET) { closesocket(connectSocket); } if (wsaDataInit) { WSACleanup(); } } } for(j = 0; j < 1; j++) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } }
void CWE223_Omission_of_Security_Relevant_Information__w32_10_bad() { if(globalTrue) { { WSADATA wsaData; BOOL wsaDataInit = FALSE; SOCKET listenSocket = INVALID_SOCKET; SOCKET acceptSocket = INVALID_SOCKET; struct sockaddr_in service; char username[USERNAME_SZ+1]; HANDLE pHandle; do { if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) { break; } wsaDataInit = TRUE; listenSocket = socket(PF_INET, SOCK_STREAM, 0); if (listenSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = INADDR_ANY; service.sin_port = htons(LISTEN_PORT); if (SOCKET_ERROR == bind(listenSocket, (struct sockaddr*)&service, sizeof(service))) { break; } if (SOCKET_ERROR == listen(listenSocket, LISTEN_BACKLOG)) { break; } acceptSocket = accept(listenSocket, NULL, NULL); if (acceptSocket == INVALID_SOCKET) { break; } if (sizeof(username)-sizeof(char) != recv(acceptSocket, username, sizeof(username)-sizeof(char), 0)) { break; } username[USERNAME_SZ] = '\0'; /* INCIDENTAL CWE 188 - reliance on data memory layout * recv and friends return "number of bytes" received * fwrite wants "the size of". ANSI/ISO allows the size of chars * to be anything (32 bits, 9 bits, etc.) so technically you * have to do conversion between these values */ /* FLAW: username is not logged */ fprintf(stderr, "Attempted login\n"); /* Establish the fact that the input is a username */ if (LogonUserA( username, DOMAIN, PASSWORD, /* INCIDENTAL CWE 259 - Hard-coded Password */ LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } while (0); if (acceptSocket != INVALID_SOCKET) { closesocket(acceptSocket); } if (listenSocket != INVALID_SOCKET) { closesocket(listenSocket); } if (wsaDataInit) { WSACleanup(); } } } }
/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */ static void goodB2G1() { char * data; char dataBuffer[100] = ""; data = dataBuffer; switch(6) { case 6: { FILE *pFile; pFile = fopen("passwords.txt", "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read the password from a file */ if (fgets(data, 100, pFile) == NULL) { data[0] = '\0'; } fclose(pFile); } else { data[0] = '\0'; } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } switch(8) { case 7: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; default: { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; char hashData[100] = HASH_INPUT; HCRYPTPROV hCryptProv = 0; HCRYPTHASH hHash = 0; HCRYPTKEY hKey = 0; do { BYTE payload[(100 - 1) * sizeof(char)]; /* same size as data except for NUL terminator */ DWORD payloadBytes; /* Hex-decode the input string into raw bytes */ payloadBytes = decodeHexChars(payload, sizeof(payload), data); /* Wipe the hex string, to prevent it from being given to LogonUserA if * any of the crypto calls fail. */ SecureZeroMemory(data, 100 * sizeof(char)); /* Aquire a Context */ if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0)) { break; } /* Create hash handle */ if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash)) { break; } /* Hash the input string */ if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0)) { break; } /* Derive an AES key from the hash */ if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey)) { break; } if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes)) { break; } /* Copy back into data and NUL-terminate */ memcpy(data, payload, payloadBytes); data[payloadBytes / sizeof(char)] = '\0'; } while (0); if (hKey) { CryptDestroyKey(hKey); } if (hHash) { CryptDestroyHash(hHash); } if (hCryptProv) { CryptReleaseContext(hCryptProv, 0); } /* FIX: Decrypt the password before using it for authentication */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } break; } }
void CWE256_Plaintext_Storage_of_Password__w32_char_15_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; switch(6) { case 6: { FILE *pFile; pFile = fopen("passwords.txt", "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read the password from a file */ if (fgets(data, 100, pFile) == NULL) { data[0] = '\0'; } fclose(pFile); } else { data[0] = '\0'; } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } switch(7) { case 7: { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } }
/* goodB2G uses the BadSource with the GoodSink */ void CWE256_Plaintext_Storage_of_Password__w32_char_53d_goodB2GSink(char * data) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; char hashData[100] = HASH_INPUT; HCRYPTPROV hCryptProv = 0; HCRYPTHASH hHash = 0; HCRYPTKEY hKey = 0; do { BYTE payload[(100 - 1) * sizeof(char)]; /* same size as data except for NUL terminator */ DWORD payloadBytes; /* Hex-decode the input string into raw bytes */ payloadBytes = decodeHexChars(payload, sizeof(payload), data); /* Wipe the hex string, to prevent it from being given to LogonUserA if * any of the crypto calls fail. */ SecureZeroMemory(data, 100 * sizeof(char)); /* Aquire a Context */ if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0)) { break; } /* Create hash handle */ if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash)) { break; } /* Hash the input string */ if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0)) { break; } /* Derive an AES key from the hash */ if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey)) { break; } if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes)) { break; } /* Copy back into data and NUL-terminate */ memcpy(data, payload, payloadBytes); data[payloadBytes / sizeof(char)] = '\0'; } while (0); if (hKey) { CryptDestroyKey(hKey); } if (hHash) { CryptDestroyHash(hHash); } if (hCryptProv) { CryptReleaseContext(hCryptProv, 0); } /* FIX: Decrypt the password before using it for authentication */ if (LogonUserA( username, domain, data, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
void CWE319_Cleartext_Tx_Sensitive_Info__w32_char_connect_socket_12_bad() { char * password; char passwordBuffer[100] = ""; password = passwordBuffer; if(globalReturnsTrueOrFalse()) { { WSADATA wsaData; int wsaDataInit = 0; int recvResult; struct sockaddr_in service; char *replace; SOCKET connectSocket = INVALID_SOCKET; size_t passwordLen = strlen(password); do { if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connectSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr(IP_ADDRESS); service.sin_port = htons(TCP_PORT); if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* POTENTIAL FLAW: Reading sensitive data from the network */ recvResult = recv(connectSocket, (char*)(password + passwordLen), (100 - passwordLen - 1) * sizeof(char), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ password[passwordLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(password, '\r'); if (replace) { *replace = '\0'; } replace = strchr(password, '\n'); if (replace) { *replace = '\0'; } } while (0); if (connectSocket != INVALID_SOCKET) { closesocket(connectSocket); } if (wsaDataInit) { WSACleanup(); } } } else { /* FIX: Use a hardcoded password (it was not sent over the network) * INCIDENTAL FLAW: CWE-259 Hard Coded Password */ strcpy(password, "Password1234!"); } if(globalReturnsTrueOrFalse()) { { HANDLE pHandle; char * username = "******"; char * domain = "Domain"; /* Use the password in LogonUser() to establish that it is "sensitive" */ /* POTENTIAL FLAW: Using sensitive information that was possibly sent in plaintext over the network */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } else { { HCRYPTPROV hCryptProv = 0; HCRYPTHASH hHash = 0; HCRYPTKEY hKey = 0; char hashData[100] = HASH_INPUT; HANDLE pHandle; char * username = "******"; char * domain = "Domain"; do { BYTE payload[(100 - 1) * sizeof(char)]; /* same size as password except for NUL terminator */ DWORD payloadBytes; /* Hex-decode the input string into raw bytes */ payloadBytes = decodeHexChars(payload, sizeof(payload), password); /* Wipe the hex string, to prevent it from being given to LogonUserA if * any of the crypto calls fail. */ SecureZeroMemory(password, 100 * sizeof(char)); /* Aquire a Context */ if(!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0)) { break; } /* Create hash handle */ if(!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash)) { break; } /* Hash the input string */ if(!CryptHashData(hHash, (BYTE*)hashData, strlen(hashData), 0)) { break; } /* Derive an AES key from the hash */ if(!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey)) { break; } /* FIX: Decrypt the password */ if(!CryptDecrypt(hKey, 0, 1, 0, payload, &payloadBytes)) { break; } /* Copy back into password and NUL-terminate */ memcpy(password, payload, payloadBytes); password[payloadBytes / sizeof(char)] = '\0'; } while (0); if (hKey) { CryptDestroyKey(hKey); } if (hHash) { CryptDestroyHash(hHash); } if (hCryptProv) { CryptReleaseContext(hCryptProv, 0); } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserA( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } } }