The function system() provided by the standard C library (libc) takes a string argument that is passed as a command string to a shell command language interpreter such as sh (or bash). The use of this function is generally considered dangerous because the shell is a complex application that applies many implicit transformation rules to that string. In addition, its behavior is controlled by several environment variables. In order to make a safe call to system(), the input has to be rigorously sanitized and the environment has to be sane. Even then, problems in the program(s) invoked by the shell through system() can be abused to compromise the calling application (e.g., remember the parameter injection stuff that you heard in the lecture?).
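For contrast with the system() pattern described above, here is an added example (it is not one of the assignment's programs and not course-provided code) of how a privileged program can run an external tool without a shell: the argument is allow-listed, argv is passed as an array so nothing is re-parsed, the child gets a fixed minimal environment instead of the caller's, and the set-group-id privilege is dropped before exec. The tool (/usr/bin/wc), the allow-list and the function names are choices made for this example.

```c
/* Added example (not one of the assignment's prog[1-4]): running an external
 * tool from a privileged program without system().  Instead of handing a
 * concatenated string to /bin/sh, it (1) allow-lists the argument,
 * (2) passes argv as an array so no shell parsing happens, (3) gives the
 * child a fixed, minimal environment, and (4) drops the set-group-id
 * privilege before exec so the child never runs with the elevated gid. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: non-empty, at most 255 chars, only [A-Za-z0-9._-], not starting
 * with '-' (the child would parse it as an option), and not "." or "..". */
int is_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    size_t n = strlen(s);
    if (n > 255)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    return 1;
}

/* Fixed environment for the child: nothing is inherited from the caller, so a
 * user-supplied PATH, IFS, LD_PRELOAD, etc. cannot influence the tool. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Runs "/usr/bin/wc -c -- <name>" (tool chosen for illustration) with no shell.
 * Returns the child's exit status, or -1 on rejected input or a local error. */
int count_bytes_in(const char *name)
{
    if (!is_safe_arg(name)) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop the setgid privilege: the real gid becomes the effective gid. */
        if (setgid(getgid()) != 0)
            _exit(126);
        char *const argv[] = { "wc", "-c", "--", (char *)name, NULL };
        execve("/usr/bin/wc", argv, clean_env);   /* absolute path, no PATH lookup */
        _exit(127);                               /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <filename>\n", argv[0]);
        return 2;
    }
    int rc = count_bytes_in(argv[1]);
    if (rc < 0)
        fprintf(stderr, "rejected or failed: %s\n", strerror(errno));
    return rc < 0 ? 1 : rc;
}
```

Compile with `gcc -Wall -o safe_wc safe_wc.c` and run `./safe_wc notes.txt`. An argument such as `a; id` or `-rf` is rejected before any process is started, and even an accepted argument reaches wc as a single argv entry with no shell involved. Note that the allow-list is deliberately narrow; a real program would tailor it to the tool it calls rather than loosen it.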
After your last assignment, your new boss is not impressed yet. However, she thinks that you might have what it takes to be a good security engineer. Your next assignment takes you to Southeastern University. Apparently, they have been hacked once again, and have contacted your company for help. You log on to the Linux server and see a number of applications that look like they may have vulnerabilities. These programs are written in C, so you first use grep to search for known insecure library functions such as gets(), strcpy(), or system(). After a brief search, you find three simple programs that use the system() function. You immediately bring them to the attention of your boss. Unfortunately, after a brief check, she cannot find anything wrong with these programs. She claims that the calls to system() and dlopen() were performed in a safe manner, and she orders you to continue working and to stop bothering her until you have something real. However, you know that these programs all have flaws. Demonstrate the vulnerabilities by exploiting each program and show your boss what your CU systems security education has taught you ;-). But wait … there is something strange going on … why can’t you create all the files that you want? Darn quotas ….
Your first task is to exploit vulnerabilities in four programs that have their set-guid (i.e. set group identification) bit enabled. The programs are installed under /usr/local/bin/prog[1-4]. The source for the programs can be obtained here (not necessarily listed in order):
An enabled set-guid bit means that whenever you execute one of these programs, your process gets the effective group-id of the group that owns the file. Consider a file called “myProg” with the following access permissions shown with ls -la.
-rwxr-sr-x 1 boss terrier 8192 Jan 1 2001 myProg
Whenever a user that belongs to the “other” group (i.e. not user boss and not belonging to group terrier) executes this file, the process is executed with an effective group-id of terrier and may access all resources according to the restrictions for group terrier.
You have exploited a vulnerability in one of our four challenge programs successfully when you call /bin/grade with the effective group-id of the group that owns the vulnerable program (for our challenge, these are groups bsp[2-5]). In the example above, “myProg” would be considered to be exploited successfully when you are able to call (or force “myProg” to call) /bin/grade with an effective guid of terrier. In that case, you receive a message stating that you have solved the assignment and get a code. This code has to be included in your submission to prove to us that your exploit was successful. Don’t try to fake, cheat or steal this code.
Your second task is to create a file named ididitohyeah in your home directory (i.e., ~terrierXXX) that is exactly 16MB (16777216 bytes) in size, consists of exactly 2^24 ‘A’ characters, and is owned by you (i.e., the owner of the file is your user-id). Sounds easy, right? 🙂 Well, we have enabled quotas and you probably will see that this task may not be as easy as it sounds (use the quota command to see what is going on). Of course, your quota limit would allow a file of the required size, but something seems to have already allocated some chunk of your available space. Once you manage to create this large file in your home directory, the listing should look something like this:
bandit:~> ls -l
-rw-r--r-- 1 terrier999 terrier999 16777216 2009-10-16 22:53 ididitohyeah
lrwxrwxrwx 1 terrier999 terrierstd 4 2009-10-03 16:24 mail -> Mail
drwx------ 2 terrier999 terrierstd 4096 1998-03-10 19:28 Mail
Please create this file as specified above. Do not put it anywhere else because the grading slave will not find it (i.e., do not put it in directories or subdirectories in your home directory). Also, do not forget to delete this file once you have successfully solved the challenge (otherwise, you will keep getting quota messages and may not be able to create new files ;)).

Hints for Solving the Challenge
We obviously did not hide some large file belonging to you in an inaccessible directory, and the challenge can be solved :).
To verify and convince yourself that you created the correct file, you can create the same file on a system without quotas and calculate a cryptographic hash of that file, e.g.,

$ sha256sum ididitohyeah
This way you can compare the file that you created on bandit conveniently.
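The file-creation task and the verification hint above, as an added example that is not part of the assignment's materials: the C program below writes exactly 2^24 'A' bytes and reads them back, treating a short write() and a quota error (EDQUOT) as explicit outcomes instead of assuming every write succeeds, which is exactly what goes wrong silently when a quota is in play. It assumes the home directory is given by $HOME; the 64 KiB chunk size and the function names are choices made here.

```c
/* Added example (not part of the assignment's materials): create a file of
 * exactly N 'A' bytes and verify it, treating short writes and quota errors
 * (EDQUOT / ENOSPC) as first-class outcomes rather than assuming write()
 * succeeds.  The 64 KiB chunk size and the $HOME-based path are choices made
 * for this example. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TARGET_BYTES (1UL << 24)   /* 16777216 bytes, as the assignment requires */

/* Writes nbytes 'A' characters to path.  Returns 0 on success; on failure
 * returns -1 with errno set and removes the partial file. */
int write_a_file(const char *path, unsigned long nbytes)
{
    static char chunk[1 << 16];
    memset(chunk, 'A', sizeof chunk);

    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;

    unsigned long left = nbytes;
    while (left > 0) {
        size_t want = left < sizeof chunk ? (size_t)left : sizeof chunk;
        ssize_t got = write(fd, chunk, want);
        if (got < 0) {
            if (errno == EINTR)
                continue;                /* interrupted: retry the same chunk */
            int saved = errno;           /* typically EDQUOT when over quota */
            close(fd);
            unlink(path);
            errno = saved;
            return -1;
        }
        left -= (unsigned long)got;      /* short write: the loop writes the rest */
    }
    /* close() can also report a deferred quota/space error on some filesystems */
    if (close(fd) < 0) {
        int saved = errno;
        unlink(path);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Reads the file back; returns its byte count if every byte is 'A', else -1. */
long count_a_bytes(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    static char buf[1 << 16];
    long total = 0;
    ssize_t got;
    while ((got = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < got; i++) {
            if (buf[i] != 'A') {
                close(fd);
                return -1;
            }
        }
        total += got;
    }
    close(fd);
    return got < 0 ? -1 : total;
}

int main(void)
{
    const char *home = getenv("HOME");
    if (home == NULL) {
        fprintf(stderr, "HOME not set\n");
        return 1;
    }
    char path[4096];
    snprintf(path, sizeof path, "%s/ididitohyeah", home);

    if (write_a_file(path, TARGET_BYTES) != 0) {
        /* EDQUOT is the quota case; the quota command shows what uses the space */
        fprintf(stderr, "%s: %s%s\n", path, strerror(errno),
                errno == EDQUOT ? " (disk quota exceeded)" : "");
        return 1;
    }
    long n = count_a_bytes(path);
    printf("%s: %ld bytes, %s\n", path, n,
           n == (long)TARGET_BYTES ? "all 'A', matches the spec" : "MISMATCH");
    return n == (long)TARGET_BYTES ? 0 : 1;
}
```

Compile with `gcc -Wall -o mkfile mkfile.c`, run `./mkfile`, and then hash the result with `sha256sum ~/ididitohyeah` as the hint suggests; running the same program on a system without quotas gives the reference hash to compare against. If the write fails with "Disk quota exceeded", the partial file is removed so it does not itself eat into the quota you are trying to diagnose. Remember to delete the file once graded.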