
CEN 5079 - Secure Application Programming

Challenge 2: General Unix Security

This project is due at 11:59 pm on February 14, 2021.

Introduction

The function system() provided by the standard C library (libc) takes a string argument that is passed as a command string to a shell command language interpreter such as sh (or bash). The use of this function is generally considered dangerous because the shell is a complex application that uses many implicit transformation rules. In addition, its behavior is controlled by several environment variables. To make a safe call to system(), the input has to be rigorously sanitized and the environment has to be sane. Even then, problems in the program(s) invoked by the shell through system() can be abused to compromise the calling application (e.g., do you remember Amin talking about parameter injection in the old days?).
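For contrast with the system() calls in the challenge programs, here is a shell-free way to run one fixed command. It is an added example, not part of the assignment or of the challenge sources; run_clean, CLEAN_ENV, the environment values and the /bin/cat location are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment handed to the child (values are assumptions). */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/*
 * Run one fixed program without going through a shell.
 * path must be absolute, so no PATH lookup takes place, and the caller's
 * environment is never passed on. Returns the child's exit status,
 * or -1 on error or abnormal termination.
 */
int run_clean(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/') {   /* refuse relative names */
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);      /* no "sh -c", no inherited env */
        _exit(127);                         /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const args[] = { "cat", "/etc/passwd", NULL };
    gid_t egid = getegid();

    if (setregid(egid, egid) != 0) {        /* same call as cat.c, but checked */
        perror("setregid");
        return EXIT_FAILURE;
    }
    return run_clean("/bin/cat", args) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```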

Storyline

After your last assignment, your new boss is not impressed yet. However, she thinks that you might have what it takes to be a good security engineer. Your next assignment takes you to Bostom University. Apparently, they have been hacked once again and have contacted your company for help. You log on to the Linux server and see a number of applications that look like they may have vulnerabilities. These programs are written in C, so you first use grep to search for known insecure library functions such as gets(), strcpy(), or system(). After a brief search, you find three simple programs that use the system() function. You immediately bring them to the attention of your boss. Unfortunately, after a brief check, she cannot find anything wrong with these programs. She claims that the calls to system() and dlopen() were performed in a safe manner, and she orders you to continue working and stop bothering her without having something real. However, you know that these programs all have flaws. Demonstrate the vulnerabilities by exploiting each program and show your boss what your Florida International University secure programming education has taught you ;-).

Detailed Description

Your first task is to exploit vulnerabilities in three programs that have their set-guid (i.e. set group identification) bit enabled. The programs are installed under /usr/local/bin/prog[1-3]. The source for the programs can be obtained here (not necessarily listed in order):

cat.c

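    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        gid_t egid = getegid();

        /* make the real group id equal to the effective (set-gid) one */
        setregid(egid, egid);

        /* the command string is handed to the shell */
        system("cat /etc/passwd");
        return 0;
    }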

less.c

    // Copyright iSecLab -- www.iseclab.org
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        FILE *file = fopen("/etc/passwd", "r");
        if (file == NULL) {
            printf("Oh no, first open failed!\n");
            system("less /usr/local/share/error.txt");
            /* Mayday mayday! Bailing out */
            exit(1);
        }

        FILE *file2 = fopen("/etc/passwd", "r");
        if (file2 == NULL) {
            fclose(file);
            printf("Oh no, second open failed!\n");
            system("less /usr/local/share/error.txt");
            /* Mayday mayday! Bailing out */
            exit(1);
        }

        FILE *file3 = fopen("/etc/passwd", "r");
        if (file3 == NULL) {
            fclose(file);
            fclose(file2);
            printf("Oh no, third open failed!\n");
            system("less /usr/local/share/error.txt");
            /* Mayday mayday! Bailing out */
            exit(1);
        }

        FILE *file4 = fopen("/etc/passwd", "r");
        if (file4 == NULL) {
            fclose(file);
            fclose(file2);
            fclose(file3);
            printf("Oh no, fourth open failed!\n");
            system("less /usr/local/share/error.txt");
            /* Mayday mayday! Bailing out */
            exit(1);
        }

        /* Imagine we are doing something very important and useful here... */
        printf("I managed to successfully open the /etc/passwd file 4 times! I am the king yeahaaaa!\n");
        printf("Never think you've seen the last of anything. Eudora Welty\n");
        return 0;
    }

signal.c

    #include <signal.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char cmdbuf[128] = "echo interrupt signal caught, terminating ";
    char *progname;

    void handle_signal(int sig)
    {
        /* space left in cmdbuf after the fixed prefix and its terminator */
        int len = sizeof(cmdbuf) - (strlen(cmdbuf) + 1);

        if (strlen(progname) > len)
            progname[len] = '\0';
        strcat(cmdbuf, progname);
        system(cmdbuf);
        exit(1);
    }

    void usage()
    {
        printf("%s <n> where 0 < n <= 1000\n", progname);
        exit(1);
    }

    /*
     * The program takes one argument line parameter n (which has to be a
     * positive integer input parameter) and then prints out the first n
     * prime numbers.
     */
    int main(int argc, char **argv)
    {
        struct sigaction sa;
        int cnt, N, found;
        unsigned long candidate, divisor;
        gid_t egid = getegid();

        setregid(egid, egid);

        /* set up signal handling */
        memset(&sa, 0, sizeof(struct sigaction));
        sa.sa_handler = handle_signal;
        sigaction(SIGALRM, &sa, NULL);

        /* process argument */
        progname = argv[0];
        if (argc != 2)
            usage();
        N = strtol(argv[1], NULL, 10);
        if ((N <= 0) || (N > 1000))
            usage();

        /* calculate prime numbers -- simple sieve */
        candidate = 1;
        for (cnt = 0; cnt < N; ++cnt) {
            for (;;) {
                found = 1;
                divisor = 2;
                candidate += 1;
                while (divisor <= candidate / 2) {
                    if ((candidate % divisor) == 0) {
                        found = 0;
                        break;
                    } else
                        ++divisor;
                }
                if (found)
                    break;
            }
            printf("%lu\n", candidate);
        }
        return 0;
    }

An enabled set-guid bit means that whenever you execute one of these programs, your process gets the effective group-id of the group that owns the file. Consider a file called "myProg" with the following access permissions shown with ls -la.

-rwxr-sr-x 1 boss panther 8192 Jan 1 2021 myProg

Whenever a user that belongs to the "other" group (i.e. not user boss and not belonging to group panther) executes this file, the process is executed with an effective group-id of panther and may access all resources according to the restrictions for group panther.

You have exploited a vulnerability in one of our three challenge programs successfully when you call /bin/grader with the effective group-id of the group that owns the vulnerable program (for our challenge, these are groups bsp[1-3]). In the example above, "myProg" would be considered to be exploited successfully when you are able to call (or force "myProg" to call) /bin/grader with an effective guid of panther. In that case, you receive a message stating that you have solved the assignment and get a code. This code has to be included in your submission to prove to us that your exploit was successful. Don't try to fake, cheat or steal this code.

Deliverables

To submit your challenge solution to us, you need to follow these steps:

  1. Create a file called message.txt anywhere under your account (e.g., using vi).
  2. Write each code that you have received from /bin/grader for every program you exploited (i.e., prog[1-3]) on a single line in that file (make sure the ordering 1-3 is correct).
  3. The message.txt should be signed with your private GPG key, and encrypted using the class GPG public key. Your submission folder should contain the following file: message.txt.asc
  4. You submit your project by running the turn-in script as follows:
     $ /course/cn5079sp21/bin/turnin project2
     where is the name of the directory with your submission (the directory where your message.txt.asc file is located). The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing the message file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.
  5. Wait a couple of minutes and call the grading script to view the results of the automatic grading program. If you have managed to solve all three challenges, you will get full credit.

Submission format

Each answer in your message.txt should be on its own line. For example, your message.txt file might look like the following:

    9e1e54f2b7cda7cedd4c7e8c2b15f9ec:6080:201
    c50d332c4f1c675d234654644c0a7557:6080:202
    1f64f8699cae93c5245a3ad5757c042a:6080:203

Grading

This project is worth 6% of your final grade, broken down as follows (out of 100):

  • 33.3% points each per answer (three answers)

Points can be lost for turning in files in incorrect formats (e.g. not UNIX-line break ASCII), failing to follow specified formatting and naming conventions, or encrypting/signing your file using the wrong keys.

Deadline

This project is due at 11:59 pm February 14, 2021.

Closing words

Good luck and happy hunting!
