
Question: Describe and demonstrate how you gained a root shell by exploiting the security flaw in the program from Code Listing 5, and suggest how the programmer could have avoided the security flaw in the program.
The Set-UID program in Code Listing 5 is supposed to execute the /bin/ls command; however, it has a security flaw as the programmer only uses the relative path for the ls command, rather than the absolute path:

    #include <stdio.h>   /* printf */
    #include <stdlib.h>  /* system */

    int main()
    {
        printf("calling system(ls): ");
        /* Relative command name: the shell resolves it through PATH (the flaw in question) */
        system("ls");
        return 0;
    }

Code Listing 5: Calling 'ls' via a system() call

Note: The system(cmd) command executes the /bin/sh program first, and then asks the new shell program to run the (cmd) command. In Ubuntu 20.04 the /bin/sh program is a symbolic link that points to the /bin/dash shell.

    $ ls -ltr /bin/sh
    lrwxrwxrwx 1 root root 4 Feb 6 2021 /bin/sh -> dash

The dash shell in Ubuntu 20.04 has a countermeasure that prevents itself from being executed in a Set-UID process. If dash detects that it is executed in a Set-UID process, it immediately changes the effective user ID to the process's real user ID, essentially dropping the privilege.

Since our victim program is a Set-UID program, the countermeasure in /bin/dash will prevent our attack. To see how our attack works without such a countermeasure, we will link /bin/sh to another shell that does not have such a countermeasure. We have installed a shell program called zsh in our UWECyber VM. Use the following commands to link /bin/sh to zsh.

    $ sudo rm /bin/sh
    $ sudo ln -s /bin/zsh /bin/sh
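For the second half of the question (how the programmer could have avoided the flaw), here is an added example that is not part of the original question or lab code: it runs /bin/ls by absolute path with execve(), so no shell and no caller-controlled PATH are involved. The function name run_ls, the fixed environment and the assumption that ls needs no elevated privilege are choices made for this example.

```c
/* Added example: hardened replacement for system("ls") in a Set-UID program. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run /bin/ls by absolute path, without a shell and with a fixed environment.
 * Returns the exit status of ls, or -1 if it could not be run. */
int run_ls(void)
{
    /* Constructed minimal environment: the caller's PATH, IFS, LD_* and
     * similar variables are not passed on to the child. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { "ls", NULL };
    int status;

    fflush(stdout);                 /* avoid duplicated buffered output after fork */
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Assumption: ls needs no elevated privilege, so drop it for good
         * (group first, then user) before executing anything. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve("/bin/ls", argv, envp);  /* absolute path, no PATH lookup */
        _exit(127);                     /* reached only if execve failed */
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("calling /bin/ls directly:\n");
    return run_ls() == 0 ? 0 : 1;
}
```

Because the command is never looked up through PATH and never handed to /bin/sh, the result does not depend on which shell /bin/sh points to or on the invoking user's environment.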
