Shellbased Wargaming

Transcription

1 Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested in learning about computer security. This document is not intended to learn specific techniques, as that is the the purpose of wargaming itself. This document does not cover the basics of Unix systems nor the basics of programming. 1 Introduction Once in a while media reports about a security problem that allowed a virus to infect a system or a hacker to break in. Have you ever wondered what caused this? The problem is mostly an error made by the programmer, but how does those errors look? Wouldn t it be better if the programmers knew about those errors before they wrote the programs so they could write stable and more secure programs from the beginning? Wargames consisting of levels with programming bugs in them. The goals of the levels are to find the security bugs and exploit them. The goal of the wargame is to educate about security and how programs shouldn t be written. Skills needed to play (or needed to learn while playing) includes common sense, patience, searching in manuals, details of unix systems and commands, programming (mostly C), reverse engineering and thinking out of the box. 1

2 2 Concepts Shellbased wargaming is mostly played on a dedicated Linux server via the remote login service ssh. 2.1 Unix permissions Each file in an unix system has permissions assigned to it. $ ls -l -r-sr-x--- 1 levely levelx 6949 example -rw-r levely levelx 69 example.c -rw levely levely 20 password -rwxr-sr-x 1 root game 7383 adventure -rw-rw-r-- 1 root game 234 highscore This is a directory listing, showing their owners, groups and permissions of the files. example, example.c and password are owned by levely, but example and example.c are in the group levelx. 2.2 User ID Each process on a UNIX system has a user id and a group id, and also an effective user id and effective group id. These are commonly abbriviated to UID, GID, EUID and EGID. Some processes requires to run at higher priviledges. In the listing above, there is the game adventure and it s hiscore file. A user should not be able to edit the highscore file directly, only when running the game. adventure has an s instead of an x in the group execute permission. This means that when adventure is run, the process will run with an effective group id of game, thus allowing it to edit the highscore file. We say that adventure runs setgid, or that it is a setgid-binary 1. Similarly, the example is a setuid-binary. It will run with an effective user id of levely. 1 Binary is another word for executable, referring to the file itself 2

3 2.3 Privilege escalation The game progress in wargaming is done by privilege escalation. A program is buggy if the behaviour of the program is not well defined for all situations. A program is vulnerable if a user can control the flow of the program, making it do things it wasn t intended to do. If a user can control the flow of a program running with another effective user id, that user gets all the permissions of that user, which is a security breach. A level in a shell-based consists (most of the time) of a setuid binary with a security vulnerability. Exploiting can be done by reading a file that contains the password for the next level or, most commonly, by tricking the program to spawn a shell with the privileges of the next level. Note that it is necessary to log in as the next level to get the group id set. The group id is necessary to play the next level. 3 Examining To find a vulnerability, the inner workings of the program must be examined. Sometimes the source code is available, otherwise the binary must be examined to find out if and how it might be exploited. The process when the inner functions of a compiled program is determined is called Reverse Engineering. When you have found out what the program does, try asking yourself the question: What was this program not designed to handle? What if it is fed with a large string, a negative number or a string with strange characters in it? Does the program assume things that aren t always true? 3.1 Tools for examining binaries strings ltrace strace gdb objdump Extracts text stored in a binary file Traces library calls made by the program Traces system calls made by the program The GNU debugger Extract information from a binary 3

4 4 Exploiting When a vulnerability is found, an exploit should be written. This includes some research about the vulnerability, finding offsets and so on. 5 Example This example lacks details on the theory behind why the exploit works, the reader is encouraged to do independent research. The following program written in C demonstrates a buffer overflow. ls -l -r-sr-x--- 1 levely levelx 6949 example -rw-r levely levelx 69 example.c This level consists of a small suid binary with source code. /* example.c */ #include <stdio.h> int main() { char a[20]; gets(a); return 0; } From the gets() manual page: SECURITY CONSIDERATIONS The gets() function cannot be used securely. Because of its lack of bounds checking, and the inability for the calling program to reliably determine the length of the next incoming line, the use of this function enables malicious users to arbitrarily change a running program s functionality through a buffer overflow attack. So what happens if this program is given a string longer than 20 characters?./example AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Segmentation fault 4

5 The program crashed, because important data was overwritten. By using a debugger, it is possible to find the cause to the crash. gdb -q./example (gdb) r Starting program:./example AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGSEGV, Segmentation fault. 0x in?? () (gdb) The program is crashing because it tried to execute program code at memory address 0x Why? The hexadecimal representation of A is 0x41. Note that for the processor, there is no difference between characters, integers or memory pointers. It s how the data is used that matters. In this case, the function return pointer was overwritten by a buffer overflow. It s now possible to control where in the memory the program executes code. By choosing data that points to program code that say, spawns a shell, the program will spawn a shell. For more theory behind how to exploit a buffer overflow, see Smashing the stack for fun and profit by Alef 0 First, which of all A s overwrites the return-pointer? And where are our string? (gdb) r Starting program: /tmp/example AAAAAAAAAAAAAAAAAAAABCDEFGHIJKLM Program received signal SIGSEGV, Segmentation fault. 0x in?? () (gdb) x $esp 0xbfffdd40: 0x4d4c4b4a (gdb) 5

6 6 Tips and Tricks 6.1 Manual pages As soon as there is a strange command or function that you are not sure about, strstr for example, just type man strstr in your terminal. This can not be taken to easily, there is even an acronym for it. RTFM - read the friendly manual. 6.2 Bash Sometimes an exploit needs to be submitted to standard input. As a shell closes when it detects EOF 2, the following trick might be used to continue to give input after the exploit has been fed to the program. (perl -e print "exploit" ; cat)./binary 6.3 Perl Perl is a great scripting tool when wargaming. It is possible to run small scripts directly from the shell with the -e flag. Large strings are easily produced../binary $(perl -e print "A"x10000 ) That is a lot more handy than writing./binary AAAAAAAAAAAAAAAAAAAAAAA times...AAA 6.4 gdb In gdb, exploit code can be given as an argument (gdb) r $( perl -e exploitcode ) or to standard input (gdb) r < <( perl -e exploitcode ) There is a space between the less-than signs. This is because of process substitution. More about that can be found on the internet and in the bash manual page. 2 End of file 6

7 7 List of wargame communities