Linux Capabilities & Set-UID Vulnerability

Similar documents
GNU/Linux: An Essential Guide for Students Undertaking BLOSSOM

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

Linux Capability Exploration Lab

Capability and System Hardening

Race Condition Vulnerability Lab

Exploiting capabilities Parcel root power, the dark side of capabilities

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories

LPI LPI Level Junior Level Linux Certification Part 1 of 2. Download Full Version :

INF322 Operating Systems

Welcome to getting started with Ubuntu Server. This System Administrator Manual. guide to be simple to follow, with step by step instructions

Everything about Linux User- and Filemanagement

Using KVM On Ubuntu 7.10 (Gutsy Gibbon)

Installing and Patching Oracle

Operating systems fundamentals - B10

Exercise 4: Access Control and Filesystem Security

Linux Systems Administration Getting Started with Linux

INTRODUCTION TO LINUX

Embedded System Design

Dirty COW Attack Lab

Installing and Patching Oracle

Introduction to Linux. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

Working with Basic Linux. Daniel Balagué

CS Programming Languages Fall Homework #2

Operating Systems Linux 1-2 Measurements Background material

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Least-Privilege Isolation: The OKWS Web Server

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Secure Architecture Principles

Introduction to Linux

Shellbased Wargaming

[S9I ] gtmsecshr vulnerability Security Advisory Page 1 of 6

Linux Systems Administration Shell Scripting Basics. Mike Jager Network Startup Resource Center

Lab E2: bypassing authentication and resetting passwords

Buffer Overflow Vulnerability

Secure Software Programming and Vulnerability Analysis

TJU Syllabus for Linux Fundamentals and Applications

CS/CIS 249 SP18 - Intro to Information Security

Buffer Overflow Vulnerability Lab

OS security mechanisms:

Filesystem Hierarchy Operating systems I800 Edmund Laugasson

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions

LAB #7 Linux Tutorial

Operating Systems Security Access Control

GNU/Linux 101. Casey McLaughlin. Research Computing Center Spring Workshop Series 2018

Stack Debugging. Young W. Lim Thr. Young W. Lim Stack Debugging Thr 1 / 12

CIS 5373 Systems Security

Operating Systems Lab

CS155: Computer Security Spring Project #1

SAS Event Stream Processing 4.1: Deployment Guide

Linux Kung-Fu. James Droste UBNetDef Fall 2016

CIT 480: Securing Computer Systems. Operating System Concepts

Lab #9: Configuring A Linux File Server

Operating system security models

Capabilities. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018

Learning ASM Using a Single Disk Drive On the Apple OS X and Linux Platforms

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

SE Linux Implementation LINUX20

Intro to HPC Exercise

Unix Introduction to UNIX

Filesystem Hierarchy and Permissions

Stop all processes and then reboot - same as above startx. Log in as superuser from current login exit

CptS 360 (System Programming) Unit 6: Files and Directories

1 Virtualization Recap

CS631 - Advanced Programming in the UNIX Environment

Using Symantec NetBackup 6.5 with Symantec Security Information Manager 4.7

SAS Event Stream Processing for Edge Computing 4.3: Deployment Guide

Practical Techniques to Obviate Setuid-to-Root Binaries

Discretionary Access Control

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

CS 361S - Network Security and Privacy Spring Project #2

Security Enhanced Linux

Using The Hortonworks Virtual Sandbox Powered By Apache Hadoop

Docker & why we should use it

Setting up a Chaincoin Masternode

File System. yihshih

How to Create a NetBeans PHP Project

CS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.

Parents and Children

Privileges: who can control what

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Data Security and Privacy. Unix Discretionary Access Control

Table 12.2 Information Elements of a File Directory

Running SAS Deployment Wizard on UNIX with a Nonroot User Account and IBM WebSphere Application Server

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19

15. Creating a Samba Server in Knoppix v.3

CS 356 Operating System Security. Fall 2013

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

Module 4: Access Control

Security. Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018

CSCE 313 Introduction to Computer Systems

First steps on Linux and programming

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Linux

Processes are subjects.

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Introduction to Linux (Part II) BUPT/QMUL 2018/03/21

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Visara Master Console Center. Software Installation P/N

Security Architecture

ROUNDTABLE TSMS 10.1C - Unix. Installation Guide

Transcription:

Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/. Linux Capabilities & Set-UID Vulnerability BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) l.han@mmu.ac.uk

1. Learning Objectives This will be to explore and understand linux capability and Set-UID vulnerabilities 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: 3. Tasks 'Virtual-MachineGuide.pdf' Linux-Guide.pdf BLOSSOM-UserGuide.pdf Setup & Installation: 1: Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide): # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two

Task 1 Linux Capabilities 1.1 Linux has multiple ways in which access control can be maintained in order to assign appropriate levels of privilege to certain applications and commands. Libcap is one of the methods in which this can be performed. 1.2 First of all, a small file system must be created on the virtual machine, as capabilities can t be applied to certain types of file system such as the one the virtual machine is running on. The following strings of commands perform this task: # dd if=/dev/zero of=disk.img bs=16k count=16 # mke2fs disk.img # mkdir mnt # mount o loop disk.img mnt This creates the disk image in an acceptable file system format and mounts it to a directory. Commands that we will change the capabilities of must be first copied to this directory in the following way: # cp a /bin/ping mnt 1.3 With the file system created and the ping command copied in to the mounted directory, we can change the capabilities of the ping command. Ping is known as a Set-UID program, which means that normal users can use the program as it temporarily turns the user into a more powerful user, such as root. This provides the potential for an attacker to compromise the program in order to get root privilege. The Set-UID privilege must be removed from the ping command stored in the mounted directory: # chmod u-s mnt/ping This should prevent a normal user from using the ping command, test it by opening a terminal with root access and attempting to run the following command: $ mnt/ping 10.0.2.17 An error should appear stating that the operation is not permitted. 1.4 In order to allow for a normal user to use ping, but without providing ping with too much power, we can set a specific capability to it. The basic reason for ping not working without Set-UID or root permission is that ping needs to open a RAW socket in order to work. The following

command will set the capability for opening a RAW socket without providing actual root access: # setcap cap_net_raw=ep mnt/ping Now try running the command mnt/ping as a normal user and notice that you can now access the command without gaining root privilege. Question/Task: Do the exact same thing to another command that requires root access, such as passwd. What capabilities do you need to apply to passwd in order to make it usable by a normal user without gaining root privilege? Task 2 Set-UID Program Vulnerability 2.1 Set-UID is a set of access right flags in the UNIX operating system that allows for users to run an executable with the permissions of the executable s owner or group respectively. This function can easily be exploited to provide a normal user with unwarranted privileges if countermeasures are not in place. Open up a text editor and create a script that performs a task that would require root access, such as apt-get commands, and then save it as 'something.sh': #!/bin/sh apt-get install <PACKAGE> Above is an example of a script, where <PACKAGE> is the name of any package. This is purely for demonstrative purposes. In a root terminal, now use the following set of commands to provide set-uid functionality to the script: # chown root:root something.sh # chmod 4755 something.sh Now, if we attempt to run the script in a non-root terminal, we will still be confronted with an error stating that we are not root; however, this can be circumvented by making use of a simple C based program. 2.2 Open up another text editor and create this C program: #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> int main() { setuid(0);

} system("/home/user/something.sh"); return 0; NOTE: The "system" line may be different depending on the user, based on where the file "something.sh" was created. Save the program as 'runscript.c', and then use gcc to compile it, changing the permissions to the same as what we set the script 'something.sh' to earlier: # gcc runscript.c -o runscript # chown root:root runscript # chmod 4755 runscript Question/Task: Execute 'runscript' and observe the result.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback