Linux Capabilities & Set-UID Vulnerability
BLOSSOM
Manchester Metropolitan University (Funded by Higher Education Academy)
l.han@mmu.ac.uk

Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.
1. Learning Objectives
This exercise explores Linux capabilities and Set-UID vulnerabilities.

2. Preparation
1) A Linux environment.
2) Some documents that you may need to refer to: 'Virtual-MachineGuide.pdf', 'Linux-Guide.pdf', 'BLOSSOM-UserGuide.pdf'.

3. Tasks
Setup & Installation:
1: Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide):
    # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one
    # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two
Task 1 Linux Capabilities

1.1 Linux has multiple ways in which access control can be maintained in order to assign appropriate levels of privilege to certain applications and commands. Libcap (file capabilities) is one of the methods by which this can be done.

1.2 First of all, a small file system must be created on the virtual machine, as capabilities can't be applied to certain types of file system, such as the one the virtual machine is running on. The following commands perform this task:
    # dd if=/dev/zero of=disk.img bs=16k count=16
    # mke2fs disk.img
    # mkdir mnt
    # mount -o loop disk.img mnt
This creates the disk image in an acceptable file system format and mounts it on a directory. Commands whose capabilities we will change must first be copied to this directory in the following way:
    # cp -a /bin/ping mnt

1.3 With the file system created and the ping command copied into the mounted directory, we can change the capabilities of the ping command. Ping is known as a Set-UID program, which means that normal users can use it because it runs with the privileges of its owner, a more powerful user such as root, for the duration of the program. This gives an attacker the potential to compromise the program in order to gain root privilege. The Set-UID privilege must be removed from the ping command stored in the mounted directory:
    # chmod u-s mnt/ping
This should prevent a normal user from using the ping command; test it by opening a terminal with root access and attempting to run the following command:
    $ mnt/ping 10.0.2.17
An error should appear stating that the operation is not permitted.

1.4 In order to allow a normal user to use ping, but without giving ping too much power, we can set a specific capability on it. The basic reason for ping not working without Set-UID or root permission is that ping needs to open a RAW socket in order to work. The following
command will set the capability for opening a RAW socket without providing actual root access:
    # setcap cap_net_raw=ep mnt/ping
Now try running the command mnt/ping as a normal user and notice that you can now use the command without gaining root privilege.

Question/Task: Do the exact same thing to another command that requires root access, such as passwd. What capabilities do you need to apply to passwd in order to make it usable by a normal user without gaining root privilege?

Task 2 Set-UID Program Vulnerability

2.1 Set-UID is a set of access right flags in the UNIX operating system that allows users to run an executable with the permissions of the executable's owner or group respectively. This function can easily be exploited to provide a normal user with unwarranted privileges if countermeasures are not in place. Open up a text editor and create a script that performs a task that would require root access, such as apt-get commands, and then save it as 'something.sh':
    #!/bin/sh
    apt-get install <PACKAGE>
Above is an example of a script, where <PACKAGE> is the name of any package. This is purely for demonstrative purposes. In a root terminal, now use the following set of commands to give the script Set-UID functionality:
    # chown root:root something.sh
    # chmod 4755 something.sh
Now, if we attempt to run the script in a non-root terminal, we will still be confronted with an error stating that we are not root (Linux ignores the Set-UID bit on interpreted scripts, so the shell runs with the invoking user's privileges); however, this can be circumvented by making use of a simple C-based program.

2.2 Open up another text editor and create this C program:
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main()
    {
        /* The binary will be Set-UID root, so this raises the real user ID to 0 as well.
         * The return value is deliberately not checked: this is the vulnerable demo program. */
        setuid(0);
        /* Runs the script through /bin/sh, now with root privileges. */
        system("/home/user/something.sh");
        return 0;
    }
NOTE: The "system" line may be different depending on the user, based on where the file "something.sh" was created. Save the program as 'runscript.c', and then use gcc to compile it, changing the permissions to the same as what we set the script 'something.sh' to earlier:
    # gcc runscript.c -o runscript
    # chown root:root runscript
    # chmod 4755 runscript

Question/Task: Execute 'runscript' and observe the result.
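Added example for Task 1 (not part of the original BLOSSOM lab material): a small C program that decodes the capability masks Linux reports in /proc/<pid>/status (the CapEff, CapPrm and CapInh lines), so you can verify which capabilities a process such as the modified ping actually holds after setcap, rather than trusting that the command "just works". It assumes a Linux /proc file system; the capability bit numbers are those from <linux/capability.h>, and only a subset of names is included here.

```c
/* Added example (not the lab's code): decode a Linux capability bit mask as printed
 * in /proc/<pid>/status, e.g. "CapEff: 0000000000002000" is bit 13 = cap_net_raw,
 * which is exactly what the lab grants to ping with "setcap cap_net_raw=ep". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct cap_entry { int bit; const char *name; };

/* Bit numbers from <linux/capability.h>; subset only. */
static const struct cap_entry cap_table[] = {
    {0, "cap_chown"}, {1, "cap_dac_override"}, {2, "cap_dac_read_search"},
    {3, "cap_fowner"}, {4, "cap_fsetid"}, {5, "cap_kill"},
    {6, "cap_setgid"}, {7, "cap_setuid"}, {8, "cap_setpcap"},
    {10, "cap_net_bind_service"}, {12, "cap_net_admin"}, {13, "cap_net_raw"},
    {19, "cap_sys_ptrace"}, {21, "cap_sys_admin"},
};

/* Parse the 16-hex-digit mask shown in /proc/<pid>/status; malformed input yields 0. */
static uint64_t parse_cap_mask(const char *hex)
{
    char *end = NULL;
    unsigned long long v = strtoull(hex, &end, 16);
    if (end == hex) return 0;
    return (uint64_t)v;
}

/* 1 if capability number `bit` is set in the mask string, else 0. */
int cap_mask_has(const char *hex, int bit)
{
    if (bit < 0 || bit > 63) return 0;
    return (int)((parse_cap_mask(hex) >> bit) & 1ULL);
}

/* Write a comma-separated list of the set capabilities into `out` (truncated if it
 * does not fit) and return how many bits are set. */
int decode_cap_mask(const char *hex, char *out, size_t outlen)
{
    uint64_t mask = parse_cap_mask(hex);
    int count = 0;
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!((mask >> bit) & 1ULL)) continue;
        count++;
        const char *name = NULL;
        for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++)
            if (cap_table[i].bit == bit) { name = cap_table[i].name; break; }
        char buf[32];
        if (name) snprintf(buf, sizeof buf, "%s", name);
        else snprintf(buf, sizeof buf, "cap_%d", bit);   /* unnamed bit: show its number */
        if (used + 1 < outlen) {
            int n = snprintf(out + used, outlen - used, "%s%s", used ? "," : "", buf);
            if (n > 0) used = (size_t)n + used < outlen ? used + (size_t)n : outlen - 1;
        }
    }
    return count;
}

/* Read the CapEff value of the current process from /proc/self/status (Linux only). */
int read_self_cap_eff(char *hex, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int ok = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            size_t n = strcspn(p, "\n");
            if (n >= len) n = len - 1;
            memcpy(hex, p, n);
            hex[n] = '\0';
            ok = 1;
            break;
        }
    }
    fclose(f);
    return ok;
}

int main(void)
{
    char hex[32], names[512];
    /* Constructed sample: the effective set a non-root user's ping would show after setcap cap_net_raw=ep. */
    const char *sample = "0000000000002000";
    int n = decode_cap_mask(sample, names, sizeof names);
    printf("sample CapEff %s: %d capability(ies): %s\n", sample, n, names);
    if (read_self_cap_eff(hex, sizeof hex)) {
        n = decode_cap_mask(hex, names, sizeof names);
        printf("this process CapEff %s: %d capability(ies)%s%s\n", hex, n, n ? ": " : "", names);
    }
    return 0;
}
```

Run it as the normal user (an empty mask, 0000000000000000, is what you should expect) and then compare with the effective set of the root shell; that contrast is the point of Task 1: a capability grants one narrow power instead of the whole root mask. To inspect the modified ping itself, run it and read /proc/<pid>/status for its process ID.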
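Added example for Task 2 (not part of the original lab, and not the lab's runscript.c): a hardened version of the same wrapper, showing the countermeasures the demo program omits when it calls setuid(0) without checking the result and hands the script to system(). The wrapper refuses to run the target unless it is a regular, root-owned file that nobody else can write to, checks that the privilege change actually happened, and uses execve() with a fixed minimal environment instead of /bin/sh with the caller's environment. The target path /home/user/something.sh is taken from the lab text and is an assumption; adjust it to where your script lives.

```c
/* Added example (not the lab's code): a Set-UID wrapper with the checks the lab's
 * runscript.c leaves out. Assumes the lab's script path; change TARGET to suit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET "/home/user/something.sh"   /* assumed path, as in the lab text */

/* Classify the target's ownership and permission bits:
 *   0  = acceptable
 *  -1  = not owned by the required user
 *  -2  = writable by group or others (anyone could replace its commands before root runs it) */
int target_mode_ok(mode_t mode, uid_t owner, uid_t required_owner)
{
    if (owner != required_owner) return -1;
    if (mode & (S_IWGRP | S_IWOTH)) return -2;
    return 0;
}

/* lstat() the target and apply target_mode_ok(); -3 if it is missing or not a plain file.
 * lstat rather than stat so a symbolic link planted at the path is rejected too. */
int check_target(const char *path, uid_t required_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -3;
    if (!S_ISREG(st.st_mode)) return -3;
    return target_mode_ok(st.st_mode, st.st_uid, required_owner);
}

/* A fixed, minimal environment: the caller's PATH, IFS, LD_* and similar variables
 * never reach the privileged script. */
char **safe_environment(void)
{
    static char *env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    return env;
}

int main(void)
{
    /* Only proceed if the script is root-owned and not modifiable by others. */
    int rc = check_target(TARGET, 0);
    if (rc != 0) {
        fprintf(stderr, "refusing to run %s (check code %d)\n", TARGET, rc);
        return 1;
    }
    /* Unlike setuid(0) with the result ignored, verify the privilege change succeeded. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* execve with an absolute path and a fixed environment, instead of system(), which
     * would start /bin/sh with whatever environment the caller supplied. */
    char *const argv[] = { TARGET, NULL };
    execve(TARGET, argv, safe_environment());
    perror("execve");   /* only reached if execve failed */
    return 1;
}
```

Compile and install it exactly as the lab does for runscript (gcc, chown root:root, chmod 4755) and compare the two behaviours: the original wrapper runs whatever is at the path, in the caller's environment, while this one stops with a check code if the script's ownership or permissions are wrong. The checks narrow the damage but do not make a root-running script safe in itself; the lesson of Task 2 is that the wrapper, the script and everything the script calls all inherit root.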