How software vulnerabilities can be exploited
Objectives:
The main objective of this assignment is for the students to understand the security mechanisms in Unix-like operating systems and their interplay with software security, in particular:
– to learn practical access control mechanisms in Unix operating system, such as files and folder permissions and SUID programs, and how application security is affected by them;
– to learn how software vulnerabilities can be exploited to circumvent security mechanisms in both applications and operating systems.
Problem Description:
There are three problems in this assignment. To do this assignment, you will make use of an installation of Ubuntu Linux 12.04 (32 bit) in the Oracle VirtualBox virtual machine. The VirtualBox image of the Ubuntu installation is provided with this document and can be downloaded from the NTULearn site for this assignment, under the Group assignment menu. The assessment of the solutions to the problems listed below will be entirely done inside this particular installation of Ubuntu.
The Ubuntu installation for this assignment is a clone of the Ubuntu image provided for the tutorial sessions. In particular, it has the following users: admin, alice, bob, charlie, dennis, eve and fong.
User admin has the administrative privilege over the system, i.e., it can escalate its privilege to the root user.
The user bob maintains several applications that allows a user to access a certain ‘secret’, when the right password is provided. These passwords are different from the user account passwords. To distinguish the two, we shall call these passwords as application passwords. Every user is assigned a unique secret and a unique application password. The secrets take the form of a string of alpha numeric characters. The application passwords and the secrets are stored in individual files. The locations for these files are summarized in Table 1. The application passwords are strings of lower- case letters, of length at most 14 characters.
IMPORTANT NOTE: Appendix A provides the account passwords, the application passwords and the secrets for all users. All these passwords and secrets, except those for user ‘charlie’, will be changed during the assessment of your solutions. So your solutions must not hardcode any of these passwords and secrets other than charlie’s.
Table 1. Locations of application passwords and secrets. Each password is stored in a file called ‘password’, and each secret is stored in a file called ‘secret’.
There are three main programs that a user can use to display his or her secret:
– user-secret: This program is used to access the secrets for the following users only: alice, charlie, dennis, eve and fong. It takes two arguments: a user name and an (application) password. If the application password supplied is correct for that user, the secret for the user will be displayed. The following screenshot shows an example of the output of a normal run of the program.
– bob-secret: This program is used by user bob to access his secret. It takes one argument, which is bob’s application password. If the password is correct, bob’s secret will be displayed. The following screenshot shows an example of the output of a normal run of the program.
– admin-secret: This program is used by user admin to access its secret. It takes one argument, which is admin’s application password. If the password is correct, admin’s secret will be displayed. The following screenshot shows the output of a normal run of the program.
In addition to the above three programs, there are additionally two helper programs:
– show-secret: This program is invoked by bob-secret to display bob’s secret, in case of a successful authentication check. It is not supposed to be invoked by the users directly.
– register: This program is invoked by bob-secret to display an error message in case of an unsuccessful authentication check. It is not supposed to be invoked by the users directly.
All of the above programs, except for register, are SUID programs. Table 2 lists the locations of the binaries of the programs. The source code of these programs are written in C and are located in the same directory as their binaries. For your convenience, the source code of these programs are included in Appendix B.
There are further details about the permissions of each program above that you need to discover on your own. Pay particular attention to the SUID programs and their owners.
Table 2. Program locations
There are 3 (three) problems you need to solve for this assignment. For each problem, you are asked to write an attack program or script. These attack programs/scripts must be executed using user charlie’s account. So in the following, we assume all attack programs/scripts are located in
/home/charlie/.
Problem 1
Your first task is to write an attack script or a program to display the secret of any of the following users: alice, charlie, dennis, eve, or fong. The attack program takes one argument, which is the user you want to attack. The attack must work when executed by user charlie. If your program/script works correctly, it should show something that looks like the following:
1012_figure.jpg
That is, each successful attack should display the word ‘Secret: ‘, followed by a string that is the secret.
Problem 2
For this problem, you are asked to write an attack script/program to display bob’s secret. The attack program takes no argument. As in Problem 1, this attack must work when launched by user charlie. The following screenshot shows what a successful attack should look like:
1821_figure1.jpg
Problem 3
For Problem 3, you are asked to write a script/program to display the application password and the secret of the admin user. The attack program takes no argument. A successful attack should output something like the following:
