Attack 3: stdio Attack
Overview
By convention, POSIX systems associate file descriptors 0, 1, and 2 with standard input, standard output, and standard error, respectively. Almost all applications give these stdio descriptors special significance, for example writing error messages to standard error (file descriptor 2). A child process inherits copies of its parent's file descriptors, and unless a descriptor is marked close-on-exec it stays open, with the same state, across an exec. A program therefore cannot assume that descriptors 0, 1 and 2 are open when it starts: whoever execs it controls that.
POSIX requires that open() and the other descriptor-creating calls return the lowest-numbered file descriptor not currently open in the process. For example, if a newly exec'd process has file descriptors 0 and 1 open but file descriptor 2 closed, and then opens a file, that file is guaranteed to receive descriptor 2 (standard error). Anything the program subsequently writes to standard error then ends up in that file.
In this project, a setuid program (register, built from the supplied register.c) is given for students to carry out this attack against. The goal is to corrupt /usr/adm/syslog, a file that only the superuser can access, by writing garbage into it.
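The mechanism described above, as an added C example that is not part of the assignment's register.c or of Minix's stdio library: the victim stand-in, its diagnostic string, the scratch path /tmp/stdio_attack_demo.log and the helper names are assumptions, and the real attack's exec() of the setuid binary is replaced by a direct call with descriptor 2 saved and restored so the demo keeps a working stderr. It shows the attacker's preparation (close descriptor 2), the lowest-free-descriptor rule handing the victim's log file number 2 so that its stderr diagnostic lands in the log, and the usual defence for a setuid program: make sure 0, 1 and 2 are open (on /dev/null if need be) before opening anything else.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Stand-in diagnostic. The real register program's messages are not shown
 * on this page, so this string is an assumption. */
static const char STDERR_MSG[] = "register: invalid entry\n";

/* Stand-in for the vulnerable setuid program: it opens its privileged log
 * (here a scratch file) and then prints a diagnostic on stderr, never
 * checking which descriptor number the log was assigned. Returns that
 * number, or -1 if the open failed. */
static int victim_open_log_then_complain(const char *log_path)
{
    int log_fd = open(log_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (log_fd < 0)
        return -1;
    fprintf(stderr, "%s", STDERR_MSG);   /* goes to fd 2, whatever that is now */
    fflush(stderr);
    close(log_fd);
    return log_fd;
}

/* Attacker's preparation: close fd 2 before handing control to the victim.
 * In the real attack this is followed by exec() of the setuid binary; here
 * the victim stand-in is called directly, and fd 2 is saved and restored so
 * this demo program keeps a usable stderr. */
static int run_attack(const char *log_path)
{
    int saved = dup(STDERR_FILENO);
    if (saved < 0)
        return -1;
    close(STDERR_FILENO);
    int got = victim_open_log_then_complain(log_path);
    dup2(saved, STDERR_FILENO);
    close(saved);
    return got;   /* 2: the log file was handed the stderr slot */
}

/* Defence for a setuid program: before opening anything, make sure 0, 1
 * and 2 are open (pointing them at /dev/null if not), so no privileged
 * file can be assigned one of those numbers. Returns how many descriptors
 * had to be repaired, or -1 on failure. */
static int sanitize_stdio(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd != fd)   /* lowest-free rule: must land exactly on fd */
                return -1;
            repaired++;
        }
    }
    return repaired;
}

/* The same attack against a victim that sanitizes its stdio first. */
static int run_hardened(const char *log_path)
{
    int saved = dup(STDERR_FILENO);
    if (saved < 0)
        return -1;
    close(STDERR_FILENO);
    int got = -1;
    if (sanitize_stdio() >= 0)
        got = victim_open_log_then_complain(log_path);
    dup2(saved, STDERR_FILENO);
    close(saved);
    return got;   /* >= 3: fd 2 was already occupied by /dev/null */
}

/* 1 if the log file holds exactly the stderr diagnostic, 0 otherwise. */
static int log_contains_stderr_msg(const char *log_path)
{
    char buf[128];
    int fd = open(log_path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, STDERR_MSG) == 0;
}

int main(void)
{
    const char *path = "/tmp/stdio_attack_demo.log";   /* assumed scratch path */
    int fd = run_attack(path);
    printf("attack:   victim's log got fd %d, log tainted=%d\n",
           fd, log_contains_stderr_msg(path));
    fd = run_hardened(path);
    printf("hardened: victim's log got fd %d, log tainted=%d\n",
           fd, log_contains_stderr_msg(path));
    unlink(path);
    return 0;
}
```

Compile with a C99 compiler and run it as an ordinary user; no setuid binary is needed because the whole exchange happens inside one process. The point to carry over to the real target is that the check in sanitize_stdio() has to live in the setuid program itself: it cannot trust the descriptor table it inherits from whoever execs it.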
Project Requirements
We want to see a working demonstration of your exploit (note: if not all of the requirements are satisfied, grades will be based on what you turn in).
(1) Read the source code (/smx/src/commands/simple/register.c, /smx/src/lib/stdio/fclose.c, /smx/include/stdio.h), figure out why this program is vulnerable, and identify the code responsible.
(2) Implement a simple attack program that shows how you can take advantage of this vulnerability to corrupt the /usr/adm/syslog file.
(3) In your report, give a solution that eliminates, or at least mitigates, the vulnerability. (You need not implement this solution.)
Preparing for the project
Download attack3.tar from the website and save it in your smx/ directory;
Execute the following steps:
apollo 100: cd /home/seed/ecslogin_id/smx
apollo 101: tar xvf attack3.tar
apollo 102: cp stdio.h include/stdio.h
apollo 103: cp fclose.c src/lib/stdio/fclose.c
apollo 104: cp register.c src/tools/register.c
apollo: cd src/lib
apollo: make all
apollo: cd ../commands
apollo: make all
apollo: cd ../tools
apollo: rm image
apollo: make image
apollo: mcc register.c -o register
apollo: minix
Solaris-Minix Release 2.0 Version 0
noname login: root
Password: *****
! sunread register>/usr/bin/register
! chmod 4755 /usr/bin/register
! exit
noname login: normal_user (assuming your login name is normal_user)
Password: *****
$ Begin your work
Submission & Demonstration
You are expected to submit a hardcopy report of your attack. In it, describe the procedure you used to carry out the attack, explain why you consider the attack successful, and describe what change would fix the vulnerability.
You will also need to demonstrate your attack to the TA. Here is your demonstration schedule.
Helpful Documents
Manual page for Syslog
File Descriptor Manipulation
What is set-UID
SetUID FAQ
Updated: 03/13/2005