Attack 7: Do Path Kernel Attack



Overview

The do_path kernel function resolves the absolute path name of an entry passed to it as an argument and returns it as a string. The path is built by concatenating path components one after another, starting from the trailing path component. The concatenated path name is stored in a fixed-length buffer of PAGE_SIZE bytes. If an entry points to a path longer than PAGE_SIZE - 1 characters, the leading path components are not written to the buffer, and the function returns the truncated path without an error value.
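
The truncation behaviour described above, as an added user-space model in C (not the SMX/Minix source and not part of the original assignment): `BUF_SIZE` stands in for PAGE_SIZE, and the function names, the 16-byte size and the sample components are assumptions made for illustration. It contrasts returning whatever fits with reporting an error when the path does not fit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16   /* assumption: small stand-in for PAGE_SIZE */

/* Constructed samples: components listed from trailing (leaf) to leading (root). */
static const char *const DEEP[]  = { "secret", "private", "home" };
static const char *const SHORT[] = { "b", "a" };
static char demo_buf[BUF_SIZE];
static const char *demo_out;

/* Write "/name" immediately before *pos. Returns 0, or -1 if it does not fit. */
static int prepend(char *buf, char **pos, const char *name)
{
    size_t len = strlen(name);
    if ((size_t)(*pos - buf) < len + 1) return -1;
    *pos -= len + 1;
    (*pos)[0] = '/';
    memcpy(*pos + 1, name, len);
    return 0;
}

/* Flawed pattern: when the buffer fills up, stop and return what fits, no error. */
const char *path_truncating(char *buf, const char *const *parts, size_t n)
{
    char *pos = buf + BUF_SIZE - 1;
    *pos = '\0';
    for (size_t i = 0; i < n; i++)
        if (prepend(buf, &pos, parts[i]) != 0) break;
    return pos;
}

/* Corrected pattern: a path that does not fit is an error, never a shorter path. */
int path_checked(char *buf, const char *const *parts, size_t n, const char **out)
{
    char *pos = buf + BUF_SIZE - 1;
    *pos = '\0';
    for (size_t i = 0; i < n; i++)
        if (prepend(buf, &pos, parts[i]) != 0) return -ENAMETOOLONG;
    *out = pos;
    return 0;
}

int main(void)
{
    printf("truncating: %s\n", path_truncating(demo_buf, DEEP, 3));
    printf("checked:    %d\n", path_checked(demo_buf, DEEP, 3, &demo_out));
    printf("short:      %d\n", path_checked(demo_buf, SHORT, 2, &demo_out));
    return 0;
}
```

With the constructed components, the truncating variant returns `/private/secret`, a well-formed absolute path that is not the entry's real location, while the checked variant returns `-ENAMETOOLONG`.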

The goal of this project is to enter a root directory that you do not have the right to access.


Project Requirements

We want to see a working demonstration of your exploitable implementation (note: if all the requirements are not satisfied, grades will be based on what you turn in).

    (1) Read the source code (/smx/src/fs/stadir.c & /smx/src/fs/path.c), figure out why there is a vulnerability in this program, and identify the corresponding code.
    (2) Implement an attack procedure to show how you can take advantage of this vulnerability to enter an unauthorized directory.
    (3) Give a solution in your report for how to eliminate or fix the vulnerability. (You need not implement this solution.)

 


Preparing for the project

Download attack7.tar from the website and save it in your smx/ directory, then execute the following steps:

    apollo 100: cd /home/seed/ecslogin_id/smx
    apollo 101: tar xvf attack7.tar
    apollo 102: cp path.c src/fs/path.c
    apollo 103: cp proto.h src/fs/proto.h
    apollo 104: cp stadir.c src/fs/stadir.c

    apollo 105: cd src/fs
    apollo 106: make
    apollo 107: cd ../tools
    apollo 108: minix

    Solaris-Minix  Release 2.0 Version 0
    noname login: normal_user        (suppose your user id is normal_user)
    Password: *****
    $ Begin your work



Submission & Demonstration

You are expected to submit a hardcopy report of your attack. In your report, you should describe the procedures you used to implement the attacks, explain why you consider your attack successful, and state what procedure may help to fix the vulnerability.

Also, you will need to demonstrate your attacks to the TA.
Here is your demonstration schedule.


Helpful Documents

 Manual page for path command

 What is set-UID

 SetUID FAQ

 Unix Shell Introduction

 Unix Shell Scripts   

 


Updated: 03/13/2005