Attack 5: Elvis Temporary File Attack

Overview    Requirement     Preparation    Submission    Resources

 

Overview

Elvis is an editor in minix, just like vi in unix, which has a flaw that allows a local attacker to corrupt files. The editors create temporary files to corrupt files that the user running the editor has permissions to.

Project Requirements

We want to see a working demonstration of your exploitable implementation (note: if all the requirements are not satisfied, grades will be based on what you turn in)  

    (1)    Find out where elvis creates temporary file and what is the rule to name these files. Locate and read the corresponding codes
    (2)    Implement attack procedures to show how can you take advantage of this vulnerability to corrupt files which you are not allowed to access
    (3)    Give a solution in report how to eliminate or fix the vulnerability. (You need not implement this solution)

 

Preparing for the project

Download attack5.tar from website and save it in your smx/ directory;
Execute following steps:

    apollo 100: cd /home/seed/ecslogin_id/smx
    apollo 101: tar xvf attack5.tar
    apollo 102: cp tmp.c src/commands/elvic/tmp.c

    apollo 103: cd src/commands/elvis
    apollo 104: make
    apollo 105: cd ../tools
    apollo 106: minix

    Solaris-Minix  Release 2.0 Version 0
    noname login: root
    Password: *****
    ! sunread ../commands/elvis/elvis >/usr/bin/elvis
    ! chmod 755 /usr/bin/elvis
    ! exit

    noname login: normal_user (suppose your user id is normal_user)
    Password: *****
    $ Begin your work

Submission & Demonstration

You are expected to submit a hardcopy report of your attack. In your report, you should specify the procedures you implement the attacks, explain why you consider your attack is successful, and what procedure may help to fix the vulnerability.

Also, you will need to demonstrate your attacks to TA. Here is your demonstration schedule.

Helpful Documents

 What is elvis editor

 elvis editor 

 What is set-UID

 SetUID FAQ

 Unix Shell Introduction

 Unix Shell Scripts

 

Updated: 03/13/2005