Attack 6: Passwd Attack


Overview

In Minix, the “passwd” command has a "-F/-f" flag that lets the user specify the file to use (instead of /etc/passwd). To run successfully, the specified file must be owned by root and must not be writable by other users. However, the command contains a vulnerability: a user can use it to view the contents of most root-owned files. (Hint: think about why not all of them. For example, you cannot see /etc/shadow.)
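A general hardening pattern for a set-UID program that accepts a user-specified file, given here as an added example (it is not the Minix passwd.c source and makes no claim about where its bug lies): the owner and write-permission checks from the overview are applied to the opened descriptor, and the open itself runs with the invoking user's identity. The function names are hypothetical, and POSIX seteuid() and O_NOFOLLOW are assumed, which Minix 2.0 may not provide.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the overview: regular file, owned by root, not writable by
 * group or others. Pure function, so it can be checked on any struct stat. */
int pwfile_policy_ok(const struct stat *st)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open a caller-supplied password file from a set-UID program.
 * Returns an open fd, or -1 if the invoking user may not read the file
 * or the file fails the policy. */
int open_user_pwfile(const char *path)
{
    struct stat st;
    uid_t saved_euid = geteuid();
    int fd;

    /* Open with the invoking user's identity, so the kernel applies that
     * user's read permission rather than the set-UID owner's. */
    if (seteuid(getuid()) != 0) return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (seteuid(saved_euid) != 0) { if (fd >= 0) close(fd); return -1; }
    if (fd < 0) return -1;

    /* fstat() the descriptor, not the path, so the checks describe the
     * object that will actually be read. */
    if (fstat(fd, &st) != 0 || !pwfile_policy_ok(&st)) { close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_user_pwfile(argc > 1 ? argv[1] : "/etc/passwd");
    printf("%s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);
    return 0;
}
```

The policy check alone accepts any root-owned, non-writable regular file regardless of who may read it; the privilege drop around open() is what ties the read to the invoking user's permissions.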


Project Requirements

We want to see a working demonstration of your exploitable implementation. (Note: if not all of the requirements are satisfied, grades will be based on what you turn in.)

    (1) Read the source code (/smx/src/commands/simple/passwd.c and /smx/src/lib/other/getpwent.c), figure out why this program is vulnerable, and identify the corresponding code.
    (2) Implement an attack procedure that shows how you can take advantage of this vulnerability to see the contents of root's files.
    (3) Describe in your report a solution that eliminates or fixes the vulnerability. (You need not implement this solution.)


Preparing for the project

Download attack6.tar from the website and save it in your smx/ directory.
Then execute the following steps:

    apollo: cd /home/seed/ecslogin_name/smx
    apollo: tar xvf attack6.tar
    apollo: cp getpwent.c src/lib/other/getpwent.c
    apollo: cp passwd.c src/commands/simple/passwd.c

    apollo: cd src/lib
    apollo: make all
    apollo: cd ../commands/simple
    apollo: make
    apollo: cd ../../tools
    apollo: rm image
    apollo: make image
    apollo: minix

    Solaris-Minix  Release 2.0 Version 0
    noname login: root
    Password: *****
    ! sunread ../commands/simple/bin/passwd>/usr/bin/passwd
    ! chmod 4755 /usr/bin/passwd
    ! exit

    noname login: normal_user (suppose your user id is normal_user)
    Password: *****
    $ Begin your work


Submission & Demonstration

You are expected to submit a hardcopy report of your attack. In your report, you should describe the procedure you used to carry out the attack, explain why you consider your attack successful, and say what procedure may help to fix the vulnerability.

You will also need to demonstrate your attack to the TA.
Here is your demonstration schedule.


Helpful Documents

 Manual page for passwd command

 Manual page for getpwent command

 What is set-UID

 SetUID FAQ

 Unix Shell Introduction

 Unix Shell Scripts  

 


Updated: 03/13/2005