Attack 1: Race Condition Attack


Overview

A race condition is an undesirable situation that occurs when a system attempts to perform two or more operations at the same time but, because of the nature of the system, the operations must be done in the proper sequence in order to be done correctly.

In this project, we provide a vulnerable setuid program. You can use a race condition to attack this program and obtain some unauthorized privilege.

For example, if a program removes a file by 1) checking the write permission and then 2) deleting it, we can take advantage of a context switch between 1) and 2) so that the program checks the permission of A but deletes B.
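The check-then-use gap described above, shown beside a hardened form, as an added example (not code from at.c or the course materials). It generalizes the delete case to opening a file and assumes a modern POSIX system with seteuid() and O_NOFOLLOW rather than the Minix 2.0 environment used in the project; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the path is resolved twice. access() checks with the real UID,
 * open() acts with the effective UID, and the name can be re-pointed in
 * between, so the check and the use may hit different files. */
int open_racy(const char *path)
{
    if (access(path, W_OK) != 0) return -1;   /* 1) check */
    return open(path, O_WRONLY);              /* 2) use   */
}

/* Hardened: open once as the invoking user, so the kernel's permission
 * check and the use are a single operation, then validate the open
 * descriptor instead of the name. */
int open_safe(const char *path)
{
    uid_t saved = geteuid();
    struct stat st;
    if (seteuid(getuid()) != 0) return -1;        /* drop setuid privilege */
    int fd = open(path, O_WRONLY | O_NOFOLLOW);   /* refuse a final symlink */
    if (seteuid(saved) != 0 && fd >= 0) { close(fd); fd = -1; }
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd); fd = -1;                       /* not a regular file */
    }
    return fd;
}

/* Constructed sample: returns 1 if open_safe accepts a regular file and
 * rejects a symlink to it, while open_racy follows the symlink. */
int demo(void)
{
    char file[] = "/tmp/tocdemoXXXXXX", lnk[64];
    int tmp = mkstemp(file), a, b, c;
    if (tmp < 0) return 0;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return 0; }
    a = open_safe(file); b = open_safe(lnk); c = open_racy(lnk);
    if (a >= 0) close(a);
    if (b >= 0) close(b); if (c >= 0) close(c);
    unlink(lnk); unlink(file);
    return a >= 0 && b < 0 && c >= 0;
}

int main(void) { printf("demo ok: %d\n", demo()); return 0; }
```

O_NOFOLLOW only covers the last path component, so a setuid program should also avoid operating in directories that the invoking user can modify.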


Project Requirements

We want to see a working demonstration of your exploitable implementation (note: if not all the requirements are satisfied, grades will be based on what you turn in).

Mandatory Requirement:

    (1) Read the source code (/smx/src/commands/simple/at.c), figure out why there is a race condition vulnerability in this program, and identify the corresponding code.
    (2) Implement attack programs (C or shell) to show how you can take advantage of this vulnerability to obtain unauthorized privilege.
    (3) In your report, give a solution that eliminates or at least reduces the chance of the race condition. (You need not implement this solution.)

Bonus Part:

    If mkdir is changed to be a setuid program, what is the outcome? Identify the corresponding code that may cause a problem and describe how you can exploit it.


Preparing for the project

Download attack1.tar from the website and save it in your smx/ directory.
Execute the following steps:

    apollo 100: cd /home/seed/ecslogin_id/smx
    apollo 101: tar xvf attack1.tar
    apollo 102: cp at.c src/commands/simple/.

    apollo 103: cd src/commands/simple
    apollo 104: make
    apollo 105: cd /home/seed/ecslogin_name/smx/src/tools
    apollo 106: minix

    Solaris-Minix Release 2.0 Version 0
    noname login: root
    Password: *****
    ! sunread ../commands/simple/bin/at>/usr/bin/at
    ! chmod 4755 /usr/bin/at
    ! exit   

    noname login: normal_user        (suppose your user id is normal_user)
    Password: *****
    $ Begin your work


Submission & Demonstration

You are expected to submit a hardcopy report of your attack. In your report, you should describe the procedure you followed to implement the attack, explain why you consider your attack successful, and state what procedure may help to fix the vulnerability.

Also, you will need to demonstrate your attacks to the TA.
Here is your demonstration schedule.


Helpful Documents

 Manual Page for at command

 Race Condition

 Linux Ptrace race condition allows a local attacker to gain root privileges

 What is set-UID

 SetUID FAQ

 


Updated: 03/13/2005