Attack 4: set path Attack

Overview

Some setuid or setgid programs use the system() function to call other commands. If a command is called by a relative path, such as system("ls"), the shell that system() starts searches for "ls" in the default paths, which are set in the environment at login. With no arguments, the set command displays all environment variables in Minix. These variables can be temporarily changed by the current user.

The goal of this project is to use this vulnerability to escalate privilege and do something that only the root user can do, such as "cat /etc/shadow" or "rm /etc/passwd".


Project Requirements

We want to see a working demonstration of your exploitable implementation (note: if not all the requirements are satisfied, grades will be based on what you turn in).

    (1) Read the source code (/smx/src/commands/simple/at.c) and figure out how this vulnerability can be exploited.
    (2) Implement a simple attack program to show how you can use this vulnerability to execute commands that only the root user can run.
    (3) In your report, give a solution that eliminates or fixes the vulnerability. (You need not implement this solution.)


Preparing for the project

Download attack4.tar from the website and save it in your smx/ directory, then execute the following steps:

    apollo 100: cd /home/seed/ecslogin_id/smx
    apollo 101: tar xvf attack4.tar
    apollo 102: cp at.c src/commands/simple/at.c

    apollo 103: cd src/commands/simple
    apollo 104: make
    apollo 105: cd /home/seed/ecslogin_name/smx/src/tools
    apollo 106: minix

    Solaris-Minix Release 2.0 Version 0
    noname login: root
    Password: *****
    ! sunread ../commands/simple/bin/at>/usr/bin/at
    ! chmod 4755 /usr/bin/at
    ! exit

    noname login: normal_user        (suppose your user id is normal_user)
    Password: *****
    $ Begin your work

 


Submission & Demonstration

You are expected to submit a hardcopy report of your attack. In your report, describe the procedure you used to implement the attack, explain why you consider your attack successful, and state what procedure may help fix the vulnerability.

Also, you will need to demonstrate your attack to the TA.
Here is your demonstration schedule.


Helpful Documents

 Manual page for at command

 What is set-UID

 SetUID FAQ   

 


Updated: 03/13/2005