Attack 2: "su" setuid Attack
Overview
The "su" command is a setuid program that permits a logged-in user to change his or her user ID, provided the user can authenticate by entering the password for the new user ID. This program contains a vulnerability that any user can use to obtain a root shell.
Project Requirements
We want to see a working demonstration of your exploitable implementation (note: if all the requirements are not satisfied, grades will be based on what you turn in).
(1) Read the source code (/smx/src/commands/simple/su.c and /smx/src/fs/open.c), figure out when the system creates a root shell in this program, and identify the corresponding code. Think about how you can use it to get a root shell. (Hint: use a denial-of-service attack.)
(2) Implement attack programs or attack steps to show how you can take advantage of this vulnerability to gain a root shell from a normal user shell.
(3) Give a solution in your report for eliminating or fixing the vulnerability. (You need not implement this solution.)
Preparing for the project
Download attack2.tar from the website and save it in your smx/ directory.
Execute the following steps:
apollo 100: cd /home/seed/ecslogin_id/smx
apollo 101: tar xvf attack2.tar
apollo 102: cp limits.h include/limits.h
apollo 103: cp su.c src/commands/simple/su.c
apollo 104: cp open.c src/fs/open.c
apollo 105: cd src/commands/simple
apollo 106: make
apollo 107: cd ../fs
apollo 108: make
apollo 109: cd ../tools
apollo 110: minix
Solaris-Minix Release 2.0 Version 0
noname login: root
Password: *****
! sunread ../commands/simple/bin/su>/usr/bin/su
! chmod 4755 /usr/bin/su
! exit
noname login: normal_user (suppose your user id is normal_user)
Password: *****
$ Begin your work
Submission & Demonstration
You are expected to submit a hardcopy report of your attack. In your report, you should specify the procedures you used to implement the attacks, explain why you consider your attack successful, and describe what procedure may help to fix the vulnerability.
Also, you will need to demonstrate your attacks to the TA. Here is your demonstration schedule.
Helpful Documents
Manual page for SU command
What is set-UID
SetUID FAQ
Unix Shell Introduction
Unix Shell Scripts
Updated: 03/13/2005