EC310 Twelve Week Exam Spring 2015
April 2, 2015

United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 12 Week Midterm - Spring 2015

1. Do a page check: you should have 8 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use two single-sided hand-written pages of notes. Turn in your two single-sided hand-written pages of notes with your exam.
5. This exam may be given as a makeup exam to several midshipmen at a later time.
6. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: ____KEY________________
Instructor: ____________________

Problem   Topic                              Possible
1         Buffer Overflow                    16
2         Routing                            12
3         Ethernet and Address Resolution    28
4         IP and Man-in-the-Middle Attack    44
TOTAL                                        100 Points

Page 1 of 9

Question 1 (16 pts). You are using a Linux system where no user has been granted sudo privileges. After typing in the command

    ls -l gethappy.exe

you see: [ls -l listing shown in figure]

This file is owned by atwood, who is a member of the group named instructor.

(a) (3 pts) You (midshipman) are not a member of the group instructor. What command would atwood have to enter to give you (and all other users) permission to read and execute the gethappy.exe file?

Answer: chmod o+rx gethappy.exe OR chmod o=rx gethappy.exe
(1 point for chmod, 1 point for o+rx, 1 point for file name)

The owner atwood then makes some changes to permissions and you now see: [ls -l listing shown in figure]

Suppose that Evil Jose is executing the file gethappy.exe. He inserts malicious code onto the program's stack. His malicious code is 40 bytes long and is intended to open a command prompt. He guesses that his 40-byte exploit is on the stack at address bffff7d0, so he follows his exploit with several repetitions of this return address. The picture on the below left indicates how Jose believes the stack is arranged.
Unfortunately (for him), Evil Jose guessed wrong about the location of his 40-byte exploit: it is actually stored starting at address bffff7cc. The picture on the below right indicates how the stack is actually arranged. (Note that Jose did guess the correct location of where the return address is stored.) Jose finds out that his attack is not working.

[Figure, left: "What Evil Jose Believes the Stack Looks Like". Figure, right: "Reality: The Actual Stack".]

This question continues on the next page.

(b) (6 pts) Explain how Evil Jose should have crafted his attack to successfully execute a buffer overflow without needing to guess the exploit location exactly. Your answer should be no more than a few sentences, and should indicate what specific tool or technique Evil Jose should have employed, and why this technique would have helped him.

Correct student answer (but the picture below is not required): Evil Jose should have prefaced his 40-byte exploit with a NOP sled. Since he does not know the exact location of where the buffer is located in memory, a NOP sled allows him to be a little off with the return address. For example, if he entered 8 NOPs, the stack would look like that shown below, and his attack would have worked.

[Figure: the stack with an 8-NOP sled in front of the exploit]

Use judgment on grading. Give 3 points for mention of NOP sled and 3 points for a quasi-grammatical explanation of how it helps.

Comment: In actuality, given how the stack was actually organized, 4 NOPs would have resulted in a successful attack, but more than 24 NOPs would have led to failure for a different reason: the 40-byte exploit would then start overwriting the return address.

Comments: The problem: Jose's exploit fails because when the program returns to the address bffff7d0 that Jose placed in the buffer, execution starts four bytes into the exploit (not at the start of the exploit).
Although Jose correctly overwrote the section of memory containing the return address, the value he chose as the new return address, bffff7d0, was not the location of the start of the exploit.

The student should get minimal points for saying: "Jose should change the return address to bffff7cc so that execution begins at the start of his exploit." Recall that Jose does not know where his exploit is located, and an exhaustive search of all possible return addresses is not a good and helpful tool/approach.

The student should get no points for saying: "Jose should have placed the starting location for his buffer entry at a different location in memory." Recall that Jose has no control of where the compiler has placed the target buffer in memory. Whatever he types into the buffer is going to begin at address bffff7cc.

(c) (3 pts) Suppose Evil Jose eventually gets his exploit to work, and opens a command prompt. When Evil Jose performs this attack, whose command prompt opens? Explain.

Answer: A command prompt for atwood opens. Deduct 2 points for the answer "root".
Explanation: Since the setuid flag is set on this file, Jose is running the program as though he were the file's owner. If he then opens a command prompt, a command prompt for the file owner (atwood) would be opened.

(d) (4 pts) Explain how monitoring/checking of the eip register can prevent a program from being exploited by a buffer overflow. Be specific.

Answer: The eip register should never hold an address that is outside the program's allotted text segment. Specifically, the eip register should never be permitted to hold an address that is in the stack's address range. This is the "non-executable stack" technical solution.

Use judgment on grading. No points should be given if the student does not present a solution that mentions the need to restrict the eip register to addresses within a certain range.
Question 2 (12 pts). Consider the network shown below, where the numbers on the links indicate the cost of using that link. For example, the cost of using the link from Router A to Router B is 7. The network uses link state routing.

[Figure: network of routers with link costs]

(a) (6 pts) Sketch the Link State Packet (LSP) that is crafted by Router A. Fill in your answer in the table below.

LSP for Router A
Router   Weight
B        7
G        1
H        3

One point per entry. Deduct one point for each incorrect/superfluous entry. Grade cannot be less than zero.

(b) (6 pts) Router A sends an IP packet to Router D. What is the path that this packet traverses through the network? (Your answer should consist of a series of routers, e.g.: "A-B-C-D".)

Answer: A–G–B–E–C–D
One point per entry. Deduct one point for each incorrect entry.

Question 3 (28 pts). Consider the 10 Mbps Ethernet used by the six users (five midshipmen and Evil Jose) shown below. For each user, we show symbols denoting the IP address and Ethernet address. For example, MIDN Happy has IP address A and Ethernet address U.

[Figure: the six users with their IP address and Ethernet address symbols]

(a) (2 pts) How many bits are in an Ethernet address?
Answer: 48 NPC

(b) (2 pts) What layer of the TCP/IP reference model does the bridge operate at?
Answer: Data Link NPC

(c) (4 pts) What is the effective data rate seen by MIDN Happy?
Answer: 2.5 Mbps. Deduct 2 pts for 3.33 Mbps.

(d) (4 pts) If the bridge were to be replaced by a hub, what would be the effective data rate seen by MIDN Happy?
Answer: 10 Mbps / 6 users = 1.67 Mbps. NPC

MIDN Happy now wants to send an IP packet to his friend MIDN GoLucky. He knows MIDN GoLucky's IP address is C. To determine MIDN GoLucky's Ethernet address, MIDN Happy sends an ARP Request Message.

(e) (3 pts) What Ethernet address is used as the destination address in the frame that contains the ARP Request Message in its data field?
Answer: The broadcast address OR FF:FF:FF:FF:FF:FF.
NPC

(f) (3 pts) When an IP packet is placed in the data field of an Ethernet frame, the IP packet is said to be (choose one):
(i) Packetized
(ii) Encapsulated
(iii) Framed
(iv) Segmented
(v) Transported
NPC

This question continues on the next page.

(g) (4 pts) After learning MIDN GoLucky's Ethernet address, MIDN Happy sends a 9001 byte IP packet to MIDN GoLucky. How many Ethernet frames were needed to send this IP packet? Show work.
Answer: 9001/1500 = 6.0007 ... so seven frames are needed. Deduct one point for the answer "6".

(h) (6 pts) Suppose that a number of ARP exchanges have taken place and all six users have a complete and correct ARP cache, showing the correct IP address - Ethernet address pairings for all users. MIDN Happy then launches an ARP spoofing attack against Evil Jose. After completing the attack, whenever a user sends an IP packet to Evil Jose, the IP packet will be sent to MIDN Happy instead. To accomplish this attack, MIDN Happy sends an unsolicited ARP reply that contains an incorrect IP address - Ethernet address pairing. Construct the complete ARP cache for MIDN GoLucky after the ARP spoofing attack is completed. Place your answer in the table below. Use the IP address and Ethernet address symbols shown in the figure on the previous page.

ARP cache for MIDN GoLucky
IP Address   Ethernet Address
A            U
B            U
C            W
D            X
E            Y
F            Z

Two points for correct first line (MIDN Happy). Two points for correct second line (Evil Jose). 2 points for the remaining lines. No penalty if the midshipmen do not include the table entry for MIDN GoLucky (C - W).

Question 4 (44 pts). Examine the network shown below. MIDN Happy (whose IP address is 2.2.2.10) regularly accesses the EC310 website (IP address 7.7.7.179).

[Figure: network diagram with routers, including RB]

(a) (2 pts) How many bytes are in an IP address?
Answer: 4 NPC

(b) (10 pts) Considering the network shown above, construct the routing table for Router B. Place your answer in the table below, leaving any unused rows blank.

[Routing table for Router B: answer given in figure]

(3 pts for correct mask order, 2 points for last line in table, 2 points for Network address column, 2 points for Next-hop column, 1 point for interface column)

(c) (2 pts) What layer of the TCP/IP reference model does a router (such as RB in the picture) operate at?
Answer: Network NPC

This question continues on the next page.

(d) (2 pts) In one sentence, what is the purpose of a network mask?
Answer: The network mask is used to extract the network ID from an IP address. NPC

Evil Jose is located on the 5.5.5.0/24 network and wants to prevent MIDN Happy from reaching the EC310 website at 7.7.7.179. He turns his computer into a router using Loki and advertises a false network. The advertisement for this false network propagates to Router RB.

[Figure: network diagram; the answer key marks the chosen router interface with an asterisk labelled "Answer for part (g)".]

In the table below, under the target's network (7.7.7.128) and the target's IP address (7.7.7.179), the bit values corresponding to the first three octets have been filled in.

(e) (4 pts) In the table below, fill in the bit values for the last octet of the target's network and the target's IP address.

[Table: bit values of 7.7.7.128 and 7.7.7.179, answer given in figure]
Two points for each entry.

(f) (8 pts) Design a false network! Specifically, state the network ID for the false network you would use. Use the table above to show your work. Your answer should be of the form W.X.Y.Z/n.

Answer: See figure above. 7.7.7.160/27 (or 7.7.7.176/28 or 7.7.7.176/29). Use judgment on grading. No points for meaningless answers.

This question continues on the next page.

(g) (4 pts) The network administrator has decided to employ a passive interface to spoil this attack. Select the best router, and a best interface on that router, for employment of a passive interface.
(Note that this question is asking you to first choose the best router, and then choose one of the interfaces on that specific router.) Answer this question by placing an asterisk directly next to your chosen router interface on the picture on the preceding page, and writing next to this asterisk: "Answer for g".

Answer: See picture. Deduct two points if the answer is given as the m0 interface on RB; no credit for other answers.

Questions (h) - (j) below are not related to the previous questions.

(h) (4 pts) Express the mask for the network 6.6.6.128/27 in dotted decimal notation.
Answer: 255.255.255.224. Deduct two points for: 6.6.6.224.

(i) (4 pts) How many IP addresses are available for assignment to hosts on the network 6.6.6.128/27?
Answer: 2^5 − 2 = 30. Deduct 2 pts if the student shows the correct formula but uses the wrong number of bits in the host ID.

(j) (4 pts) What is the broadcast address for the network 6.6.6.128/27? Show your work!
Answer: 6.6.6.159. Use judgment on grading. Give 2 points partial credit if the student shows the right thought process but makes a math error.

Turn in your equation sheet with your exam!
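The ARP cache from Question 3(h) above, from the defender's side: this added example (not part of the exam) is a small arpwatch-style monitor that flags an unsolicited ARP reply, flags a reply that changes an existing IP-to-Ethernet binding, and reports any Ethernet address claimed by more than one IP, which is exactly the state MIDN GoLucky's cache ends up in. The symbolic addresses A..F and U..Z are the exam's; Evil Jose's real Ethernet address is not given on the page, so "V" is a constructed placeholder.

```python
"""Added example, not part of the exam: ARP-cache monitoring for the
Question 3(h) scenario (unsolicited reply, changed binding, shared MAC)."""
from collections import defaultdict

# Constructed: GoLucky's complete, correct cache before the attack (IP -> MAC).
# "V" for Evil Jose's real Ethernet address is a placeholder; the exam figure
# does not appear on the page.
BASELINE = {"A": "U", "B": "V", "C": "W", "D": "X", "E": "Y", "F": "Z"}


def process_reply(cache, outstanding, sender_ip, sender_mac):
    """Apply one ARP reply to `cache` and return a list of alert strings.

    `outstanding` is the set of IPs this host has recently sent ARP Requests
    for; a reply for any other IP is unsolicited (gratuitous)."""
    alerts = []
    if sender_ip in outstanding:
        outstanding.discard(sender_ip)
    else:
        alerts.append(f"unsolicited ARP reply for {sender_ip} from {sender_mac}")
    old = cache.get(sender_ip)
    if old is not None and old != sender_mac:
        alerts.append(f"binding change {sender_ip}: {old} -> {sender_mac}")
    cache[sender_ip] = sender_mac
    return alerts


def shared_macs(cache):
    """Return {mac: [ips...]} for every Ethernet address bound to >1 IP."""
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def simulate_question_3h():
    """Replay the exam's attack: Happy (Ethernet U) sends an unsolicited reply
    claiming Jose's IP (B). Returns (alerts, cache_after, shared_macs)."""
    cache = dict(BASELINE)
    outstanding = set()  # GoLucky has no ARP Request pending
    alerts = process_reply(cache, outstanding, "B", "U")
    return alerts, cache, shared_macs(cache)


if __name__ == "__main__":
    alerts, cache, shared = simulate_question_3h()
    print("\n".join(alerts))
    print("cache after attack:", cache)
    print("Ethernet addresses claimed by several IPs:", shared)
```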
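The prefix arithmetic behind Question 4 parts (e) through (j), as an added example (not part of the exam) using Python's standard ipaddress module: it produces the last-octet bit patterns, mask, usable host count and broadcast address asked for, and shows why a more specific route such as 7.7.7.160/27 wins longest-prefix matching for 7.7.7.179 against the legitimate network, together with the check a router operator could apply to such an advertisement. The legitimate prefix length (/25) and the next-hop labels are assumed placeholders; the page gives neither.

```python
"""Added example, not part of the exam: subnet arithmetic and longest-prefix
matching for Question 4 (e)-(j)."""
import ipaddress


def last_octet_bits(addr: str) -> str:
    """Last octet as an 8-bit string, as in the table for part (e)."""
    return format(int(addr.split(".")[-1]), "08b")


def mask_dotted(network: str) -> str:  # part (h)
    return str(ipaddress.ip_network(network, strict=False).netmask)


def usable_hosts(network: str) -> int:  # part (i): 2**host_bits - 2
    return ipaddress.ip_network(network, strict=False).num_addresses - 2


def broadcast(network: str) -> str:  # part (j)
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


def longest_prefix_match(routes, dst: str):
    """Return the (network, next_hop) pair whose network contains dst with the
    longest prefix, or None. `routes` is a list of (network_str, next_hop)."""
    ip = ipaddress.ip_address(dst)
    matching = [(ipaddress.ip_network(n), hop) for n, hop in routes
                if ip in ipaddress.ip_network(n)]
    if not matching:
        return None
    net, hop = max(matching, key=lambda r: r[0].prefixlen)
    return str(net), hop


def is_more_specific_overlap(legit: str, advertised: str) -> bool:
    """Defensive check: True if `advertised` is a proper sub-prefix of a network
    already known to be reachable elsewhere (the shape of Jose's false route)."""
    a, l = ipaddress.ip_network(advertised), ipaddress.ip_network(legit)
    return a.subnet_of(l) and a.prefixlen > l.prefixlen


# Constructed routing table for RB: the /25 for the EC310 network and the
# next-hop names are assumptions, not values from the exam.
RB_ROUTES = [("7.7.7.128/25", "legit-next-hop"),
             ("7.7.7.160/27", "jose-next-hop")]  # the advertised false network

if __name__ == "__main__":
    print(last_octet_bits("7.7.7.128"), last_octet_bits("7.7.7.179"))
    print(mask_dotted("6.6.6.128/27"), usable_hosts("6.6.6.128/27"),
          broadcast("6.6.6.128/27"))
    print("7.7.7.179 forwarded via:", longest_prefix_match(RB_ROUTES, "7.7.7.179"))
    print("false route is a more-specific overlap:",
          is_more_specific_overlap("7.7.7.128/25", "7.7.7.160/27"))
```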