Security Exercise 10

Part I. Initial Conditions

To set up for this lab, carefully perform the following operations. Check off each step as you complete it. Let your instructor or lab tech know if you encounter any problems.

1. Navigate to your work directory by entering

       cd work

   In Lab 9 you used the program note2.c. Make sure that the program note2.c and its compiled machine code version, note2.exe, are both still in your work directory by entering:

       ls

   You likely have additional files in your work directory—that's fine!

2. Recall that the program named note2.c allowed all your Company mates to send you notes. The program has made you famous, and the root user would like to purchase it from you. He will pay you 25,000 Iranian rials for the program. 25,000 is a big number, so of course you accept. Transfer ownership of the program note2.c to the root user by entering:

       sudo chown root:root ./note2.exe

   Verify that you have successfully transferred ownership of the file note2.exe to the root user by entering

       ls -l note2.exe

3. Now, the root user wants anyone to be able to execute the program note2.exe as though they were the root user, so that anyone can leave notes in the file /tmp/notes. To give everyone the ability to write to the file /tmp/notes in a very carefully controlled manner (only via the use of the program note2.exe) we must set the setuid permission for the file note2.exe. To do this, enter:

       sudo chmod u+s note2.exe

   Verify that the setuid permission is enabled by entering

       ls -l note2.exe

4. In class today we discussed the program bettersearchnote.c. This program has been written for you and placed in the ec310code directory. Copy this file to the work directory by carefully entering the following at the home directory prompt:

       midshipman@EC310:~ $ cp ec310code/bettersearchnote.c work

   Make sure you are at your home directory! Enter the cp command shown after the prompt.
   Verify that you have bettersearchnote.c in your work directory by changing to the work directory:

       cd work

   and then listing the files in the work directory:

       ls

5. Compile the program bettersearchnote.c as bettersearchnote.exe by entering:

       gcc -o bettersearchnote.exe bettersearchnote.c

   Make sure you now have bettersearchnote.exe in your work directory (enter ls).

6. Transfer ownership of bettersearchnote.exe to the root user by entering

       sudo chown root:root ./bettersearchnote.exe

   and set the setuid permission on this program by entering

       sudo chmod u+s bettersearchnote.exe

   Verify that root owns the program and that the setuid permission is enabled by entering

       ls -l bettersearchnote.exe

After all of these steps are completed, proceed to Part II.

Part II. Adding Some Notes

Let's add some notes to the file /tmp/notes. First, let's start fresh by removing any old version of /tmp/notes that might exist. Enter

    rm /tmp/notes

If you get a message saying "No such file or directory", that's okay.

Now, let's say that the root user wants to add a note saying: "Notes for today:". To accomplish this, enter

    sudo su root
    ./note2.exe "Notes for today:"
    exit

Now, let's have joe enter the note "Parades stink". To accomplish this, enter:

    sudo su joe
    ./note2.exe "Parades stink"
    exit

Now, let's have mia enter the note "What is for lunch?" To accomplish this, enter:

    sudo su mia
    ./note2.exe "What is for lunch?"
    exit

Finally, let's have joe enter the note "Musters stink". To accomplish this, enter:

    sudo su joe
    ./note2.exe "Musters stink"
    exit

Now, go back to your work directory (you may be there already) and look at the file /tmp/notes by entering

    cat /tmp/notes

It didn't let you see the notes!

Question 1. Why did the command cat /tmp/notes not let you see the notes?

Question 2. What command would you enter to view the file /tmp/notes?

Enter your answer for Question 2 and show your instructor the contents of the file /tmp/notes. Then move on to Part III.

Part III. Using the Program bettersearchnote.exe

Recall that the program bettersearchnote.exe allows the user to view the notes that he has entered (and only the notes that he has entered). Suppose the user mia wants to see the notes that she has left. Switch to user mia:

    sudo su mia

and run the program as mia:

    ./bettersearchnote.exe

Question 3. Did the program work as expected?

Return to the user midshipman by entering

    exit

Now recall that the program bettersearchnote.exe allows the user to enter a search string as a command line argument, and the program will then only print out messages left by the user that contain the specified search string. Switch to user joe:

    sudo su joe

and run the program as joe:

    ./bettersearchnote.exe

Question 4. What output did you obtain?

Now, run the program again, but giving a command line argument:

    ./bettersearchnote.exe "Must"

Question 5. What output did you obtain?

Return to the user midshipman by entering

    exit

Switch to user root:

    sudo su root

and run the program as root:

    ./bettersearchnote.exe

Question 6. What does root see when he runs the program?

Question 7. Why doesn't the root user see everyone's notes? He's root after all.

Return to the user midshipman by entering

    exit

and proceed to Part IV.

Part IV. A Strange Occurrence

One of your friends has sent you a note: "Here is a great program named exploit_notesearch.c . Try it out."

In the booksrc directory, there resides a file named exploit_notesearch.c. Change to your home directory by entering

    cd

From your home directory, copy this file by entering

    midshipman@EC310:~ $ cp booksrc/exploit_notesearch.c work

Make sure you are at your home directory! Enter the cp command shown after the prompt.

Verify that you have exploit_notesearch.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have exploit_notesearch.c in your work directory STOP and ask your instructor or lab tech for assistance. Otherwise, continue.
We have to make one change to this program. Open this program for editing using nano:

    nano exploit_notesearch.c

and change the line that reads

    strcpy(command, "./notesearch \'"); // start command buffer

to read

    strcpy(command, "./bettersearchnote.exe \'"); // start command buffer

Note that this says bettersearchnote, not betternotesearch! Add the .exe to the end!

Save the program (Control-o then Control-x).

Compile the program exploit_notesearch.c by entering

    gcc exploit_notesearch.c

and execute the program by entering

    ./a.out

Question 8. What shocking event just happened?

Question 9. Enter whoami. What is the reply?

The programs used in this security exercise are adapted from programs presented in Hacking, The Art of Exploitation, No Starch Press, 2008.

Security Exercise 10 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
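The ownership and setuid checks that Part I performs one file at a time with ls -l, written as a directory-wide audit plus a cleanup for after the lab. This is an added example, not part of the original handout; the function names list_setuid and clear_setuid are hypothetical, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example (not from the lab handout): audit a directory for setuid
# executables such as note2.exe and bettersearchnote.exe once
# "chown root:root" and "chmod u+s" have been applied to them.
# Assumes GNU find and GNU stat (for "stat -c").

# list_setuid DIR [OWNER]
# Print "<octal mode> <owner> <path>" for every regular file under DIR that
# has the setuid bit set and belongs to OWNER (a user name or numeric UID;
# default: root). Prints nothing when no such file exists.
list_setuid() {
    find "$1" -type f -perm -4000 -user "${2:-root}" \
        -exec stat -c '%a %U %n' {} +
}

# clear_setuid DIR [OWNER]
# Remove the setuid bit from the same set of files and print the path of
# each file whose mode was actually changed. The caller needs permission to
# chmod the files (root, or the owner of the file).
clear_setuid() {
    find "$1" -type f -perm -4000 -user "${2:-root}" \
        -exec chmod u-s {} \; -print
}

# Stand-alone use: ./audit_setuid.sh DIR [OWNER] lists the matching files.
# The script name is a placeholder.
if [ $# -gt 0 ]; then
    list_setuid "$@"
fi
```

A mode beginning with 4 (for example 4755) is the same setuid bit that ls -l shows as an s in the owner's execute position. Clearing the bit on root-owned files needs root privileges, so run the cleanup from a root shell.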