Challenge 1: General Unix Security

Introduction


The function system() provided by the standard C library (libc) takes a string argument that is passed as command string to a shell command language interpreter such as sh (or bash). The use of this function is generally considered dangerous because the shell is a complex application that uses many implicit transformation rules. In addition, its behavior is controlled by several environment variables. In order to make a safe call to system(), the input has to be rigorously sanitized and the environment has to be sane. Even then, problems in the program(s) invoked by the shell through system() can be abused to compromise the calling application.
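A shell-free alternative to the system() call described above, as an added example that is not part of the original assignment: the hypothetical helper run_no_shell() starts a program through fork() and execve() with an absolute path, an argument vector and a fixed environment, and drops set-gid/set-uid privileges in the child. The PATH value in clean_env is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child (assumed PATH value). Nothing is inherited
 * from the caller, so a user-controlled PATH, IFS, LD_PRELOAD, ... is gone. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper: run `path` with `argv`, with no shell in between.
 * Returns the child's exit status (0-255), or -1 on error. */
int run_no_shell(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    /* Absolute paths only: no PATH search, no dependence on the cwd. */
    if (path == NULL || path[0] != '/' || argv == NULL || argv[0] == NULL)
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Give up set-gid/set-uid privileges so that a flaw in the
         * executed program cannot be used with the caller's group. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        /* execve() passes every argv[] string to the program unchanged:
         * ';', '|', '$(...)' and spaces have no special meaning. */
        execve(path, argv, clean_env);
        _exit(127); /* exec failed */
    }

    /* Parent: wait for the child, retrying if a signal interrupts us. */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```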

Detailed Description


Your first task is to exploit vulnerabilities in four programs that have their set-gid (i.e., set group identification) bit enabled. The programs are installed under /usr/local/bin/prog[1-4]. The source for the programs can be obtained here (not necessarily listed in order):

An enabled set-gid bit means that whenever you execute one of these programs, your process gets the effective group-id of the group that owns the file. Consider a file called myProg with the following access permissions, as shown by ls -la.

      -rwxr-sr-x 1  boss inetsec 8192 Jan 1 2001 myProg
    

Whenever a user who falls into the "other" permission class (i.e., is not user boss and does not belong to group inetsec) executes this file, the process runs with an effective group-id of inetsec and may access all resources according to the restrictions for group inetsec.

You have successfully exploited a vulnerability in one of our four challenge programs when you call /bin/grade with the effective group-id of the group that owns the vulnerable program (for our challenge, these are groups bsp[1-4]). In the example above, myProg would be considered successfully exploited when you are able to call (or force myProg to call) /bin/grade with an effective group-id of inetsec. In that case, you receive a message stating that you have solved the assignment and get a code. This code has to be included in your submission to prove to us that your exploit was successful. Don't try to fake, cheat, or steal this code.

Your second task is to create a file named ididitohyeah in your home directory (i.e., ~inetsecXXX) that is larger than 14MB in size and that you own (i.e., the owner of the file is your user-id). Sounds easy, right? :-) Well, we have enabled quotas and you probably will see that this task may not be as easy as it sounds (use the quota command to see what is going on). Of course, your quota limit would allow a file of the required size, but something seems to have already allocated some chunk of your available space. Once you manage to create this large file in your home directory, the listing should show something like this:

    bandit:~> ls -l
    total 14676
    -rw-r--r-- 1 inetsec999 inetsec999 15000000 2007-10-16 22:53 ididitohyeah
    lrwxrwxrwx 1 inetsec999 inetsecstd        4 2007-10-03 16:24 mail -> Mail
    drwx------ 2 inetsec999 inetsecstd     4096 1998-03-10 19:28 Mail
    

Please create this file as specified above. Do not put it anywhere else, because the grading robot will not find it (i.e., do not put it in directories or subdirectories of your home directory). Also, do not forget to delete this file once you have successfully solved the challenge (otherwise, you will keep getting quota messages and may not be able to create new files ;)).

Deliverables


To submit your challenge solution to us, you need to follow these steps:

  1. Create a file called challenge1.txt anywhere under your account.
  2. Write each code that you have received from /bin/grade for every program you exploited (i.e., prog[1-4]) on a single line in that file (make sure the ordering 1-4 is correct).
  3. Create a file called ididitohyeah that you own and that is more than 14MB in size in your home directory (i.e., ~inetsecXXX/ididitohyeah).
  4. In the directory where your challenge1.txt file is located, call /usr/local/bin/submit1.
  5. Read any error or success messages. Then, wait a couple of minutes and read your e-mails on bandit to view the results of the automatic grading program.

Administrative Information and Deadline


This is an individual project. The project is due on Tuesday, 19.04.2011, 23:59:59 PST.