Challenge 1: General Unix Security

Introduction

The function system() provided by the standard C library (libc) takes a string argument that is passed as a command string to a shell command language interpreter such as sh (or bash). The use of this function is generally considered dangerous because the shell is a complex application that applies many implicit transformation rules. In addition, its behavior is controlled by several environment variables. In order to make a safe call to system(), the input has to be rigorously sanitized and the environment has to be sane. Even then, problems in the program(s) invoked by the shell through system() can be abused to compromise the calling application.

Detailed Description

Your first task is to exploit vulnerabilities in four programs that have their set-gid (i.e., set group identification) bit enabled. The programs are installed under /usr/local/bin/prog[1-4]. The source for the programs can be obtained here (not necessarily listed in order):

An enabled set-gid bit means that whenever you execute one of these programs, your process gets the effective group-id of the group that owns the file. Consider a file called myProg with the following access permissions, as shown by ls -la:

-rwxr-sr-x 1 boss inetsec 8192 Jan 1 2001 myProg

Whenever a user who falls into the "other" class (i.e., not user boss and not a member of group inetsec) executes this file, the process runs with an effective group-id of inetsec and may access all resources according to the permissions granted to group inetsec.

You have exploited a vulnerability in one of our four challenge programs successfully when you call /bin/grade with the effective group-id of the group that owns the vulnerable program (for our challenge, these are the groups bsp[1-4]). In the example above, myProg would be considered successfully exploited when you are able to call (or force myProg to call) /bin/grade with an effective group-id of inetsec.
In that case, you receive a message stating that you have solved the assignment and get a code. This code has to be included in your submission to prove to us that your exploit was successful. Don't try to fake, cheat, or steal this code.

Your second task is to create a file named ididitohyeah in your home directory (i.e., ~inetsecXXX) that is larger than 14MB in size and that you own (i.e., the owner of the file is your user-id). Sounds easy, right? :-) Well, we have enabled quotas and you will probably see that this task may not be as easy as it sounds (use the quota command to see what is going on). Of course, your quota limit would allow a file of the required size, but something seems to have already allocated some chunk of your available space. Once you manage to create this large file in your home directory, the listing should show something like this:

bandit:~> ls -l
total 14676
-rw-r--r-- 1 inetsec999 inetsec999 15000000 2007-10-16 22:53 ididitohyeah
lrwxrwxrwx 1 inetsec999 inetsecstd        4 2007-10-03 16:24 mail -> Mail
drwx------ 2 inetsec999 inetsecstd     4096 1998-03-10 19:28 Mail

Please create this file exactly as specified above. Do not put it anywhere else, because the grading robot will not find it (i.e., do not put it in directories or subdirectories of your home directory). Also, do not forget to delete this file once you have successfully solved the challenge (otherwise, you will keep getting quota messages and may not be able to create new files ;)).

Deliverables

To submit your challenge solution to us, you need to follow these steps:
Administrative Information and Deadline

This is an individual project. The project is due on Tuesday, 19.04.2011, 23:59:59 PST.
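The introduction explains why system() is hard to use safely inside a set-gid program: the shell rewrites its command string, reads IFS and PATH from the environment, and the elevated group-id is still active when the child runs. The following C program is an added example written for this page, not one of the four challenge programs and not code from the course; it shows the defensive pattern the introduction implies. Instead of escaping a string for the shell, it (1) allow-lists the argument, (2) permanently drops the set-gid group with setresgid() before anything is executed, and (3) runs the target with execve() on a fixed argv and a pinned environment so no shell is involved. The helper names (is_safe_filename, drop_setgid, run_without_shell, show_file), the file name notes.txt and the environment values are all assumptions made for the example.

```c
#define _GNU_SOURCE             /* for setresgid() on Linux/glibc */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a plain file name: alphanumerics, '.', '_' and '-', no leading
 * '-' (so it cannot be parsed as an option), no "..", bounded length. This is
 * a strict allow-list; it rejects rather than trying to escape shell syntax. */
int is_safe_filename(const char *arg)
{
    if (arg == NULL || arg[0] == '\0' || arg[0] == '-' || strlen(arg) > 255)
        return 0;
    if (strstr(arg, "..") != NULL)
        return 0;
    for (const char *p = arg; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Permanently give up a set-gid program's elevated group before any child is
 * started. setresgid() sets the real, effective and saved gid together, so
 * the privileged gid cannot be regained later. Returns 1 on success. */
int drop_setgid(void)
{
    gid_t real = getgid();
    if (setresgid(real, real, real) != 0)
        return 0;
    return getegid() == real && getgid() == real;
}

/* Run an executable directly with a fixed argv and a minimal environment.
 * No shell is involved, so each argv entry is passed as one literal argument
 * no matter what it contains. Returns the child's exit status, or -1 on
 * failure (127 if the exec itself failed, mirroring the shell convention). */
int run_without_shell(const char *path, char *const argv[])
{
    /* The child does not inherit the caller's environment; PATH and IFS are
     * pinned to known-good values instead of whatever the invoker exported. */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Typical use in a set-gid tool that must display one user-chosen file.
 * Returns -1 if the name is rejected or privileges cannot be dropped. */
int show_file(const char *name)
{
    if (!is_safe_filename(name))
        return -1;
    if (!drop_setgid())
        return -1;
    char *const argv[] = { "cat", "--", (char *)name, NULL };
    return run_without_shell("/bin/cat", argv);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "notes.txt";   /* constructed default */
    int rc = show_file(name);
    printf("show_file(\"%s\") -> %d\n", name, rc);
    return rc == 0 ? 0 : 1;
}
```

Compare this with a program that builds "cat " + name and hands it to system(): there the shell, still running with the file owner's group-id, interprets the whole string and consults the caller's environment, which is exactly the surface the introduction warns about. Note that dropping the group-id early also removes the set-gid program's ability to open its own group-protected resources afterwards, so in a real tool the privileged work is done first and the drop happens immediately before any external program runs.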