887
Set-UID實驗
//csdn博客目前暫時不再更新了,有興趣請訪問我的技術博客-曉的博客:zhangxiaolong.org
寫這個blog主要是對自己學習的內容進行一個總結和記錄,希望對學習這些知識的同道之人有所幫助,第一次寫博文,經驗有所不足,我會慢慢練習。
實驗操作我是參照了一位比較厲害的師兄,他的set_uid blog:https://blog.sina.com.cn/s/blog_70dd16910100pz8k.html。希望對大家有所幫助。
這個實驗是信息安全實驗的第一個實驗,共有7個task,每一個task都有截圖作為步驟。
1. Figure out why "passwd", "chsh", "su", and "sudo" commands need to be Set-UIDprograms. What will happen if they are not? If you are not familiar with these programs, you should first learn what they can do by reading their manuals. Please copy these commands to your owndirectory; the copies will not be Set-UID programs. Run the copied programs, and observe whathappens.
實驗截圖如下:
圖 1
圖 2
由圖1,圖2所示:拷貝到/home/seed下的passwd程序,沒有了root權限,這樣就沒有了修改密碼的權限。同樣chsh su等等同樣的道理。
2. Run Set-UID shell programs in Linux, and describe and explain your observations.
(a) Login as root, copy /bin/zsh to /tmp, and make it a set-root-uid program with permission4755. Then login as a normal user, and run /tmp/zsh. Will you get root privilege? Please describe your observation. If you cannot find /bin/zsh in your operating system, please use the following command to install it:_ Note: in our pre-built Ubuntu VM image, zsh is already installed.
su
Password: (enter root password)
yum install zsh
For Ubuntu
$ su
Password: (enter root password)
apt-get install zsh
圖 3
由圖3示,可以獲得root權限
(b) Instead of copying /bin/zsh, this time, copy /bin/bash to /tmp, make it a set-root-uidprogram. Run /tmp/bash as a normal user. will you get root privilege? Please describe andexplain your observation.
圖 4
由圖4示獲得不了root權限,,從實驗中可以看出/bin/bash有某種內在的保護機製可以阻止Set-UID機製的濫用。
3. (Setup for the rest of the tasks) As you can find out from the previous task, /bin/bash has certainbuilt-in protection that prevent the abuse of the Set-UID mechanism. To see the life before such aprotection scheme was implemented, we are going to use a different shell program called /bin/zsh.In some Linux distributions (such as Fedora and Ubuntu), /bin/sh is actually a symbolic linkto /bin/bash. To use zsh, we need to link /bin/sh to /bin/zsh. The following instructionsdescribe how to change the default shell to zsh.
$ su
Password: (enter root password)
# cd /bin
# rm sh
# ln -s zsh sh
圖 5
4. The PATH environment variable.The system(const char *cmd) library function can be used to execute a command withina program. The way system(cmd) works is to invoke the /bin/sh program, and then let theshell program to execute cmd. Because of the shell program invoked, calling system() within aSet-UID program is extremely dangerous. This is because the actual behavior of the shell programcan be affected by environment variables, such as PATH; these environment variables are under user’scontrol. By changing these variables, malicious users can control the behavior of the Set-UIDprogram.The Set-UID program below is supposed to execute the /bin/ls command; however, the programmeronly uses the relative path for the ls command, rather than the absolute path:
int main()
{
system("ls");
return 0;
}
(a) Can you let this Set-UID program (owned by root) run your code instead of /bin/ls? If you can, is your code running with the root privilege? Describe and explain your observations.
圖 6
可以獲得,在root權限下:
(1)首先以root權限編譯如下程序,並將該程序設置為SUID。
int main()
{
system("ls");
return 0;
}
在普通用戶模式下:
(2)拷貝sh到/tmp,並命名為ls。
(3)修改環境變量為/tmp。
(4)運行root用戶編寫的SUID程序。
結果:用/usr/bin/id命令查詢用戶eid變為0。
(b) Now, change /bin/sh so it points back to /bin/bash, and repeat the above attack. Can youstill get the root privilege? Describe and explain your observations.
不能夠獲得root權限,因為bash存在某種內部的安全機製。
5. The difference between system() and execve(). Before you work on this task,please make sure that /bin/sh is pointed to /bin/zsh.Background: Bob works for an auditing agency, and he needs to investigate a company for a suspectedfraud. For the investigation purpose, Bob needs to be able to read all the files in the company’sUnix system; on the other hand, to protect the integrity of the system, Bob should not be able tomodify any file. To achieve this goal, Vince, the superuser of the system, wrote a special set-root-uidprogram (see below), and then gave the executable permission to Bob. This program requires Bob totype a file name at the command line, and then it will run /bin/cat to display the specified file.Since the program is running as a root, it can display any file Bob specifies. However, since the programhas no write operations, Vince is very sure that Bob cannot use this special program to modify any file.
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
char *v[3];
if(argc < 2) {
printf("Please type a file name.\n");
return 1;
}
v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = 0;
/* Set q = 0 for Question a, and q = 1 for Question b */
int q = 0;
if (q == 0){
char *command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
sprintf(command, "%s %s", v[0], v[1]);
system(command);
}
else execve(v[0], v, 0);
return 0 ;
}
(a) Set q = 0 in the program. This way, the program will use system() to invoke the command.Is this program safe? If you were Bob, can you compromise the integrity of the system? Fo rexample, can you remove any file that is not writable to you? (Hint: remember that system()actually invokes /bin/sh, and then runs the command within the shell environment. We havetried the environment variable in the previous task; here let us try a different attack. Please pay attention to the special characters used in a normal shell environment).
這個命令不安全,Bob可能會出去好奇或者個人利益驅使會閱讀或者修改隻有root用戶才可以運行的一些文件,如圖所示。
圖 7
(b) Set q = 1 in the program. This way, the program will use execve() to invoke the command.Do your attacks in task (a) still work? Please describe and explain your observations.
不會有效,在(a)中之所以有效,是具有root權限的system在執行了cat file文件後,還會接著執行mv file file_new命令。而當令q=1, execve()函數會把file; mv file file_new 看成是一個文件名,係統會提示不存在這個文件。示意圖如下:
圖 8
6. The LD PRELOAD environment variable.
To make sure Set-UID programs are safe from the manipulation of the LD PRELOAD environmentvariable, the runtime linker (ld.so) will ignore this environment variable if the program is aSet-UID root program, except for some conditions. We will figure out what these conditions are inthis task.
(a) Let us build a dynamic link library. Create the following program, and name it mylib.c. Itbasically overrides the sleep() function in libc:
#include <stdio.h>
void sleep (int s)
{
printf("I am not sleeping!\n");
}
(b) We can compile the above program using the following commands (in the -W1 argument, thethird character is one, not `; in the -lc argment, the second character is `):
% gcc -fPIC -g -c mylib.c
% gcc -shared -W1,-soname,libmylib.so.1 \
-o libmylib.so.1.0.1 mylib.o –lc
(c) Now, set the LD PRELOAD environment variable:% export LD_PRELOAD=./libmylib.so.1.0.1
(d) Finally, compile the following program myprog (put this program in the same directory as libmylib.so.1.0.1):
/* myprog.c */
int main()
{
sleep(1);
return 0;
}
Please run myprog under the following conditions, and observe what happens. Based on your observations,tell us when the runtime linker will ignore the LD PRELOAD environment variable, andexplain why.
_ Make myprog a regular program, and run it as a normal user.
在這種情況下,忽略LD_PRELOAD環境變量,不重載sleep函數,使用係統自帶的sleep函數。
圖 9
_ Make myprog a Set-UID root program, and run it as a normal user.
在這種情況下,使用LD_PRELOAD環境變量,使用重載的sleep函數。
圖 10
_ Make myprog a Set-UID root program, and run it in the root account.
在這種情況下,忽略LD_PRELOAD環境變量。
圖 11
圖 12
圖 13
_ Make myprog a Set-UID user1 program (i.e., the owner is user1, which is another user account),and run it as a different user (not-root user).
7. Relinquishing privileges and cleanup.
To be more secure, Set-UID programs usually call setuid() system call to permanently relinquishtheir root privileges. However, sometimes, this is not enough. Compile the following program,and make the program a set-root-uid program. Run it in a normal user account, and describe what youhave observed. Will the file /etc/zzz be modified? Please explain your observation.
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
void main()
{ int fd;
/* Assume that /etc/zzz is an important system file,
and it is owned by root with permission 0644 */
fd = open("/etc/zzz", O_RDWR | O_APPEND);
/* Simulate the tasks conducted by the program */
sleep(1);
/* After the task, the root privileges are no longer needed,
it’s time to relinquish the root privileges permanently. */
setuid(getuid()); /* getuid() returns the real uid */
if (fork()) { /* In the parent process */
close (fd);
exit(0);
} else { /* in the child process */
/* Now, assume that the child process is compromised, malicious
attackers have injected the following statements
into this process */
write (fd, "Malicious Data", 14);
close (fd);
}
}
圖 14
圖 15
圖 16
最後更新:2017-04-02 06:51:59