Date post: 28-Oct-2020

Week 5 Lab – Software Security

In this lab, you will:

A. Practice basic concepts in software security
B. Explore Set-UID program vulnerabilities

Tasks A and B are assessed (3%) and you will need to submit a report in your PebblePad Lab Journal.

A. Practice Basic Concepts (1.5%)

Answer the following questions:

1. Review some of the recent vulnerability announcements from NIST (https://nvd.nist.gov/vuln/search). Identify a few vulnerabilities that occur as a result of a buffer overflow attack. Classify the type of buffer overflow used in each, and decide if it is one of the forms we discussed in the lecture or another variant.

2. Describe the vulnerabilities in the following PHP code (Figure 11.3 of the textbook) and possible ways of defending against the attack.

3. Describe how software quality/reliability differs from software security. How does software security testing differ from ordinary software functionality testing?

B. Explore Set-UID Program Vulnerabilities (1.5%)

Step 0. If you are completing the task at home and using a Linux system other than Ubuntu 12.04, you may want to follow these instructions to set up your lab environment: http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Set-UID/Set-UID.pdf

Step 1. Read the following background information: Set-UID is an important security mechanism in Unix operating systems. When a Set-UID program is run, it assumes the owner’s privileges. For example, if the program’s owner is root, then when anyone runs this program, the program gains the root’s privileges during its execution. Set-UID allows us to do many interesting things, but unfortunately, it is also the culprit of many bad things. Therefore, the objective of this lab is two-fold: (1) Appreciate its good side: understand why Set-UID is needed and how it is implemented. (2) Be aware of its bad side: understand its potential security problems.

We have learnt in a previous lab that ping and passwd are Set-UID programs. On the other hand, Linux shell programs such as bash and zsh are non-Set-UID programs. For more information about shell programs, refer to http://linuxcommand.org/lc3_lts0010.php.

Step 2. Think for a second why bash and zsh commands are non-Set-UID programs. Is there any potential security issue if they are?


Step 3. Copy /bin/zsh to /tmp, change its ownership to root and make it a Set-UID program. (If you cannot remember these commands cp, chown and chmod, refer to the instructions for Labs 2 - 4). Then, run /tmp/zsh. Will you get root privilege?

If you see the above prompt, you have got root privilege via running /tmp/zsh. How can you check that you indeed have root privileges? One way to check is to run some privileged command like chown. Another way is to create a new file and see its ownership. Please describe how you verify that you have root privileges.

Use exit to return to the previous shell with normal user privilege.

Step 4. Instead of copying /bin/zsh, this time copy /bin/bash to /tmp, change its ownership to root and make it a Set-UID program as before. Then, run /tmp/bash as a normal user. Will you get root privilege? Please describe your observation. (If you are interested in why, check out https://www.vidarholen.net/contents/blog/?p=30)

Steps 5-10 are optional, but they are interesting and not difficult to follow.

Step 5. As you can find out from the previous task, /bin/bash has certain built-in protections that prevent abuse of the Set-UID mechanism. To see what life was like before such a protection scheme was implemented, we are going to use /bin/zsh.

In some Linux distributions (such as Ubuntu), /bin/sh is actually a symbolic link to /bin/bash. To use zsh, we need to link /bin/sh to /bin/zsh. Follow these instructions to change the default shell to zsh:

    cd /bin
    sudo rm sh
    sudo ln -s zsh sh

Step 6. The system() library function can be used to execute a command cmd within a program. The way system(cmd) works is to invoke the /bin/sh program (which is now linked to /bin/zsh), and then let the shell program execute cmd. Because a shell program is invoked, calling system() within a Set-UID program is extremely dangerous. This is because the actual behaviour of the shell program can be affected by environment variables, such as PATH; these environment variables are under the user’s control. By changing these variables, malicious users can control the behaviour of the Set-UID program.

In bash, you can change the PATH environment variable in the following way (this example adds the directory /home/seed to the beginning of the PATH environment variable):

    export PATH=/home/seed:$PATH

Step 7. The following vulnerable C program is supposed to execute the /bin/ls command; however, the programmer only uses the relative path for the ls command, rather than the absolute path:

    #include <stdlib.h>   /* system() */

    int main()
    {
        system("ls");   /* relative name: the shell resolves it through PATH */
        return 0;
    }


Go to your home directory. Create the above C program using

    cat > vul_prog.c

Then, type in the code above, hit Enter and use Ctrl+C to exit editing. After that, compile the C program using

    sudo gcc -o vul_prog vul_prog.c

Finally, change the executable program vul_prog to a Set-UID program. You can use long listing to verify that it is a Set-UID program owned by root.

Step 8. Can you let this vulnerable program run your code instead of /bin/ls? You can create your C program using

    cat > exploit.c

Then, type in the code below (without line breaks in printf()), hit Enter and use Ctrl+C to exit editing.

After that, compile the C program using

    gcc -o ls exploit.c

Note that it is neither owned by root nor a Set-UID program, and we name it ls to replace /bin/ls during the execution of the vulnerable program (since we changed the PATH environment variable).

Step 9. Now, let’s execute the vulnerable program using

    ./vul_prog

Is your code running with the root privilege? Describe and explain your observations.

Step 10. Finally, change /bin/sh so it points back to /bin/bash, and repeat the above attack. Can you still get the root privilege? Describe and explain your observations.

exploit.c (the code referred to in Step 8):

    #include <stdio.h>
    #include <unistd.h>   /* getuid(), geteuid() */

    int main()
    {
        printf("\nThis is my exploit program\n");
        printf("\nMy real uid is: %d\nMy effective uid is: %d\n", getuid(), geteuid());
        return 0;
    }
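
A hardened counterpart to the vul_prog pattern from Steps 6 and 7, added here as an example and not part of the original lab sheet: it replaces system("ls") with execve() on an absolute path and a fixed environment, and drops Set-UID privileges before the exec. The helper name run_fixed, the clean PATH value, and the assumption that listing files needs no root privilege are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment handed to the child: nothing is inherited
 * from the caller, so a user-set PATH never reaches the new program. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper (not from the lab): run abs_path with argv, without a
 * shell. Returns the child's exit status, or -1 on refusal or error. */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                    /* refuse names that need a PATH search */

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: give up Set-UID/Set-GID privileges for good before exec.
         * Group first, because setgid() fails once root has been dropped. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, clean_env);   /* no /bin/sh in between */
        _exit(127);                          /* only reached if execve fails */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const ls_argv[] = { "ls", NULL };
    int rc = run_fixed("/bin/ls", ls_argv);
    printf("ls exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Built and made Set-UID root in the same way as vul_prog, this version does not consult the caller's PATH, so the ls binary from Step 8 is never picked up.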

