|20-CS-5156||Security Vulnerability Assessment||Spring 2020|
Stack Smash Escape to Shell and Data Leakage vulnerability
In Lab3, you will be given a piece of code that contains a memory corruption vulnerability. In particular, the program is a 32-bit program that accepts an argument on the command-line that tells it a log file name to display to the user.
The code is present in the C file here: lab3ex.c [download link]
The program was designed so that it would display a named log file from "/var/log/" using the "tail" program. A weak attempt was made to minimize potential data leakage. The program is intended to be installed as a setuid "root"-owned binary in /sbin/ on an older unix system. This would enable it to display contents of log files only readable by root.
However, you do not need to install it this way on your system for the purpose of this exercise, as varying security measures employed in today's Linux distributions make the behavior of executing a shell from a setuid-binary quite difficult. For the sake of argument, you are tasked with assuming that calling system() from inside a setuid-root binary on a target sysetm retains root identity, and you are working on crafting a POC exploit for this software tool in your environment.
You must identify and provide a POC example of the following two vulnerabilities from this program:
You will want to disable Virtual Address Space Randomization in Linux, to make it easier to POC:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
You will also want to compile the program as a 32-bit binary without stack-protector, with debug symbols:
gcc -m32 -g -fno-stack-protector -o lab3ex lab3ex.c
You may want to use GDB.
gdb --args ./lab3ex argument1 [argument2 argument3 etc...]
You'll be required to provide the following
The report should include the following information: