escalation666 Posted March 4, 2008

Here is a simple proggy, and your mission is to find out the bug and how someone could exploit it.

proggy.c

    #include <stdio.h>
    #include <fcntl.h>
    #include <stdlib.h>     /* system() */
    #include <unistd.h>     /* sleep() */

    static FILE *fd;

    /* Writes the password given on the command line to a fixed, predictable path. */
    static void writing_pass_to_file(const char *pass)
    {
        fd = fopen("/tmp/test", "w");
        fprintf(fd, pass);   /* the password is used directly as the format string, as in the original */
        fclose(fd);
    }

    /* Reopens the same path by name for the "crypting" step. */
    static void some_crypting_here(void)
    {
        fd = fopen("/tmp/test", "r");
        printf("Doing some crypting now..\n");
        sleep(5);
        fclose(fd);
        printf("Crypting done.\n");
    }

    int main(int argc, char *argv[])
    {
        if (argc < 2)
            return 1;
        writing_pass_to_file(argv[1]);
        sleep(5);
        some_crypting_here();
        system("rm /tmp/test");
        return 0;
    }

About the proggy: let's say that in the real world it would be a piece of code responsible for some user/password management... It takes the password from the command line and does some stuff with it, like crypting...

What happens when the program is run in superuser mode? (In Linux)

I will post the simple solution later, when there are enough responses.
moubik Posted March 4, 2008

I was expecting to see a buffer overflow, but I didn't see one at all. I then thought about line splitting, i.e. passing the argv[1] parameter with newlines in it. For example it could be exploited with a little script like this:

    #!/bin/sh
    ./proggy.out password"admin:newpass
    sudo:rox"

Still, I don't see how that would be usable on the code shown... so I'm thinking of another method... I was thinking about the question you asked, "what happens if the program is run as root?", and I suspect that would be a hint, right?
escalation666 (Author) Posted March 4, 2008

hmm... Let's say the input is trusted. As for superuser mode, yes, that is a hint. Another hint would be race conditions.
Vhaerun Posted March 4, 2008

I'm not sure, but couldn't it be exploited with soft links? (the ln command)
escalation666 (Author) Posted March 4, 2008

> I'm not sure, but couldn't it be exploited with soft links? (the ln command)

Hehe... I don't even know what to answer... I would have liked to read some other opinions too. You've already answered 95% correctly... and it wouldn't be exactly a soft link... rather a forced link :wink:
moubik Posted March 5, 2008

Yes yes, well, he has a good idea: ln to passwd and you make yourself an admin account. Did it even need spelling out? Well done vhaerun
escalation666 (Author) Posted March 7, 2008

And the trivial solution here: http://networkintruder.blogspot.com/2008/03/where-is-bug.html
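A hardened version of the challenge's file-writing step, added here as an example (it is not the original proggy and not code from the linked write-up): the file is created with O_CREAT|O_EXCL|O_NOFOLLOW, so any entry already planted at the path, hard link or symlink, makes open() fail with EEXIST instead of turning a root write into a write on the linked file, and the descriptor is kept for the later step instead of reopening the path by name. The function names and the scratch directory are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open fd on success, -1 on failure (errno set). O_EXCL rejects an
 * existing entry of any kind, O_NOFOLLOW additionally refuses a symlink; the
 * caller keeps the fd for later reads rather than reopening "/tmp/test". */
int create_secret_file(const char *path, const char *secret)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                 /* EEXIST: something already sits at path */
    size_t len = strlen(secret);
    if (write(fd, secret, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Self-test in a private scratch directory; a pre-planted regular file stands
 * in for the attacker's link. Returns 1 when both cases behave as expected. */
int demo(void)
{
    char dir[] = "/tmp/hardened-demo-XXXXXX";      /* constructed scratch dir */
    if (!mkdtemp(dir))
        return 0;
    char planted[64], fresh[64], buf[16] = {0};
    snprintf(planted, sizeof planted, "%s/test", dir);
    snprintf(fresh, sizeof fresh, "%s/other", dir);
    /* case 1: the path already exists, so the write must be refused */
    FILE *decoy = fopen(planted, "w");
    if (decoy) { fputs("decoy\n", decoy); fclose(decoy); }
    int refused = create_secret_file(planted, "secret") == -1 && errno == EEXIST;
    /* case 2: fresh path, created mode 0600 with the secret written */
    int fd = create_secret_file(fresh, "secret");
    struct stat st;
    int written = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600
                  && pread(fd, buf, 6, 0) == 6 && strcmp(buf, "secret") == 0;
    if (fd >= 0) close(fd);
    unlink(planted); unlink(fresh); rmdir(dir);
    return refused && written;
}

int main(void) { printf(demo() ? "hardened writer OK\n" : "FAIL\n"); return 0; }
```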
Vhaerun Posted March 7, 2008

Yeee! That's my name