escalation666, posted March 4, 2008: Here is a simple proggy, and your mission is to find out the bug, and how someone could exploit it.

proggy.c:

```c
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* sleep() */

static FILE *fd;

/* Step 1: write the password given on the command line to a fixed path in /tmp. */
static void writing_pass_to_file(const char *pass)
{
    fd = fopen("/tmp/test", "w");
    fprintf(fd, pass);
    fclose(fd);
}

/* Step 2: reopen the same path by name and "crypt" its contents. */
static void some_crypting_here(void)
{
    fd = fopen("/tmp/test", "r");
    printf("Doing some crypting now..\n");
    sleep(5);
    fclose(fd);
    printf("Crypting done.\n");
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 1;
    }
    writing_pass_to_file(argv[1]);
    sleep(5);
    some_crypting_here();
    system("rm /tmp/test");
    return 0;
}
```

About the proggy, let's say that in the real world it would be a piece of code responsible for some user/password management... It takes the password from the command line and does some stuff with it, like crypting... What happens when the program is run in superuser mode? (In Linux.) I will post the simple solution later, when there are enough responses.
moubik, posted March 4, 2008: I was expecting to see a buffer overflow, but I didn't see one at all. Then I thought further about line splitting, i.e. passing the argv[1] parameter with newlines in it. For example, it could be exploited with a little script like:

    #!/bin/sh
    ./proggy.out password"admin:newpass
    sudo:rox"

Still, I don't see how that would be usable on the code shown... so I'm thinking of another method.. I was thinking about the question you asked, "what happens if the program is run as root?", and I guess that would be a hint, right?
escalation666 (author), posted March 4, 2008: Hmm... Let's say the input is trusted. And as for superuser mode, yes, that is a hint. Another hint would be race conditions.
Vhaerun, posted March 4, 2008: I'm not sure, but couldn't it be exploited with soft links? (the ln command)
escalation666 (author), posted March 4, 2008:
> I'm not sure, but couldn't it be exploited with soft links? (the ln command)

Hehe... I don't even know what to answer... I would have liked to read some other opinions too. You have already answered 95% correctly... and it wouldn't quite be a soft link... rather a forced link :wink:
moubik, posted March 5, 2008: Yeah, yeah, well, he has a good idea. ln to passwd and you make yourself an admin account. Did that even need to be spelled out? Well done, vhaerun.
escalation666 (author), posted March 7, 2008: And the trivial solution is here: http://networkintruder.blogspot.com/2008/03/where-is-bug.html
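For contrast with the challenge code, here is a hardened version of its write-then-reopen steps. This is an added example, not the original poster's program or the linked solution; it assumes a hypothetical template name /tmp/proggy.XXXXXX and shows the standard mitigations for a privileged program using a scratch file in a world-writable directory: unpredictable, exclusively created name, the file kept open and used through its descriptor instead of reopened by path, fstat() on that descriptor, and unlink() instead of a shell command.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the scratch file with mkstemp(): unpredictable name, O_CREAT|O_EXCL
 * (a link pre-planted at that path makes it fail instead of being followed),
 * mode 0600. Returns the open fd, or -1; the path is copied to path_out. */
int write_secret_tmp(const char *secret, char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/proggy.XXXXXX";   /* constructed, hypothetical template */
    size_t len = strlen(secret);
    int fd = mkstemp(tmpl);
    if (fd >= 0 && strlen(tmpl) < path_len && write(fd, secret, len) == (ssize_t)len) {
        strcpy(path_out, tmpl);
        return fd;
    }
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return -1;
}

/* Check the descriptor we already hold: a regular file, owned by us, mode 0600,
 * with a single hard link. fstat() on the fd inspects the inode we created;
 * stat() on the path name could be answered by a file swapped in meanwhile. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == getuid() && (st.st_mode & 0777) == 0600;
}

/* The "crypting" stage reads through the same descriptor instead of reopening
 * "/tmp/test" by name, then removes the file with unlink() rather than
 * system("rm ..."). Returns the number of bytes read, or -1. */
ssize_t read_back_and_remove(int fd, const char *path, char *buf, size_t buflen)
{
    ssize_t n = -1;
    if (lseek(fd, 0, SEEK_SET) == 0)
        n = read(fd, buf, buflen);
    close(fd);
    unlink(path);
    return n;
}
```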