Week 1 Content

This document provides an overview of content related to set-UID programs and potential vulnerabilities. Week 1 covers an introduction to set-UID, why privileged programs are needed, and things that can go wrong including attacks via environment variables, explicit user inputs, and capability leaking. It describes how set-UID works by changing the effective user ID during program execution. Potential vulnerabilities are explored if instructions in a set-UID program are not properly secured from malicious behavior.

Uploaded by rudra raval

Week 1 Content:

1. Introduction to Set-UID
2. Why we need privileged programs
3. What may go wrong
4. Attacks via environment variables
5. Attacks via explicit user inputs
6. Capability leaking
7. Security analysis and summary
Introduction to Set-UID
- What is Set-UID
- How Set-UID works
Why we need privileged programs
- User privilege
- Admin privilege
- How a user does tasks that require admin privilege
- Example with the passwd command:
o Changing the password file requires privilege
o How the passwd program uses privilege

How Set-UID works


- User program process:
o uid: user ID
o gid: group ID
- Set-UID program process:
o uid: real user ID (who runs the program)
o effective-uid: the owner of the program
o saved set-uid: usually equal to the effective-uid
o gid: group ID

- To delete a user
o $ sudo deluser <username>
o $ sudo deluser --remove-home <username>

How we turn a program into a Set-UID program

- To view the permissions of files within a directory, use ls -l; the mode is shown in four groups:

1 2 3 4
--- rw- r-- ---

The first group contains the 3 special bits, including Set-UID:

o First bit: Set-UID
o Second bit: Set-GID
o Third bit: Set-OtherID.
For example: 100
o Set-UID = 1
o Other bits = 0
- How we set the Set-UID bit
o Using chmod 4755 (normally we use 755 only)
▪ 4 = 100 in binary
What can go wrong
- If a program has admin privilege, how do we stop that program from doing bad things?
- A Set-UID program's instructions should:
o only do the specific things the owner intended
o not let the caller do anything else with root privilege

- Example: copy /bin/cat to ./mycat

$ cp /bin/cat ./mycat
$ ls -l ./mycat
- To change the owner of the file to root
$ sudo chown root ./mycat
The file is now owned by root, but without the Set-UID bit it still runs with the caller's limited privileges rather than admin privileges.
- To set the Set-UID bit
$ sudo chmod 4755 ./mycat
The mycat program now becomes a Set-UID program with root privileges.
- To sum up: to change a user program into a Set-UID program, we need:
o Step 1: change ownership
o Step 2: set the Set-UID bit
- Lab Exercise
o User Alice runs a shell program owned by user Bob and gets Bob's effective uid:
▪ Copy the program under Bob's account
▪ $ cp /bin/sh /tmp/mysh
▪ Set the Set-UID bit using Bob's account
▪ $ chmod 4755 /tmp/mysh
▪ If Alice now runs the program from her account:
▪ uid: Alice
▪ effective-uid: Bob
What can go wrong
- How we prevent a Set-UID program from doing bad things:
o A program contains a set of instructions.
o Each instruction is hard for programmers to secure and write properly.
o If any one instruction can go wrong or misbehave, then something bad can happen.
Attacks via Environment Variables:
- Attack via environment variables
o What environment variables are:
▪ a set of dynamic named values stored within the system
▪ used by applications launched in shells or subshells
▪ they allow customizing how the system works and how applications on the system behave
o Environment variables are inherited from the parent process.
▪ Example: a shell process contains
▪ the user's environment variables
▪ also any new variables

If the user runs the shell command, it creates a new child process with
▪ effective-uid = owner-uid
▪ all the new variables inherited
o Example: the cal shell command reads the calendar.
▪ The job is to print the calendar from a C program
▪ The system("cal") line:
▪ instructs the shell to execute the "cal" command by:
o using the /bin/sh shell program
o running the "cal" command
▪ What could go wrong here:
o PATH variable: it tells the shell which folders to search for the "cal" program, and the caller controls it.
▪ What if we use an absolute path so that the program does not need the PATH variable?

    #include <stdlib.h>
    int main()
    {
        system("cal");   /* /bin/sh looks up "cal" using the caller's PATH */
        return 0;
    }

o How to exploit
▪ IFS attack
Attacks via Dynamic-link library
- A dynamic-link library:
o Static linking: the program is self-contained
o Dynamic linking: the advantages are
▪ the library code does not have to be included in every program
▪ programs pick up library updates without being rebuilt
- Example with the libc library
o Program hello.c in C:
    /* hello.c */
    #include <stdio.h>
    int main()
    {
        printf("hello everyone\n");
        return 0;
    }
o Compile the file:
▪ Static: gcc -static -o hello_static hello.c
▪ Dynamic: gcc -o hello_dynamic hello.c
▪ $ ls -l: the static binary costs a lot more space
- How attacks can arise:
o Compile a suspicious program into a dynamic-link library
o The attacker's code then runs when the user's program calls into the dynamic library
Attacks via input
- Vulnerable programs
o do not sanitise input from users
- Mixing code and data
o Trusted code
o Untrusted data
o When trusted code and untrusted data are mixed, the program creates a channel through which the user's data can behave like trusted code.
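Added example, not part of the course notes, covering the environment-variable, dynamic-library and mixing-code-and-data sections above together: the safe counterpart of system("cal") and of a catall program. It builds a sanitized environment (PATH pinned, IFS and LD_PRELOAD dropped) and runs /bin/cat by absolute path with the user's file name as one argv element, so an input like "aa;/bin/sh" is never parsed by a shell. The function names and the allowlist are this example's own choices.

```c
/* Added example, not from the course notes: the safe counterpart of the
 * system("cal") and catall patterns above. A Set-UID program must not let the
 * caller's environment choose the program (PATH), split words (IFS) or inject
 * code (LD_PRELOAD), and must pass user input as an argv element, never as text
 * for /bin/sh to parse. Function names here are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Variables a helper legitimately needs (example allowlist); all else is dropped. */
static const char *const keep[] = { "HOME=", "USER=", "LANG=", "TZ=", NULL };

/* Copy only the allowed variables from in[] to out[] and pin PATH to system
 * directories. out needs room for max entries; returns the count before the NULL. */
size_t sanitize_env(char *const in[], char *out[], size_t max) {
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 2 < max; i++)
        for (size_t k = 0; keep[k]; k++)
            if (strncmp(in[i], keep[k], strlen(keep[k])) == 0) { out[n++] = in[i]; break; }
    out[n++] = "PATH=/usr/bin:/bin";   /* never taken from the caller */
    out[n] = NULL;
    return n;
}

/* Does env[] still carry a variable with this exact name? */
int env_has(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') return 1;
    return 0;
}

/* catall done safely: run /bin/cat by absolute path with the file name as one
 * argv element, so "aa;/bin/sh" is only an (absent) file name, not a command.
 * Returns cat's exit status (127 if exec failed), or -1 if fork or wait failed. */
int cat_file(const char *path) {
    extern char **environ;
    char *env[32];
    char *const argv[] = { "cat", "--", (char *)path, NULL };
    sanitize_env(environ, env, 32);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/cat", argv, env); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Dropping privileges with setuid(getuid()) before the exec would be the further step when the child does not need root at all.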
Capability Leaking

Questions of week 2
1. How does a user run their own shell program on behalf of another (admin) user?
2. Explain how the IFS attack works.
3. Explain the mechanism the OS uses for Set-UID programs to remove some environment variables when creating a child process, as in the "cp" command.
4. Explain an example of a vulnerable shell command that gets into a root-privilege shell, as below:
$ catall "aa;/bin/sh" (catall is a Set-UID program)
5. What is a secure way to invoke external programs to prevent the "mixing code and data" vulnerability?
