Practice..Practice..Practice: Linux exploit SmashTheTux Writeup vulnub part 2 race condition in linux ᕦ(ò_óˇ)ᕤ (day 85)
In the previous blog about SmashTheTux we are talking about how we can leverage simple buffer overflow and format string attack to gain control of a program.
This time we will take a look at one of the most interesting attacks in the modern OS environment
"Race condition"
I heard about this attack when I'm attending a lecture of operating system security at that time I understand the underlying principle of the attack but not really much on how to do attack and this time I have a chance to do the implementation of this attack
What is the race condition?
According to OWASP 10, the race condition is a vulnerability that produces an unexpected result when the timing of actions is impacted or affected by other actions.Simple enough this attack is based on the length of the timing of the program execution and mostly happens in a multithreaded application where all of the execution is happening at the same time.
consider the following source code taken from lightningsecurity blog:
balance = queryUserBalance()
if (balance <= amountToSend) {
send_money()
} else {
error("Not enough money :(")
}
we can see that this code will be executed synchronously, it starts from checking the balance and if the amount that is going to send is not adequate it will show an error. This means that there is a time between when the program checks the balance and sends the money to the destination account.
Assume that we have $200 in the bank and our friend has $0 in his account and What happens if we send two requests at the same time that instructs the program to send $200 to our friend since there is a delay between checking the balance and sending the money this will make the program think that we have enough money. You would end up with -$400 and our friend will get $400 (sweet!)
Implementation:
so in this second challenge, we are provided with the following source code, this tells us that the program only read a program that belongs to "tux" user using stat function by taking the UID & GID value of the file
if the value of UID & GID is 1000 which belongs to the tux user, it will print what inside the file like the above figure.
before we go further the author of the machine mention that they forgot to set up this program as SUID file and demand us to do it by ourselves
~# sudo chown root:root pwnme
~# sudo chmod u+s pwnme
our objective here is to make the program read a root file which is the ".readthis" file in the current directory.
but how can we do this since the check is hardcoded?
according to this post, we can circumvent this check using symlink to execute race condition attack to the binary.
by using symlink in our exploit we actually introduce a delay to the program execution and if we can simultaneously execute the exploit it can make the program under race condition.
in simple terms, we can treat symlink as a shortcut to another file by putting a pointer on it. Think this a shortcut icon in windows OS
we can put a symbolic link to the file by using "ln" utility in linux.
so our exploit would be like this:
#!/bin/sh
touch myfile
while true; do
ln -sf ./myfile a &
./pwnme a &
ln -sf .readthis a &
done
this will create a lot of noise in your machine but surprise surprise it actually does the job.
"It aint stupid if it works"
what we do here is switching the symlink between an ordinary file that was created by tux user and .readthis file that belongs to root in the background (in linux "&" means we execute this command in foreground process) at the same time.
because there is a little bit delay on the execution due to the symlink we can achieve the following situation:
when the stat function is called to check the symlink file that pointing to myfile that is owned by tux user (UID 1000 & GID 1000) by the time the file is open later, the script already change the symlink file pointing to the .readthis file which is owned by the root.
pretty cool eh! :)
we can leverage this script to open another interesting file such as /etc/shadow *wink
That's all folks I hope you enjoy this post and see you again at the next post
references:
https://g0blin.co.uk/smashthetux-vulnhub-writeup/
https://www.win.tue.nl/~aeb/linux/hh/hh-9.html
Comments
Post a Comment