Skip to main content

Practice..Practice..Practice: Linux exploit SmashTheTux Writeup vulnub part 2 race condition in linux ᕦ(ò_óˇ)ᕤ (day 85)


In the previous blog about SmashTheTux we are talking about how we can leverage simple buffer overflow and format string attack to gain control of a program.

This time we will take a look at one of the most interesting attacks in the modern OS environment

"Race condition"

I heard about this attack when I'm attending a lecture of operating system security at that time I understand the underlying principle of the attack but not really much on how to do attack and this time I have a chance to do the implementation of this attack

What is the race condition?

According to OWASP 10, the race condition is a vulnerability that produces an unexpected result when the timing of actions is impacted or affected by other actions.

Simple enough this attack is based on the length of the timing of the program execution and mostly happens in a multithreaded application where all of the execution is happening at the same time.

consider the following source code taken from lightningsecurity blog:

balance = queryUserBalance()
if (balance <= amountToSend) {
                 send_money()
} else {
                 error("Not enough money :(")
}


we can see that this code will be executed synchronously, it starts from checking the balance and if the amount that is going to send is not adequate it will show an error. This means that there is a time between when the program checks the balance and sends the money to the destination account.

Assume that we have $200 in the bank and our friend has $0 in his account and What happens if we send two requests at the same time that instructs the program to send $200 to our friend since there is a delay between checking the balance and sending the money this will make the program think that we have enough money. You would end up with -$400 and our friend will get $400 (sweet!)

Implementation:


so in this second challenge, we are provided with the following source code, this tells us that the program only read a program that belongs to "tux" user using stat function by taking the UID & GID value of the file


if the value of UID & GID is 1000 which belongs to the tux user, it will print what inside the file like the above figure.

before we go further the author of the machine mention that they forgot to set up this program as SUID file and demand us to do it by ourselves

~# sudo chown root:root pwnme
~# sudo chmod u+s pwnme

our objective here is to make the program read a root file which is the ".readthis" file in the current directory.


but how can we do this since the check is hardcoded?

according to this post, we can circumvent this check using symlink to execute race condition attack to the binary.

by using symlink in our exploit we actually introduce a delay to the program execution and if we can simultaneously execute the exploit it can make the program under race condition.

in simple terms, we can treat symlink as a shortcut to another file by putting a pointer on it. Think this a shortcut icon in windows OS

we can put a symbolic link to the file by using "ln" utility in linux.

so our exploit would be like this:

#!/bin/sh
touch myfile
while true; do
  ln -sf ./myfile a &
  ./pwnme a &
  ln -sf .readthis a &
done


this will create a lot of noise in your machine but surprise surprise it actually does the job.

"It aint stupid if it works"

 

what we do here is switching the symlink between an ordinary file that was created by tux user and .readthis file that belongs to root in the background (in linux "&" means we execute this command in foreground process) at the same time.

because there is a little bit delay on the execution due to the symlink we can achieve the following situation:

when the stat function is called to check the symlink file that pointing to myfile that is owned by tux user (UID 1000 & GID 1000) by the time the file is open later, the script already change the symlink file pointing to the .readthis file which is owned by the root.

pretty cool eh! :)

we can leverage this script to open another interesting file such as /etc/shadow *wink

 



That's all folks I hope you enjoy this post and see you again at the next post

references:

https://g0blin.co.uk/smashthetux-vulnhub-writeup/
https://www.win.tue.nl/~aeb/linux/hh/hh-9.html

Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »