Skip to main content

Practice..Practice..Practice: Linux exploit SmashTheTux Writeup vulnub part 2 race condition in linux ᕦ(ò_óˇ)ᕤ (day 85)


In the previous blog about SmashTheTux we are talking about how we can leverage simple buffer overflow and format string attack to gain control of a program.

This time we will take a look at one of the most interesting attacks in the modern OS environment

"Race condition"

I heard about this attack when I'm attending a lecture of operating system security at that time I understand the underlying principle of the attack but not really much on how to do attack and this time I have a chance to do the implementation of this attack

What is the race condition?

According to OWASP 10, the race condition is a vulnerability that produces an unexpected result when the timing of actions is impacted or affected by other actions.

Simple enough this attack is based on the length of the timing of the program execution and mostly happens in a multithreaded application where all of the execution is happening at the same time.

consider the following source code taken from lightningsecurity blog:

balance = queryUserBalance()
if (balance <= amountToSend) {
                 send_money()
} else {
                 error("Not enough money :(")
}


we can see that this code will be executed synchronously, it starts from checking the balance and if the amount that is going to send is not adequate it will show an error. This means that there is a time between when the program checks the balance and sends the money to the destination account.

Assume that we have $200 in the bank and our friend has $0 in his account and What happens if we send two requests at the same time that instructs the program to send $200 to our friend since there is a delay between checking the balance and sending the money this will make the program think that we have enough money. You would end up with -$400 and our friend will get $400 (sweet!)

Implementation:


so in this second challenge, we are provided with the following source code, this tells us that the program only read a program that belongs to "tux" user using stat function by taking the UID & GID value of the file


if the value of UID & GID is 1000 which belongs to the tux user, it will print what inside the file like the above figure.

before we go further the author of the machine mention that they forgot to set up this program as SUID file and demand us to do it by ourselves

~# sudo chown root:root pwnme
~# sudo chmod u+s pwnme

our objective here is to make the program read a root file which is the ".readthis" file in the current directory.


but how can we do this since the check is hardcoded?

according to this post, we can circumvent this check using symlink to execute race condition attack to the binary.

by using symlink in our exploit we actually introduce a delay to the program execution and if we can simultaneously execute the exploit it can make the program under race condition.

in simple terms, we can treat symlink as a shortcut to another file by putting a pointer on it. Think this a shortcut icon in windows OS

we can put a symbolic link to the file by using "ln" utility in linux.

so our exploit would be like this:

#!/bin/sh
touch myfile
while true; do
  ln -sf ./myfile a &
  ./pwnme a &
  ln -sf .readthis a &
done


this will create a lot of noise in your machine but surprise surprise it actually does the job.

"It aint stupid if it works"

 

what we do here is switching the symlink between an ordinary file that was created by tux user and .readthis file that belongs to root in the background (in linux "&" means we execute this command in foreground process) at the same time.

because there is a little bit delay on the execution due to the symlink we can achieve the following situation:

when the stat function is called to check the symlink file that pointing to myfile that is owned by tux user (UID 1000 & GID 1000) by the time the file is open later, the script already change the symlink file pointing to the .readthis file which is owned by the root.

pretty cool eh! :)

we can leverage this script to open another interesting file such as /etc/shadow *wink

 



That's all folks I hope you enjoy this post and see you again at the next post

references:

https://g0blin.co.uk/smashthetux-vulnhub-writeup/
https://www.win.tue.nl/~aeb/linux/hh/hh-9.html

Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th...
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct...
Post a Comment
Read More »

Bypassing stack canaries protection :') (day 51)

In my previous blogs, I show you guys how to bypass some common protection usually used in Linux binary such as NX and ASLR but this time we are going to take it to the next level we are going to talk about protection employ in the modern Linux OS which is "The Canaries" and how to bypass it. note: this post was not originally mined it was inspired by the following resources https://ctf-wiki.github.io/ctf-wiki/pwn/linux/mitigation/canary/ (Credit goes to the author) we are going to start this post about what is stack canaries and types of different implementation of it then move to the implementation about how to bypass this protection. We are going to focus on "leak canaries" technique What is stack canary: In layman terms, canaries are just another protection mechanism to prevent stack overflow implemented by appending 4/8 bytes value (depend on the architecture) into the stack when a function is entered. When the function is at the end of its exec...
Post a Comment
Read More »