辅导案例-COMP2700 2019
COMP2700 2019 Semester 2 - ASSIGNMENT 1 1 COMP2700 2019 SEMESTER 2 - ASSIGNMENT 1 SUBMISSION DEADLINE: Sunday, September 29th, 2019 - 11:55pm AET. SUBMISSION PROCEDURE: See Wattle page for the course 1. OBJECTIVES: The main objective of this assignment is for the students to understand the security mechanisms in Unix-like operating systems and their interplay with software security, in particular: - to learn practical access control mechanisms in Unix operating system, such as files and folder permissions and SUID programs, and how application security is affected by them; - to learn how software vulnerabilities can be exploited to circumvent security mechanisms in both applications and operating systems. 2. PROBLEM DESCRIPTION: Note: an accompanying Q&A document is also provided to give further details not covered here. See the Wattle page for details. There are four problems in this assignment. To do this assignment, you will make use of an installation of Ubuntu Linux 18.04 (64 bit) in the Oracle VirtualBox virtual machine. The VirtualBox image of the Ubuntu installation is provided with this document and can be downloaded from the Wattle site for this course. The assessment of the solutions to the problems listed below will be entirely done inside this particular installation of Ubuntu. The Ubuntu installation for this assignment is similar to the Ubuntu image provided for the lab sessions. In particular, it has the following users: admin2700, alice, bob, charlie, dennis, eve and fong. User admin2700 has the administrative privilege over the system, i.e., it can escalate its privilege to the root user. SECRETS AND APPLICATION PASSWORDS In this assignment, we consider a scenario in which four users, alice, bob, charlie and admin2700, want to give access to certain ‘secrets’ to other users, but they want to control who can access the secrets and not relying solely on Linux file system permissions. So these secrets are stored in directories where only select users (alice, bob, charlie and admin2700) can access. Access to the secrets are controlled by using individual password files. These passwords are distinct from the account passwords of the Linux users, and we shall refer to them as application passwords. The secrets and the application passwords are located in /etc/comp2700 directory. There are four secrets that need to be protected; they are summarised in Table 1. The first column in the table shows the owner of the secret. The second column shows the application passwords needed to access the secrets given in the third column. COMP2700 2019 Semester 2 - ASSIGNMENT 1 2 Table 1. Locations of application passwords and secrets. Each password is stored in a file called ‘password’, and each secret is stored in a file called ‘secret’. Owner Application password location Secret file location alice /etc/comp2700/alice/password /etc/comp2700/alice/secret bob /etc/comp2700/bob/password /etc/comp2700/bob/secret charlie /etc/comp2700/charlie/password /etc/comp2700/charlie/secret admin2700 /etc/comp2700/admin2700/password /etc/comp2700/admin2700/secret The application passwords are strings of lower-case letters (‘a’ to ‘z’), of length between 1 to 14 characters. All the secrets have the form ‘flag{xx:xx:xx:xx:xx:xx:xx:xx}’, i.e., it is a sequence of 8 bytes presented in a hexadecimal notation, with colon ‘:’ separating the bytes, and the whole sequence is enclosed in ‘flag{ }’ tag. IMPORTANT NOTE: Appendix A provides the account passwords, the application passwords and the secrets for relevant users. All these passwords and secrets will be changed during the assessment of your solutions. So your solutions must not hardcode any of these passwords and secrets. SUID PROGRAMS The actual access control mechanisms for protecting the secrets are implemented using four SUID programs located in the Public directory in each user account. Each of these SUID programs allows a user to access a certain secret, when the right application password is provided. The source code of these programs is written in C and is located in the same directory as the SUID program. Some of these programs may call certain shell scripts in their execution. For your convenience, the source code of these programs and shell scripts are also included in Appendix B. All the C programs were compiled using the following command: gcc program.c -o program -fno-stack-protector -m32 where program.c and program refer to the source and the binary of the program, respectively. There are four SUID programs that a user can use to display a secret file. We give a brief description of each program below. You are required to read the source code (both C code and shell scripts) and to try the programs yourself to find out more about how each program works. In the following, we assume the user ‘dennis’ has been given the application passwords and is accessing the secrets in a normal way. All examples illustrated below assume the passwords and secrets given in Appendix A. We repeat again here that these passwords and secrets will be changed during the assessment. • alice-secret: This program is located in /home/alice/Public/ and is used to access alice’s secret, i.e., the file /etc/comp2700/alice/secret. It takes one argument, which is an application password. If the input application password matches alice’s application password (located in /etc/comp2700/alice/password), then alice’s secret will be displayed. The following screenshot shows an example of the output of a normal run of this program. COMP2700 2019 Semester 2 - ASSIGNMENT 1 3 This example shows a first attempt with a wrong password (‘iforgot’), which results in an error being logged in a log file /home/alice/Public/error.log. The second attempt succeeds with the proper application password for alice (‘aliceone’), with the secret displayed (‘flag{be:2c:1b:c3:e5:ef:22:cd}’). • bob-secret: This program is located in /home/bob/Public/ and is used to access bob’s secret, i.e., the file /etc/comp2700/bob/secret. It takes three arguments: a choice of action to perform (‘1’ to display the secret and ‘2’ to backup the secret), a user name and a password. If the first argument is 1, and the provided password matches bob’s application password (located in /etc/comp2700/bob/password), then bob’s secret will be displayed. If the first argument is 2, then the program copies bob’s secret a backup folder. The following screenshot shows an example of the output of a normal run of this program. • charlie-secret: This program is located in /home/charlie/Public/ and is used to access charlie’s secret, i.e., the file /etc/comp2700/charlie/secret. It takes one argument, which is an application password. If the application password matches charlie’s application password (located in /etc/comp2700/charlie/password), then charlie’s secret will be displayed, otherwise, this failed attempt will be logged in a log file. The following screenshot shows an example of the output of a normal run of this program. • admin-secret: This program is located in /home/admin2700/Public and is used to access admin2700’s secret, i.e., the file /etc/comp2700/admin2700/secret. It takes one argument, which is an application password. If the application password matches admin2700’s application password (located in /etc/comp2700/admin2700/password), then admin2700’s secret will be displayed. The following screenshot shows an example of the output of a normal run of this program. COMP2700 2019 Semester 2 - ASSIGNMENT 1 4 EVE THE ATTACKER In this assignment, you will use eve’s account to find the secrets mentioned above. There are 4 (four) problems you need to solve for this assignment. For each problem, you are asked to write an attack program or script to find a secret. In the following, we assume all attack programs/scripts are located in /home/eve/. We assume that eve does not know any of the account/application passwords or secrets, so she needs to find weakness in the software or OS to access the secrets. Recall again that we will change all account passwords, all application passwords and all secrets during the assessment, so your solutions cannot rely on hardcoding the passwords given in Appendix A. We also assume that the attacker (‘eve’) has an almost identical copy of the system (OS and software), with the only difference being the (account and application) passwords and the secrets. This means that, as eve, you will be able to use the root account in your own copy of the system to explore how the access control is structured, where are the secrets and passwords stored, and other relevant aspects of the system that can be used to mount an attack on the real system. Pay particular attention to the SUID programs and their owners. There may be other files or directories relevant to the above SUID programs that you need to discover on your own to make your attacks work. PROBLEM 1: ALICE’S SECRET Your first task is to write an attack script or a program to display alice’s secret without knowing the password. If your program/script works correctly, it should display the secret that is stored in /etc/comp2700/alice/secret when run by eve. The following is a sample output of a successful attack: A successful attack should simply display the secret and nothing else (this remark applies to all problems below as well). PROBLEM 2: BOB’S SECRET For this problem, you are asked to write an attack script/program to display bob’s secret. If your program/script works correctly, it should display the secret that is stored in /etc/comp2700/bob/secret when run by eve. The following is a sample output of a successful attack: PROBLEM 3: CHARLIE’S SECRET For Problem 3, you are asked to write a script/program to display charlie’s secret. If your program/script works correctly, it should display the secret that is stored in /etc/comp2700/charlie/secret when run by eve. The following is a sample output of a successful attack: COMP2700 2019 Semester 2 - ASSIGNMENT 1 5 PROBLEM 4: ADMIN’S SECRET For Problem 4, you are asked to write a script/program to display admin2700’s secret. If your program/script works correctly, it should display the secret that is stored in /etc/comp2700/admin2700/secret when run by eve. The following is a sample output of a successful attack: 3. WHAT PROGRAMMING LANGUAGE TO USE You can program your solutions using C, Python or bash shell script. All of the problems can be solved with very small programs. If you use C, please make sure that your code can be compiled from within the virtual machine using gcc. Similarly, if you use Python, please make sure the script can be run inside the provided virtual machine. The Python version installed in the provided virtual machine is version 3.6.7. The solutions are simple enough that each will fit in one C/Python/shell script file so you do not need to use complicated project-base code structures. 4. SUBMISSION REQUIREMENTS • What to submit: you must submit the following: 1. The source code for the attack script/program for each problem. Name the file as ‘attackX.c’ (if it is written in C) or ‘attackX.sh’ (if it is written in shell scripts) or ‘attackX.py’ (if it is written in Python, where X is the problem number. So you would need to submit four source files that correspond to the four attacks. 2. A report detailing an analysis of the vulnerabilities you discovered and how you exploit them to launch your attacks. Please use PDF format for the report and name the file ‘report.pdf’. To help us organize your submissions, please put all those files in one zip file, name it according to your last name and uid. For example, if your last name is Bond and your uid is u1234567 then put all the files above in a zip file called ‘Bond_u1234567.zip’. • Output of attack scripts: Each attack script must output only one line containing the secret in the format ‘flag{xx:xx:xx:xx:xx:xx:xx:xx}’ (see Section 2: Problem 1 - 4 for examples) and nothing else. Failure to comply with the above requirements may result in mark deduction up to 5% of possible marks of this assignment. COMP2700 2019 Semester 2 - ASSIGNMENT 1 6 5. WHERE TO SUBMIT Submissions of the solutions must be done through the Wattle site for this course. Unless explicitly approved by the lecturer, the only submission method that is allowed is through Wattle. In particular, unsolicited email submissions will be ignored. The submission site and the submission procedure will be provided separately on Wattle page of the course. 6. DEADLINE & PENALTY - The submission deadline is Sunday, September 29th, 2019 - 11:55pm (AET). - Multiple submissions are allowed. You can submit as many times as you want before the deadline. But only the latest submission will be graded. - No late submissions are allowed without a prior approval from the course convenor. - Failure to comply with submission requirements (Section 4) may result in mark deduction up to 5% of possible marks for this assignment. 7. ASSESSMENT The assessment is based on two components: 1. Attack code execution (40% of total marks): This is broken down to 5% for Problem 1, 10% for Problem 2, 10% for Problem 3 and 15% for Problem 4. The assessment of the correctness of your attack will be partially automated, so please make sure you follow the suggested output format as mentioned in the problem description above. Your solutions will be tested in the same virtual machine that is provided with this assignment, but with all password and secret values modified. So you should make sure that you do not hardcode any of the sample passwords/secrets, as they will not work in the assessment process. Each attack must be successfully executed within 2 (two) minute, when run in a standard desktop in CECS computer labs. This is really an over approximation; if you implement the attacks correctly, each attack should take only a few seconds at most to solve each problem. 2. Report (60% of total marks): There is no definitive structure of the report, but here are some guidelines of what we would expect from the report: • As a general guideline we expect a division into four parts, corresponding to the division of the problems, unless you manage to find a single attack that solves all problems, in which case, it is sufficient to explain the general attack that solves all problems. • We expect a detailed analysis of what are the vulnerabilities and how you exploit them. It is not enough, for example, to say that you do a ‘buffer overflow’ attack. You’d need to explain, e.g., the memory layout, what is the effect of the overflow, how do you subvert the control flow of the program, etc. Similarly, where the problem/solution concerns Unix security mechanism, we expect you to articulate clearly the aspects of the access control mechanism that cause the vulnerability, and how you exploit them. An example is provided in the accompanying Q&A document. Note even if your attack code fails to execute, you may still receive marks for your report if you correctly identify the vulnerabilities and explain your attack strategies. COMP2700 2019 Semester 2 - ASSIGNMENT 1 7 HINTS • Problem 2: Some understanding of the C functions rand and srand will be helpful in solving this problem. You can consult the manual for rand using the following command: man 3 rand • Problem 3: The following article from Mitre’s CWE (Common Weakness Vulnerability) database may be helpful: https://cwe.mitre.org/data/definitions/377.html • Problem 4: You may find the command hexdump useful to examine unprintable ASCII characters. The command hexdump treats its input (file) as a stream of bytes and can output different formats for the byte stream. By default it represents each byte using hex notation. For example, piping the output of ‘echo’ to ‘hexdump’ gives you the hex values of the characters output by ‘echo’: COMP2700 2019 Semester 2 - ASSIGNMENT 1 8 APPENDIX A: PASSWORDS AND SECRETS IMPORTANT NOTE: These passwords and secrets are provided for your convenience, to help you test your solutions. During the assessment, these passwords and secrets will be changed. Please make sure you do not hardcode the passwords and secrets in your solution. User account and passwords to access the virtual machine: User Account Account password Admin2700 admin123 alice alice123 bob bob123 charlie charlie123 dennis dennis123 eve eve123 fong fong123 Application passwords and secrets: Owner Application password Secret alice aliceone flag{be:2c:1b:c3:e5:ef:22:cd} bob bobtwo flag{f5:10:38:67:a3:3b:ae:cc} charlie charliethree flag{a0:57:ee:84:54:93:a1:f7} admin2700 adminfour flag{db:73:1f:db:1f:70:65:5e} COMP2700 2019 Semester 2 - ASSIGNMENT 1 9 APPENDIX B: SOURCE CODE SOURCE CODE FOR PROBLEM 1 File: alice-secret.c #include #include #include #include // Execute any shell command void execute(char *cmd) { execl("/bin/bash", "bash", "-p", "-c", cmd, NULL); } void sanitise(char *password) { int i,j; char tmp[15]; // remove non-alphabet characters from passwords j=0; for(i=0; i < 15; ++i) if(password[i] >= 'a' && password[i] <= 'z') { tmp[j]=password[i]; ++j; } else break; tmp[j] = '\0'; strcpy(password, tmp); } int authenticate(char *str) { char stored_password[15]=""; char pass[15]; char path[128] = "/etc/comp2700/alice/password"; int i; FILE *fpp; int auth=0; fpp = fopen(path, "r"); if(fpp == NULL) { printf("Password file %s not found\n", path); exit(1); } fgets(stored_password, 15, fpp); sanitise(stored_password); strcpy(pass, str); sanitise(pass); if(strcmp(stored_password,pass) == 0) auth=1; else { auth=0; } fclose(fpp); return auth; } COMP2700 2019 Semester 2 - ASSIGNMENT 1 10 int main(int argc, char* argv[], char *envp[]) { char error[256] = "/home/alice/Public/error.sh $USER "; char pass[15]; if(argc < 2) { printf("Usage: %s password\n", argv[0]); return 0; } // copy only 15 characters from user input, to prevent stack smashing strncpy(pass, argv[1], 15); pass[14]='\0'; if(!authenticate(pass)) { // Log all failed attempts printf("Wrong password. This incident has been logged.\n"); strcat(error, pass); execute(error); // Execute script to log events return 0; } // Display secret execute("cat /etc/comp2700/alice/secret"); return 0; } File: error.sh #!/bin/bash -p # Get date and time dt=$(/bin/date '+%d/%m/%Y %H:%M:%S') # Add new entry to log /bin/echo "[$dt] Wrong password attempt by $1: $2" >> /home/alice/Public/error.log SOURCE CODE FOR PROBLEM 2 File: bob-secret.c #include #include #include #include #include // Execute any shell command void execute(char *cmd) { execl("/bin/bash", "bash", "-p", "-c", cmd, NULL); } void sanitise(char *password) { int i,j; char tmp[15]; // remove non-alphabet characters from passwords COMP2700 2019 Semester 2 - ASSIGNMENT 1 11 j=0; for(i=0; i < 15; ++i) if(password[i] >= 'a' && password[i] <= 'z') { tmp[j]=password[i]; ++j; } else break; tmp[j] = '\0'; strcpy(password, tmp); } int authenticate(char *str) { char stored_password[15]=""; char pass[15]; char path[128] = "/etc/comp2700/bob/password"; int i; FILE *fpp; int auth=0; fpp = fopen(path, "r"); if(fpp == NULL) { printf("Password file %s not found\n", path); exit(1); } fgets(stored_password, 15, fpp); sanitise(pass); strcpy(pass, str); sanitise(pass); if(strcmp(stored_password,pass) == 0) auth=1; else { auth=0; } fclose(fpp); return auth; } int main(int argc, char* argv[], char *envp[]) { unsigned int seed=time(0); // use current time as the seed for the random number generator char user[16]; int r; char command[128]; int choice=0; if(argc < 4) { printf("Usage: %s choice user password\n", argv[0]); printf("To display the secret, use choice=1, e.g. \n\n %s 1 bob password\n\n", argv[0]); printf("To backup the secret, use choice=2, e.g., \n\n %s 2 bob password\n\n", argv[0]); return 0; } strcpy(user, argv[2]); printf("Welcome, %s!\n", user); srand(seed); // change the seed for random number generator r = rand(); // generate a random number choice = atoi(argv[1]); if(choice == 1) { if(!authenticate(argv[3])) { printf("Wrong password.\n"); COMP2700 2019 Semester 2 - ASSIGNMENT 1 12 return 0; } execute("/bin/cat /etc/comp2700/bob/secret"); } else if(choice == 2) { // invoke the backup.sh script to copy the secret to the backup folder. // the filename is randomly generated sprintf(command, "/home/bob/Public/backup.sh f%d", r); execute(command); } else printf("Wrong choice.\n"); return 0; } File: backup.sh #!/bin/bash -p /bin/echo "Copying secret..." /bin/cat /etc/comp2700/bob/secret > /home/bob/Public/backup/$1 SOURCE CODE FOR PROBLEM 3 File: charlie-secret.c #include #include #include #include // Execute any shell command void execute(char *cmd) { execl("/bin/bash", "bash", "-p", "-c", cmd, NULL); } void sanitise(char *password) { int i,j; char tmp[15]; // remove non-alphabet characters from passwords j=0; for(i=0; i < 15; ++i) if(password[i] >= 'a' && password[i] <= 'z') { tmp[j]=password[i]; ++j; } else break; tmp[j] = '\0'; strcpy(password, tmp); } int authenticate(char *str) { char stored_password[15]=""; char pass[15]; char path[128] = "/etc/comp2700/charlie/password"; int i; COMP2700 2019 Semester 2 - ASSIGNMENT 1 13 FILE *fpp; int auth=0; fpp = fopen(path, "r"); if(fpp == NULL) { printf("Password file %s not found\n", path); exit(1); } fgets(stored_password, 15, fpp); sanitise(stored_password); strcpy(pass, str); sanitise(pass); if(strcmp(stored_password,pass) == 0) auth=1; else { auth=0; } fclose(fpp); return auth; } int main(int argc, char* argv[], char *envp[]) { if(argc < 2) { printf("Usage: %s password\n", argv[0]); return 0; } if(!authenticate(argv[1])) { // Log all failed attempts printf("Wrong password. This incident has been logged.\n"); execute("/home/charlie/Public/error.sh"); return 0; } execute("cat /etc/comp2700/charlie/secret"); return 0; } File: error.sh #!/bin/bash -p # Directory name; uses current user's name as suffix tmpdir=/var/tmp/session-log-$USER # create directory for charlie in /var/tmp /bin/mkdir -p $tmpdir # Get date and time dt=$(/bin/date '+%d/%m/%Y %H:%M:%S') # Get date -- use this for log file name dd=$(/bin/date '+%d-%m-%Y') /bin/echo "Wrong password attempt by $USER at $dt" > $tmpdir/$dd.log COMP2700 2019 Semester 2 - ASSIGNMENT 1 14 SOURCE CODE FOR PROBLEM 4 File: admin-secret.c #include #include char password[15]=""; int authenticate(char * pass) { int length = 15; int result = 0; char x[15]; strncpy(x, pass, length); result = strncmp(password, x, length); if(result) { printf("Wrong password: %s\n", x); return 0; } return 1; } int main(int argc, char* argv[]) { FILE *fps; FILE *fpp; char secret[512] = ""; if(argc < 2) { printf("Usage: %s password\n", argv[0]); return 0; } fps = fopen("/etc/comp2700/admin2700/secret", "r"); if(fps == NULL) { printf("Secret file not found\n"); return 1; } fpp = fopen("/etc/comp2700/admin2700/password", "r"); if(fpp == NULL) { printf("Password file not found\n"); fclose(fps); return 1; } fgets(password, 15, fpp); fgets(secret, 512, fps); if(authenticate(argv[1])) printf("%s\n", secret); fclose(fpp); fclose(fps); return 0; }
