# 01 Set-UID NTNU Information Security Attack and Defense Practice

##### [Back to Note Overview](https://reurl.cc/XXeYaE)
##### [Back to Information Security: A Hands-on Approach](https://hackmd.io/z5PJjK7eTJ29YEhMjyAaCw)

###### tags: `Attack and Defense Practice` `110-1` `CSIE` `Elective` `NTNU`

## Overview

- Linux File Permission
- Set-UID
- What goes wrong?
- Capability Leaking
- Countermeasures
- Conclusions
- Appendix

## Linux File Permission

- **Discretionary Access Control (DAC)**
  - Restricts access to objects based on the <font color=red> identity of subjects </font> and/or the groups to which they belong.
  - A subject that holds an access permission is capable of <font color=blue> passing </font> that permission on to any other subject.
  - Ex. standard Unix, Windows... (the authority lies with the file owner)
- **Mandatory Access Control (MAC)**
  - Policy administrators implement <font color=red> organization-wide security policies </font>.
  - Users cannot override or modify this policy, either accidentally or intentionally.
  - (the authority lies with the policy administrators)
- **Role-based Access Control (RBAC)**
  - A policy-neutral access-control mechanism defined around <font color=red> roles and privileges </font>.
  - <font color=red> Role, not identity </font>.
  - Ex. My name is ShihHeng and I am in the student group; the policy checks my group, not my name. (different groups or roles carry different permissions)

<div style="width: 100%; text-align: center; margin-bottom: 15px">
<img src="https://i.imgur.com/osaasM3.png" style="width: 600px">
</div>

> `which <command>` shows where the executable for a command is located.

- How can a user edit their own entry in the passwd file when they do not have system-administrator permission? Two approaches:
  1. **Daemon**
     - A daemon is a computer program that runs as a <font color=red> background </font> process under a privileged user.
     - When you want to change your password, you send the request to the daemon, which makes the change on your behalf.
  2. **<font color=red> Set-UID </font> program.**

> BTW.
> Actually, the user's password is not stored in /etc/passwd. Instead, its hash is stored in /etc/shadow.

## Set-UID

- Allows a user to run a program with the <font color=red> program owner's privilege </font>.
- This is called <font color=red> privilege escalation </font>.
- ![](https://i.imgur.com/c5Ug1LJ.png)
- <font color=red> s </font> is the setuid flag.
- In Unix, a process has three user IDs:
  1. Real User ID (RUID): <font color=blue> the user who owns this process, not the program</font>.
  2. Effective User ID (EUID): <font color=red> the privilege that the process has</font>.
  3. Saved User ID (SUID): a temporary slot used when switching the effective user ID.
- When a program is executed:
  - For normal programs, EUID = RUID, which is equal to the ID of the user <font color=red> who runs the program</font>.
  - For set-UID programs, EUID $\neq$ RUID. RUID is equal to the ID of the user <font color=red> who runs the program</font>, but EUID is equal to the ID of the user <font color=orange> who owns the program</font>.

```c=
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <pwd.h>

int main(void) {
    uid_t ruid, euid, suid;
    struct passwd *pwd = NULL;

    /* Read the real, effective and saved user IDs of this process */
    getresuid(&ruid, &euid, &suid);

    /* getpwuid() maps a numeric ID to its passwd entry (may be NULL) */
    pwd = getpwuid(ruid);
    printf("Real User ID: %d (%s)\n", ruid, pwd ? pwd->pw_name : "?");
    pwd = getpwuid(euid);
    printf("Effective User ID: %d (%s)\n", euid, pwd ? pwd->pw_name : "?");
    pwd = getpwuid(suid);
    printf("Saved User ID: %d (%s)\n", suid, pwd ? pwd->pw_name : "?");
    return 0;
}
```

```shell
$ gcc showid.c -o showid
$ sudo chown root showid      # chown: change the file owner
$ ./showid
Real User ID: 1000 (neokent)
Effective User ID: 1000 (neokent)
Saved User ID: 1000 (neokent)
$ sudo chmod 4755 showid      # chmod: change the file permissions (4 = setuid bit)
$ ./showid
Real User ID: 1000 (neokent)
Effective User ID: 0 (root)
Saved User ID: 0 (root)
```

- In principle, Set-UID is secure.
- Though a Set-UID program lets the user escalate privilege, the program's behavior is <font color=red> restricted by the software developer</font>.
- e.g. vim, bash.

## What goes wrong

- Programs are written by humans.
- **To err is human; ~~to forgive, divine.~~**
- There are many <font color=red> code flaws</font>.
- ![](https://i.imgur.com/ux9zoXx.png)

### Attacks via User Input

- Buffer overflow
- Format string vulnerability
- <font color=red> chsh </font>
  - Changes the login shell.
  - The user's login shell is recorded in **/etc/passwd**.
  - chsh is a Set-UID program.
  - Issue: it failed to sanitize user input, so a user could enter two lines, and the second line became a new record in /etc/passwd.
  - <font color=red> Attackers could create a new account, even a root one</font>.

### Attacks via System Input

- Programs may get input from the underlying system.
- A privileged program may access a file stored in **/tmp**.
- /tmp is <font color=red> world-writable</font>.

### Attacks via Environment Variable

> An environment variable is a **dynamically named value** that can affect the way a running process behaves on a computer.

- The `system()` library function runs the command string it is given through the shell (/bin/sh).
- /bin/sh uses the PATH environment variable to find the program.
- An attacker can add a program somewhere /bin/sh will find it.
- A user can run **env** or **export** to see the environment variables on the computer.

```c=
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    char *pCatStr = "/bin/cat";
    /* "/bin/cat" + " " + argv[1] + terminating NUL */
    char *pCmd = malloc(strlen(pCatStr) + strlen(argv[1]) + 2);
    if (pCmd == NULL) {
        return 1;
    }
    sprintf(pCmd, "%s %s", pCatStr, argv[1]);
    /* Vulnerable by design: argv[1] goes to /bin/sh unchanged, so any
       shell metacharacters it contains are interpreted by the shell */
    system(pCmd);
    free(pCmd);
    return 0;
}
```

```shell=
$ gcc catall.c -o catall
$ sudo chown root catall
$ sudo chmod 4755 catall
$ ./catall "aa;/bin/sh"
# whoami
root
```

- Because catall runs with root privilege and uses `system()` to execute the command, an attacker can append a second command, here `/bin/sh`, to the argument and obtain a root shell.

> Some shells, such as *dash*, have a countermeasure for Set-UID programs.
> These shells check whether **RUID** and **EUID** are the same or not.

## Capability Leaking

```shell
$ sudo chown root cap_leak
$ sudo chmod +s cap_leak
$ echo "bbb" > /etc/zzz
-bash: /etc/zzz: Permission denied
$ ./cap_leak
fd is 3
$ echo "bbb" >& 3
$ cat /etc/zzz
bbb
```

- <font color=red> Always destroy the capability before downgrading the privilege</font>.
- Descriptor **3** was opened while the process still had root privilege, and permission is checked only when a file is opened, so the descriptor stays writable after the privilege is dropped. (The source of cap_leak is not shown here; from the transcript, it opens /etc/zzz for writing as root, drops its privilege, and starts a shell with descriptor 3 still open.)
- The program should <font color=blue> **close**</font> the file descriptor before downgrading.

## Countermeasures

- <font color=blue>**Principle of Isolation**</font>
  - Data should be clearly isolated from code.
- <font color=red>**Principle of Least Privilege**</font>
  - Every program and every privileged user of the system should operate using the <font color=red> least amount of privilege necessary</font> to complete the job.

```c=
#include <unistd.h>
/* Replaces the process image with pathname; envp lets the caller pass an
   explicit, controlled environment instead of inheriting the current one */
int execve(const char *pathname, char *const argv[], char *const envp[]);
```

- Use **setuid** and **seteuid** to disable the privilege when it is not needed.
  - **setuid**: It modifies RUID, EUID and SUID. The setuid system call is permitted if the specified ID is equal to the RUID or the EUID of the process, or if the EUID is that of the superuser.
  - **seteuid**: It modifies only the EUID, setting it to the specified ID.

## Conclusions

- Set-UID is a mechanism that temporarily escalates the user's privilege within the restricted behavior of the program.
- If a Set-UID program has flaws, an attacker can launch attacks through several of its interfaces with root's privilege.
- When an attacker wants to launch attacks, they will generally focus on Set-UID programs.

## Appendix

- How to find Set-UID programs?

```shell=
# -perm -4000 matches files with the setuid bit set; -user root limits it to root-owned ones
$ find /bin -user root -perm -4000 -exec ls -ldb {} \; > ./tmp
```
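The following program puts the note's countermeasures together in one hardened counterpart of catall.c: the chsh input-sanitization point from the What goes wrong section, closing a privileged descriptor before downgrading (Capability Leaking), a verified permanent privilege drop (Principle of Least Privilege), and `execve` with a fixed path and a fixed environment instead of `system()` (Attacks via Environment Variable). It is an added example, not code from the course or the page; the function names (`passwd_field_is_safe`, `release_fd`, `fd_is_open`, `drop_privileges_permanently`, `safe_cat`) are our own, and /etc/zzz is borrowed from the capability-leaking transcript only as a stand-in for a privileged resource.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example: a hardened counterpart of the page's catall.c.
 * Function names are assumptions of this example, not from the page. */

/* chsh point: a field written into a colon-separated, line-based file such
 * as /etc/passwd must not contain a newline (a second record) or a colon
 * (a shifted field). Returns 1 if the field is acceptable, 0 otherwise. */
int passwd_field_is_safe(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s != '\0'; s++) {
        if (*s == ':' || (unsigned char)*s < 0x20 || *s == 0x7f) return 0;
    }
    return 1;
}

/* Capability leaking: destroy the capability (the descriptor) first.
 * Returns 0 on success; *fd is set to -1 so it cannot be reused. */
int release_fd(int *fd) {
    if (*fd >= 0 && close(*fd) == -1) return -1;
    *fd = -1;
    return 0;
}

/* Is a descriptor still open? Used to confirm release_fd really closed it. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Least privilege: set all three IDs to the real user, then verify.
 * Returns 0 only if RUID == EUID == SUID == original RUID afterwards and
 * the old effective ID cannot be regained. */
int drop_privileges_permanently(void) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) == -1) return -1;
    if (setresuid(ruid, ruid, ruid) == -1) return -1;

    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == -1) return -1;
    if (r != ruid || e != ruid || s != ruid) return -1;
    /* An unchecked, silently failed drop leaves the process privileged:
     * make sure the drop is irreversible */
    if (euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

/* Environment/system() point: run /bin/cat on exactly one file through
 * execve with a fixed path and a fixed PATH, so "aa;/bin/sh" is just an
 * unusual file name, never a shell command.
 * Returns cat's exit status (0 on success) or -1 on a fork/wait error. */
int safe_cat(const char *path) {
    char *const cat_argv[] = { "cat", "--", (char *)path, NULL };
    char *const cat_envp[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execve("/bin/cat", cat_argv, cat_envp);
        _exit(127);   /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    /* Privileged work would happen here; /etc/zzz stands in for it, as on
     * the page. Without root the open simply fails and fd stays -1. */
    int fd = open("/etc/zzz", O_WRONLY | O_APPEND);

    /* Order matters: close first, then drop, then touch untrusted input */
    if (release_fd(&fd) == -1 || drop_privileges_permanently() == -1) {
        perror("privilege drop failed");
        return 1;
    }
    return safe_cat(argv[1]);
}
```

Build it with `gcc safe_catall.c -o safe_catall` and run `./safe_catall somefile`; as an unprivileged user it behaves like `cat`, and when installed setuid-root as in the catall transcript it still only ever runs `/bin/cat` on the single name it was given. The verification step in `drop_privileges_permanently` is the part most real programs skip: a drop that fails and is not checked leaves the rest of the program running as root.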