Summerschool Aachen 2004/Programming Errors Lab

From C4 Wiki
< Summerschool Aachen 2004
Revision as of 17:17, 22 September 2004 by (talk) (Notes from the Lab Session)
Jump to: navigation, search

Presentation Summary

Notes from the Lab Session

Solution for case 1a:

  • use gdb to get the address of buf
  • print 20 no-ops (0x90) into a file
  • append the shellcode (e.g. from packetstorm) to that file
  • fill that file to 104 bytes
  • append the address of buf to that file
  • run ./case1a "`cat $file`" and voila!

--Alexander Becher

Notes from Presentations

Metasploit is a nice repository for shellcode, UNIX as well as Windows.

-- Lisa Thalheim

Example vulnerability on the SRCF

As I think I mentioned, the SRCF has a big problem allowing so many users to run CGI and PHP scripts on our webserver. We try to limit the number of insecure scripts by looking for old versions of vulnerable software, but we do not have the resources to check whether user-written scripts are exploitable. What we try to do is stop one user's script from interfering with other user's scripts, and stop attackers from being able to escalate a exploitable CGI into a root exploit.

This approach does not always work and there have been two successful root compromises since 2000. The first was simply getting a user shell using an exploitable CGI (Ikonboard). The attacker then used a ptrace exploit to get root. This was before a patch to the vulnerability has been released. They then installed the SuKIT rootkit.

The more interesting one was where the attacker used site-specific knowledge to get root. It is likely he used a vulnerable CGI to look around the system. What he noticed is that one other vulnerable CGI was written by an ex-sysadmin and so could get access to that account. While that user did not have root access, he did own one old file which was processed by a cron job. This cron job ran as root and did not check for shell metacharacters in the input file (since it was meant to only be written to by sysadmins). The attacker embedded a command in the input file so as to create a root shell when it was processed by the cron job. Fortunately we stopped tha attack before any harm could be done, and we also captured a list of commands he entered. In reaction to this attack we introduced two new policies. Firstly all scripts run as root were audited to ensure that no files writable by non-root users were opened. Secondly each system administrator had a new account created, which was isolated from their normal account, and that could not run CGIs.

--Steven Murdoch