辅导案例-COMP2700 2019 Semester 2 - ASSIGNMENT 1
辅导案例-COMP2700 2019
COMP2700 2019 Semester 2 - ASSIGNMENT 1
1
COMP2700 2019 SEMESTER 2 -
ASSIGNMENT 1
SUBMISSION DEADLINE: Sunday, September 29th, 2019 - 11:55pm AET.
SUBMISSION PROCEDURE: See Wattle page for the course
- OBJECTIVES:
The main objective of this assignment is for the students to understand the security mechanisms in Unix-like
operating systems and their interplay with software security, in particular:
- to learn practical access control mechanisms in Unix operating system, such as files and folder
permissions and SUID programs, and how application security is affected by them; - to learn how software vulnerabilities can be exploited to circumvent security mechanisms in both
applications and operating systems.
- PROBLEM DESCRIPTION:
Note: an accompanying Q&A document is also provided to give further details not covered here. See the Wattle
page for details.
There are four problems in this assignment. To do this assignment, you will make use of an installation of
Ubuntu Linux 18.04 (64 bit) in the Oracle VirtualBox virtual machine. The VirtualBox image of the Ubuntu
installation is provided with this document and can be downloaded from the Wattle site for this course. The
assessment of the solutions to the problems listed below will be entirely done inside this particular installation
of Ubuntu.
The Ubuntu installation for this assignment is similar to the Ubuntu image provided for the lab sessions. In
particular, it has the following users: admin2700, alice, bob, charlie, dennis, eve and fong. User admin2700 has
the administrative privilege over the system, i.e., it can escalate its privilege to the root user.
SECRETS AND APPLICATION PASSWORDS
In this assignment, we consider a scenario in which four users, alice, bob, charlie and admin2700, want to give
access to certain ‘secrets’ to other users, but they want to control who can access the secrets and not relying
solely on Linux file system permissions. So these secrets are stored in directories where only select users (alice,
bob, charlie and admin2700) can access. Access to the secrets are controlled by using individual password files.
These passwords are distinct from the account passwords of the Linux users, and we shall refer to them as
application passwords. The secrets and the application passwords are located in /etc/comp2700 directory.
There are four secrets that need to be protected; they are summarised in Table 1. The first column in the table
shows the owner of the secret. The second column shows the application passwords needed to access the
secrets given in the third column.
COMP2700 2019 Semester 2 - ASSIGNMENT 1
2
Table 1. Locations of application passwords and secrets. Each password is stored in a file called ‘password’, and
each secret is stored in a file called ‘secret’.
Owner Application password location Secret file location
alice /etc/comp2700/alice/password /etc/comp2700/alice/secret
bob /etc/comp2700/bob/password /etc/comp2700/bob/secret
charlie /etc/comp2700/charlie/password /etc/comp2700/charlie/secret
admin2700 /etc/comp2700/admin2700/password /etc/comp2700/admin2700/secret
The application passwords are strings of lower-case letters (‘a’ to ‘z’), of length between 1 to 14 characters.
All the secrets have the form ‘flag{xx:xx:xx:xx:xx:xx:xx:xx}’, i.e., it is a sequence of 8 bytes presented in a
hexadecimal notation, with colon ‘:’ separating the bytes, and the whole sequence is enclosed in ‘flag{ }’ tag.
IMPORTANT NOTE: Appendix A provides the account passwords, the application passwords and the secrets
for relevant users. All these passwords and secrets will be changed during the assessment of your solutions.
So your solutions must not hardcode any of these passwords and secrets.
SUID PROGRAMS
The actual access control mechanisms for protecting the secrets are implemented using four SUID programs
located in the Public directory in each user account. Each of these SUID programs allows a user to access a
certain secret, when the right application password is provided. The source code of these programs is written
in C and is located in the same directory as the SUID program. Some of these programs may call certain shell
scripts in their execution. For your convenience, the source code of these programs and shell scripts are also
included in Appendix B. All the C programs were compiled using the following command:
gcc program.c -o program -fno-stack-protector -m32
where program.c and program refer to the source and the binary of the program, respectively.
There are four SUID programs that a user can use to display a secret file. We give a brief description of each
program below. You are required to read the source code (both C code and shell scripts) and to try the
programs yourself to find out more about how each program works. In the following, we assume the user
‘dennis’ has been given the application passwords and is accessing the secrets in a normal way. All examples
illustrated below assume the passwords and secrets given in Appendix A. We repeat again here that these
passwords and secrets will be changed during the assessment.
• alice-secret: This program is located in /home/alice/Public/ and is used to access alice’s secret, i.e.,
the file /etc/comp2700/alice/secret. It takes one argument, which is an application password. If the
input application password matches alice’s application password (located in
/etc/comp2700/alice/password), then alice’s secret will be displayed. The following screenshot shows
an example of the output of a normal run of this program.
COMP2700 2019 Semester 2 - ASSIGNMENT 1
3
This example shows a first attempt with a wrong password (‘iforgot’), which results in an error being
logged in a log file /home/alice/Public/error.log. The second attempt succeeds with the proper
application password for alice (‘aliceone’), with the secret displayed (‘flag{be:2c:1b:c3:e5:ef:22:cd}’).
• bob-secret: This program is located in /home/bob/Public/ and is used to access bob’s secret, i.e., the
file /etc/comp2700/bob/secret. It takes three arguments: a choice of action to perform (‘1’ to display
the secret and ‘2’ to backup the secret), a user name and a password. If the first argument is 1, and
the provided password matches bob’s application password (located in
/etc/comp2700/bob/password), then bob’s secret will be displayed. If the first argument is 2, then
the program copies bob’s secret a backup folder. The following screenshot shows an example of the
output of a normal run of this program.
• charlie-secret: This program is located in /home/charlie/Public/ and is used to access charlie’s secret,
i.e., the file /etc/comp2700/charlie/secret. It takes one argument, which is an application password. If
the application password matches charlie’s application password (located in
/etc/comp2700/charlie/password), then charlie’s secret will be displayed, otherwise, this failed
attempt will be logged in a log file. The following screenshot shows an example of the output of a
normal run of this program.
• admin-secret: This program is located in /home/admin2700/Public and is used to access admin2700’s
secret, i.e., the file /etc/comp2700/admin2700/secret. It takes one argument, which is an application
password. If the application password matches admin2700’s application password (located in
/etc/comp2700/admin2700/password), then admin2700’s secret will be displayed. The following
screenshot shows an example of the output of a normal run of this program.
COMP2700 2019 Semester 2 - ASSIGNMENT 1
4
EVE THE ATTACKER
In this assignment, you will use eve’s account to find the secrets mentioned above. There are 4 (four)
problems you need to solve for this assignment. For each problem, you are asked to write an attack program
or script to find a secret. In the following, we assume all attack programs/scripts are located in /home/eve/.
We assume that eve does not know any of the account/application passwords or secrets, so she needs to find
weakness in the software or OS to access the secrets. Recall again that we will change all account passwords,
all application passwords and all secrets during the assessment, so your solutions cannot rely on hardcoding
the passwords given in Appendix A.
We also assume that the attacker (‘eve’) has an almost identical copy of the system (OS and software), with
the only difference being the (account and application) passwords and the secrets. This means that, as eve,
you will be able to use the root account in your own copy of the system to explore how the access control is
structured, where are the secrets and passwords stored, and other relevant aspects of the system that can be
used to mount an attack on the real system. Pay particular attention to the SUID programs and their owners.
There may be other files or directories relevant to the above SUID programs that you need to discover on your
own to make your attacks work.
PROBLEM 1: ALICE’S SECRET
Your first task is to write an attack script or a program to display alice’s secret without knowing the password.
If your program/script works correctly, it should display the secret that is stored in /etc/comp2700/alice/secret
when run by eve. The following is a sample output of a successful attack:
A successful attack should simply display the secret and nothing else (this remark applies to all problems below
as well).
PROBLEM 2: BOB’S SECRET
For this problem, you are asked to write an attack script/program to display bob’s secret. If your
program/script works correctly, it should display the secret that is stored in /etc/comp2700/bob/secret when
run by eve. The following is a sample output of a successful attack:
PROBLEM 3: CHARLIE’S SECRET
For Problem 3, you are asked to write a script/program to display charlie’s secret. If your program/script works
correctly, it should display the secret that is stored in /etc/comp2700/charlie/secret when run by eve. The
following is a sample output of a successful attack:
COMP2700 2019 Semester 2 - ASSIGNMENT 1
5
PROBLEM 4: ADMIN’S SECRET
For Problem 4, you are asked to write a script/program to display admin2700’s secret. If your program/script
works correctly, it should display the secret that is stored in /etc/comp2700/admin2700/secret when run by
eve. The following is a sample output of a successful attack:
-
WHAT PROGRAMMING LANGUAGE TO USE
You can program your solutions using C, Python or bash shell script. All of the problems can be solved with
very small programs. If you use C, please make sure that your code can be compiled from within the virtual
machine using gcc. Similarly, if you use Python, please make sure the script can be run inside the provided
virtual machine. The Python version installed in the provided virtual machine is version 3.6.7. The solutions are
simple enough that each will fit in one C/Python/shell script file so you do not need to use complicated
project-base code structures. -
SUBMISSION REQUIREMENTS
• What to submit: you must submit the following: -
The source code for the attack script/program for each problem. Name the file as ‘attackX.c’ (if it
is written in C) or ‘attackX.sh’ (if it is written in shell scripts) or ‘attackX.py’ (if it is written in
Python, where X is the problem number. So you would need to submit four source files that
correspond to the four attacks. -
A report detailing an analysis of the vulnerabilities you discovered and how you exploit them to
launch your attacks. Please use PDF format for the report and name the file ‘report.pdf’.
To help us organize your submissions, please put all those files in one zip file, name it according to
your last name and uid. For example, if your last name is Bond and your uid is u1234567 then put all
the files above in a zip file called ‘Bond_u1234567.zip’.
• Output of attack scripts: Each attack script must output only one line containing the secret in the
format ‘flag{xx:xx:xx:xx:xx:xx:xx:xx}’ (see Section 2: Problem 1 - 4 for examples) and nothing else.
Failure to comply with the above requirements may result in mark deduction up to 5% of possible marks of
this assignment.
COMP2700 2019 Semester 2 - ASSIGNMENT 1
6
5. WHERE TO SUBMIT
Submissions of the solutions must be done through the Wattle site for this course. Unless explicitly approved
by the lecturer, the only submission method that is allowed is through Wattle. In particular, unsolicited email
submissions will be ignored.
The submission site and the submission procedure will be provided separately on Wattle page of the course.
- DEADLINE & PENALTY
- The submission deadline is Sunday, September 29th, 2019 - 11:55pm (AET).
- Multiple submissions are allowed. You can submit as many times as you want before the deadline.
But only the latest submission will be graded. - No late submissions are allowed without a prior approval from the course convenor.
- Failure to comply with submission requirements (Section 4) may result in mark deduction up to 5%
of possible marks for this assignment.
- ASSESSMENT
The assessment is based on two components: - Attack code execution (40% of total marks): This is broken down to 5% for Problem 1, 10% for
Problem 2, 10% for Problem 3 and 15% for Problem 4. The assessment of the correctness of your
attack will be partially automated, so please make sure you follow the suggested output format as
mentioned in the problem description above. Your solutions will be tested in the same virtual
machine that is provided with this assignment, but with all password and secret values modified. So
you should make sure that you do not hardcode any of the sample passwords/secrets, as they will not
work in the assessment process. Each attack must be successfully executed within 2 (two) minute,
when run in a standard desktop in CECS computer labs. This is really an over approximation; if you
implement the attacks correctly, each attack should take only a few seconds at most to solve each
problem. - Report (60% of total marks): There is no definitive structure of the report, but here are some
guidelines of what we would expect from the report:
• As a general guideline we expect a division into four parts, corresponding to the division of
the problems, unless you manage to find a single attack that solves all problems, in which
case, it is sufficient to explain the general attack that solves all problems.
• We expect a detailed analysis of what are the vulnerabilities and how you exploit them. It is
not enough, for example, to say that you do a ‘buffer overflow’ attack. You’d need to explain,
e.g., the memory layout, what is the effect of the overflow, how do you subvert the control
flow of the program, etc. Similarly, where the problem/solution concerns Unix security
mechanism, we expect you to articulate clearly the aspects of the access control mechanism
that cause the vulnerability, and how you exploit them. An example is provided in the
accompanying Q&A document.
Note even if your attack code fails to execute, you may still receive marks for your report if you
correctly identify the vulnerabilities and explain your attack strategies.
COMP2700 2019 Semester 2 - ASSIGNMENT 1
7
HINTS
• Problem 2: Some understanding of the C functions rand and srand will be helpful in solving this
problem. You can consult the manual for rand using the following command:
man 3 rand
• Problem 3: The following article from Mitre’s CWE (Common Weakness Vulnerability) database may
be helpful:
https://cwe.mitre.org/data/definitions/377.html
• Problem 4: You may find the command hexdump useful to examine unprintable ASCII characters. The
command hexdump treats its input (file) as a stream of bytes and can output different formats for the
byte stream. By default it represents each byte using hex notation. For example, piping the output of
‘echo’ to ‘hexdump’ gives you the hex values of the characters output by ‘echo’:
COMP2700 2019 Semester 2 - ASSIGNMENT 1
8
APPENDIX A: PASSWORDS AND SECRETS
IMPORTANT NOTE: These passwords and secrets are provided for your convenience, to help you test your
solutions. During the assessment, these passwords and secrets will be changed. Please make sure you do not
hardcode the passwords and secrets in your solution.
User account and passwords to access the virtual machine:
User
Account
Account
password
Admin2700 admin123
alice alice123
bob bob123
charlie charlie123
dennis dennis123
eve eve123
fong fong123
Application passwords and secrets:
Owner Application password Secret
alice aliceone flag{be:2c:1b:c3:e5:ef:22:cd}
bob bobtwo flag{f5:10:38:67:a3:3b:ae:cc}
charlie charliethree flag{a0:57:ee:84:54:93:a1:f7}
admin2700 adminfour flag{db:73:1f:db:1f:70:65:5e}
COMP2700 2019 Semester 2 - ASSIGNMENT 1
9
APPENDIX B: SOURCE CODE
SOURCE CODE FOR PROBLEM 1
File: alice-secret.c
#include
#include
#include
#include
// Execute any shell command
void execute(char *cmd)
{
execl("/bin/bash", “bash”, “-p”, “-c”, cmd, NULL);
}
void sanitise(char *password)
{
int i,j;
char tmp[15];
// remove non-alphabet characters from passwords
j=0;
for(i=0; i < 15; ++i)
if(password[i] >= ‘a’ && password[i] <= ‘z’) {
tmp[j]=password[i];
++j;
} else break;
tmp[j] = ‘\0’;
strcpy(password, tmp);
}
int authenticate(char *str)
{
char stored_password[15]="";
char pass[15];
char path[128] = “/etc/comp2700/alice/password”;
int i;
FILE *fpp;
int auth=0;
fpp = fopen(path, “r”);
if(fpp == NULL)
{
printf(“Password file %s not found\n”, path);
exit(1);
}
fgets(stored_password, 15, fpp);
sanitise(stored_password);
strcpy(pass, str);
sanitise(pass);
if(strcmp(stored_password,pass) == 0)
auth=1;
else {
auth=0;
}
fclose(fpp);
return auth;
}
COMP2700 2019 Semester 2 - ASSIGNMENT 1
10
int main(int argc, char* argv[], char *envp[])
{
char error[256] = "/home/alice/Public/error.sh $USER ";
char pass[15];
if(argc < 2)
{
printf(“Usage: %s password\n”, argv[0]);
return 0;
}
// copy only 15 characters from user input, to prevent stack smashing
strncpy(pass, argv[1], 15);
pass[14]=’\0’;
if(!authenticate(pass)) {
// Log all failed attempts
printf(“Wrong password. This incident has been logged.\n”);
strcat(error, pass);
execute(error); // Execute script to log events
return 0;
}
// Display secret
execute(“cat /etc/comp2700/alice/secret”);
return 0;
}
File: error.sh
#!/bin/bash -p
Get date and time
dt=$(/bin/date ‘+%d/%m/%Y %H:%M:%S’)
Add new entry to log
/bin/echo “[$dt] Wrong password attempt by $1: $2” >> /home/alice/Public/error.log
SOURCE CODE FOR PROBLEM 2
File: bob-secret.c
#include
#include
#include
#include
#include
// Execute any shell command
void execute(char *cmd)
{
execl("/bin/bash", “bash”, “-p”, “-c”, cmd, NULL);
}
void sanitise(char *password)
{
int i,j;
char tmp[15];
// remove non-alphabet characters from passwords
COMP2700 2019 Semester 2 - ASSIGNMENT 1
11
j=0;
for(i=0; i < 15; ++i)
if(password[i] >= ‘a’ && password[i] <= ‘z’) {
tmp[j]=password[i];
++j;
} else break;
tmp[j] = ‘\0’;
strcpy(password, tmp);
}
int authenticate(char *str)
{
char stored_password[15]="";
char pass[15];
char path[128] = “/etc/comp2700/bob/password”;
int i;
FILE *fpp;
int auth=0;
fpp = fopen(path, “r”);
if(fpp == NULL)
{
printf(“Password file %s not found\n”, path);
exit(1);
}
fgets(stored_password, 15, fpp);
sanitise(pass);
strcpy(pass, str);
sanitise(pass);
if(strcmp(stored_password,pass) == 0)
auth=1;
else {
auth=0;
}
fclose(fpp);
return auth;
}
int main(int argc, char* argv[], char *envp[])
{
unsigned int seed=time(0); // use current time as the seed for the random number generator
char user[16];
int r;
char command[128];
int choice=0;
if(argc < 4)
{
printf(“Usage: %s choice user password\n”, argv[0]);
printf(“To display the secret, use choice=1, e.g. \n\n %s 1 bob password\n\n”, argv[0]);
printf(“To backup the secret, use choice=2, e.g., \n\n %s 2 bob password\n\n”, argv[0]);
return 0;
}
strcpy(user, argv[2]);
printf(“Welcome, %s!\n”, user);
srand(seed); // change the seed for random number generator
r = rand(); // generate a random number
choice = atoi(argv[1]);
if(choice == 1) {
if(!authenticate(argv[3])) {
printf(“Wrong password.\n”);
COMP2700 2019 Semester 2 - ASSIGNMENT 1
12
return 0;
}
execute("/bin/cat /etc/comp2700/bob/secret");
}
else if(choice == 2) {
// invoke the backup.sh script to copy the secret to the backup folder.
// the filename is randomly generated
sprintf(command, “/home/bob/Public/backup.sh f%d”, r);
execute(command);
}
else printf(“Wrong choice.\n”);
return 0;
}
File: backup.sh
#!/bin/bash -p
/bin/echo “Copying secret…”
/bin/cat /etc/comp2700/bob/secret > /home/bob/Public/backup/$1
SOURCE CODE FOR PROBLEM 3
File: charlie-secret.c
#include
#include
#include
#include
// Execute any shell command
void execute(char *cmd)
{
execl("/bin/bash", “bash”, “-p”, “-c”, cmd, NULL);
}
void sanitise(char *password)
{
int i,j;
char tmp[15];
// remove non-alphabet characters from passwords
j=0;
for(i=0; i < 15; ++i)
if(password[i] >= ‘a’ && password[i] <= ‘z’) {
tmp[j]=password[i];
++j;
} else break;
tmp[j] = ‘\0’;
strcpy(password, tmp);
}
int authenticate(char *str)
{
char stored_password[15]="";
char pass[15];
char path[128] = “/etc/comp2700/charlie/password”;
int i;
COMP2700 2019 Semester 2 - ASSIGNMENT 1
13
FILE *fpp;
int auth=0;
fpp = fopen(path, “r”);
if(fpp == NULL)
{
printf(“Password file %s not found\n”, path);
exit(1);
}
fgets(stored_password, 15, fpp);
sanitise(stored_password);
strcpy(pass, str);
sanitise(pass);
if(strcmp(stored_password,pass) == 0)
auth=1;
else {
auth=0;
}
fclose(fpp);
return auth;
}
int main(int argc, char* argv[], char *envp[])
{
if(argc < 2)
{
printf(“Usage: %s password\n”, argv[0]);
return 0;
}
if(!authenticate(argv[1])) {
// Log all failed attempts
printf(“Wrong password. This incident has been logged.\n”);
execute("/home/charlie/Public/error.sh");
return 0;
}
execute(“cat /etc/comp2700/charlie/secret”);
return 0;
}
File: error.sh
#!/bin/bash -p
Directory name; uses current user’s name as suffix
tmpdir=/var/tmp/session-log-$USER
create directory for charlie in /var/tmp
/bin/mkdir -p $tmpdir
Get date and time
dt=$(/bin/date ‘+%d/%m/%Y %H:%M:%S’)
Get date – use this for log file name
dd=$(/bin/date ‘+%d-%m-%Y’)
/bin/echo “Wrong password attempt by $USER at $dt” > t m p d i r / tmpdir/ tmpdir/dd.log
COMP2700 2019 Semester 2 - ASSIGNMENT 1
14
SOURCE CODE FOR PROBLEM 4
File: admin-secret.c
#include
#include
char password[15]="";
int authenticate(char * pass)
{
int length = 15;
int result = 0;
char x[15];
strncpy(x, pass, length);
result = strncmp(password, x, length);
if(result) {
printf(“Wrong password: %s\n”, x);
return 0;
}
return 1;
}
int main(int argc, char* argv[])
{
FILE *fps;
FILE *fpp;
char secret[512] = “”;
if(argc < 2)
{
printf(“Usage: %s password\n”, argv[0]);
return 0;
}
fps = fopen("/etc/comp2700/admin2700/secret", “r”);
if(fps == NULL)
{
printf(“Secret file not found\n”);
return 1;
}
fpp = fopen("/etc/comp2700/admin2700/password", “r”);
if(fpp == NULL)
{
printf(“Password file not found\n”);
fclose(fps);
return 1;
}
fgets(password, 15, fpp);
fgets(secret, 512, fps);
if(authenticate(argv[1]))
printf("%s\n", secret);
fclose(fpp);
fclose(fps);
return 0;
}