Assignments of day 5 in week #2

Local root exploit through SUID

Last Updated : Friday, 12-Apr-2002 15:30:47 HKT

On Unix systems, the "suid" bit on an executable program causes the program to run with the privileges of the file's owner. A program that is setuid "root" therefore runs with root privileges. There are many legitimate reasons for a program to need root privileges, and many programs have them. However, these suid programs can open security holes under certain circumstances: the program runs with privileges its caller does not have, yet it still trusts inputs (arguments, environment variables, the current directory) that the caller controls.

  1. The dump command executes an external program with suid privilege
    1. Back up your original dump program
      cp -p /sbin/dump /sbin/dump.bak 

    2. Temporarily install the unpatched dump
      cp /usr/local2/wsh/suid/dump.vul /sbin/dump
      chmod +s /sbin/dump
      
    3. ssh to your host again as a general user and try to get a root shell by exploiting dump
      /usr/local2/wsh/suid/dump-exp.sh 
      /tmp/cool
      

      Type "whoami" after running /tmp/cool. Why do you get a root shell after running /tmp/cool?

    4. Restore the original dump program
      rm /tmp/cool
      rm /sbin/dump
      cp -p /sbin/dump.bak /sbin/dump
      

    5. Examine the /usr/local2/wsh/suid/dump-exp.sh script and figure out
      • What is the /tmp/cool program generated by the dump-exp.sh script?
      • Why can a general user get a root shell by running the /tmp/cool program?
      • Through which environment variable did the unpatched dump program create the /tmp/cool program?
      • If we remove the suid bit from the unpatched dump program (chmod -s /sbin/dump), will the above exploit still work?

      Put your findings on your web pages.

  2. LBL traceroute exploit

    1. Back up your original traceroute
      cp -p /usr/sbin/traceroute /usr/sbin/traceroute.bak

    2. Temporarily install the unpatched traceroute
      cp /usr/local2/wsh/suid/traceroute.vul /usr/sbin/traceroute
      chmod +s  /usr/sbin/traceroute
      

    3. ssh to your host again as a general user and try to get a root shell by exploiting the unpatched traceroute
      cp /usr/local2/wsh/suid/t* /tmp
      cd /tmp
      ./ttrace
      
      Type "whoami" after running ./ttrace to confirm that you got a root shell.

    4. Restore the original traceroute program
      cp -p /usr/sbin/traceroute.bak  /usr/sbin/traceroute 

    5. Examine the ttrace script and figure out
      • What parameters does the ttrace script pass to the traceroute exploit program?
      • If we remove the suid bit from the unpatched /usr/sbin/traceroute program (chmod -s /usr/sbin/traceroute), will the above exploit still work?

      Put your findings on your web pages.
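Both assignments end with the same two questions: which binaries on the host are setuid, and does removing the suid bit stop the exploit? The script below is an added example written for this page (it is not part of the course material or of dump/traceroute). It gives a root user a way to answer them after the restore steps: list every setuid file under a directory, confirm whether a particular binary still carries the bit, diff the result against a baseline list, and run a helper with an empty environment so that nothing inherited from the caller reaches a privileged program. The baseline file path and the file name suid_check.sh are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the assignment. Defender-side checks for
# setuid binaries. File name (suid_check.sh) and the baseline path used
# in the usage comments are assumptions.

# Print every regular file under the directory $1 that has the setuid
# bit, one absolute path per line. -xdev keeps find on one filesystem so
# NFS or /proc do not flood the listing.
list_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Return 0 if the file $1 has the setuid bit, 1 otherwise. After
# "chmod -s /sbin/dump" this returns 1, which is the state the
# restore steps should leave the host in.
is_suid() {
    [ -u "$1" ]
}

# Print setuid files under directory $1 that are not listed in the
# baseline file $2 (one absolute path per line). Anything printed here
# is a binary that gained the suid bit since the baseline was taken,
# for example a temporarily installed vulnerable dump or traceroute.
unexpected_suid() {
    list_suid_files "$1" | while IFS= read -r f; do
        grep -qxF "$f" "$2" || printf '%s\n' "$f"
    done
}

# Run a command with an empty environment and a fixed PATH. A setuid
# program that must spawn a helper should start from a clean environment
# like this and use absolute paths, so variables set by the invoking user
# cannot redirect it to a program of the user's choosing.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin "$@"
}

# Usage, as root, after restoring the original programs:
#   . ./suid_check.sh
#   is_suid /sbin/dump && echo "dump is still setuid"
#   is_suid /usr/sbin/traceroute && echo "traceroute is still setuid"
#   list_suid_files / > /root/suid.baseline        # take a baseline once
#   unexpected_suid / /root/suid.baseline          # later: what changed?
```

The baseline should be taken on a clean host and stored where general users cannot modify it; every path printed by unexpected_suid afterwards is either a deliberate change (such as the temporary install in step 2 of each assignment) or something to investigate.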
