Linux command injection problem...

Der_Kanzler... (Guest)
Posted: Sat Jun 06, 2009 2:06 am

Hello guys,
I have got a problem testing out a Linux Command injection. I wanted
to test it myself with a self-programmed code with this vulnerability
included, whose basic structure I got from the OWASP wiki (see at the
bottom for the source).
I SUID-ed the program file I created (rwsr-xr-x; owner is root), added
a new user and then tried to inject commands with this user.
But that didn't work because when I call the program with for
example: ./program "ls; cat /etc/shadow" (to use OWASP's suggestion),
then it tells me "cat: /etc/shadow: Permission denied".
It appears as if the program runs correctly and that the cat /etc/shadow
command gets invoked after the script already terminated, thus
getting invoked with the rights of the user and thus the permission is
denied. That would signal that the injection didn't work ... but I
don't know any other possibility to do it?
Can anybody point me to something?
The Source:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    int main(int argc, char **argv)
    {
        char command[256];
        memset(&command, 0, sizeof(command));
        strcat(command, "time ./");
        strcat(command, argv[1]);
        system(command);
        return 0;
    }

Peter van Hooft... (Guest)
Posted: Sat Jun 06, 2009 1:31 pm

On 2009-06-06, Der_Kanzler <osmo.sis at (no spam) lycos.com> wrote:
Quote:
    Hello guys,
    I have got a problem testing out a Linux Command injection. I wanted
    to test it myself with a self-programmed code with this vulnerability
    included, whose basic structure I got from the OWASP wiki (see at the
    bottom for the source).
    I SUID-ed the program file I created (rwsr-xr-x; owner is root), added
    a new user and then tried to inject commands with this user.
    But that didn't work because when I call the program with for
    example: ./program "ls; cat /etc/shadow" (to use OWASP's suggestion),
    then it tells me "cat: /etc/shadow: Permission denied".
    It appears as if the program runs correctly and that the cat /etc/shadow
    command gets invoked after the script already terminated, thus
    getting invoked with the rights of the user and thus the permission is
    denied. That would signal that the injection didn't work ... but I
    don't know any other possibility to do it?
    Can anybody point me to something?
    The Source:
        #include <stdlib.h>
        #include <stdio.h>
        #include <string.h>
        int main(int argc, char **argv)
        {
            char command[256];
            memset(&command, 0, sizeof(command));
            strcat(command, "time ./");
            strcat(command, argv[1]);
            system(command);
            return 0;
        }
Try to set the uid with setuid(0):
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>   /* declares seteuid() */
    int main(int argc, char **argv)
    {
        char command[256];
        memset(&command, 0, sizeof(command));
        seteuid(0);
        strcat(command, "time ./");
        strcat(command, argv[1]);
        system(command);
        return 0;
    }

Lew Pitcher... (Guest)
Posted: Sat Jun 06, 2009 1:50 pm

On June 6, 2009 15:31, in comp.os.linux.security, Peter van Hooft
(pjvh at (no spam) xs4all.nl) wrote:
Quote:
    On 2009-06-06, Der_Kanzler <osmo.sis at (no spam) lycos.com> wrote:
    Quote:
        Hello guys,
        I have got a problem testing out a Linux Command injection. I wanted
        to test it myself with a self-programmed code with this vulnerability
        included, whose basic structure I got from the OWASP wiki (see at the
        bottom for the source).
        I SUID-ed the program file I created (rwsr-xr-x; owner is root), added
        a new user and then tried to inject commands with this user.
        But that didn't work because when I call the program with for
        example: ./program "ls; cat /etc/shadow" (to use OWASP's suggestion),
        then it tells me "cat: /etc/shadow: Permission denied".
        It appears as if the program runs correctly and that the cat /etc/shadow
        command gets invoked after the script already terminated, thus
        getting invoked with the rights of the user and thus the permission is
        denied. That would signal that the injection didn't work ... but I
        don't know any other possibility to do it?
        Can anybody point me to something?
    [snip]
    Try to set the uid with setuid(0):
        #include <stdlib.h>
        #include <stdio.h>
        #include <string.h>
        int main(int argc, char **argv)
        {
            char command[256];
            memset(&command, 0, sizeof(command));
            seteuid(0);
Quoth the manual entry for seteuid:
"Unprivileged user processes may only set the effective user ID to the
real user ID, the effective user ID or the saved set-user-ID."
So, for an unprivileged user, the above code will work only if the real
user ID or saved set-user-ID was 0. But, if the real user ID or saved
set-user-ID was 0, then this code is being executed by root, who is not an
unprivileged user.
Quote:
            strcat(command, "time ./");
            strcat(command, argv[1]);
            system(command);
            return 0;
        }
--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
http://pitcher.digitalfreehold.ca/ | GPG public key available by request
---------- Slackware - Because I know what I'm doing. ------

David W. Hodgins... (Guest)
Posted: Sat Jun 06, 2009 2:24 pm

On Sat, 06 Jun 2009 08:06:43 -0400, Der_Kanzler <osmo.sis at (no spam) lycos.com> wrote:
Quote:
    Can anybody point me to something?
    system(command);
From "man system" ...
    Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange
    values for some environment variables might be used to subvert system integrity. Use the
    exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in
    fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on
    which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a
    modified bash which does not do this when invoked as sh.)
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Der_Kanzler... (Guest)
Posted: Mon Jun 08, 2009 11:24 am

Hello,
thanks for all the replies ... and especially for pointing that out, I
didn't know...
However, with execv() or execl() I don't seem to be able to execute
that command (and then inject an own one) properly, because it tells
me that "the argument for execv is of an incompatible pointer
type" (even though if I'm able to supply a path for the command, which
I have now chosen to be ls, because I don't know the path for time())?
How do I get the functionality from the system()-command above with
the exec()-type of command?
kind regards
DK
On 6 Jun., 22:24, "David W. Hodgins" <dwhodg... at (no spam) nomail.afraid.org>
wrote:
Quote:
    On Sat, 06 Jun 2009 08:06:43 -0400, Der_Kanzler <osmo.... at (no spam) lycos.com> wrote:
    Quote:
        Can anybody point me to something?
        system(command);
    From "man system" ...
        Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange
        values for some environment variables might be used to subvert system integrity. Use the
        exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in
        fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on
        which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a
        modified bash which does not do this when invoked as sh.)
    Regards, Dave Hodgins
    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

Marcel Bruinsma... (Guest)
Posted: Mon Jun 08, 2009 5:44 pm

Der_Kanzler wrote:
Quote:
    However, with execv() or execl() I don't seem to be able to execute
    that command (and then inject an own one) properly, because it tells
    me that "the argument for execv is of an incompatible pointer
    type"
    less /usr/include/unistd.h
Look for 'exec[lv]', notice the __const in the declarations of
those functions. Gcc insists that the parameters you pass
to exec* adhere to the declarations in unistd.h.
The time command is a shell built-in. To emulate it,
you can use clock_gettime(3), e.g.:
    clock_gettime(CLOCK_MONOTONIC, &start);
    <fork() and exec()>
    <waitpid() or wait4()>
    clock_gettime(CLOCK_MONOTONIC, &end);
    delta = timespec_sub(end, start);
Assuming you're still just interested in real time duration;
otherwise, use the information from wait4(2). See also
/usr/include/bits/resource.h.
--
printf -v email $(echo \ 155 141 162 143 145 154 155 141 162 \
143 145 154 100 157 156 154 151 156 145 56 156 154 | tr \ \\)
# O Lord, let brains fall from heaven! #
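
The fork()/exec()/waitpid() outline from the post above, written out as an added example (not code from the thread); run_timed and clean_env are names chosen here, and only wall-clock time is measured. Because no shell parses the argument, a string such as "ls; cat /etc/shadow" is one literal path that simply fails to execute.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed, minimal environment: nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Run path with argv directly (no shell) and store wall-clock seconds in *secs.
 * Returns the child's exit status, 127 if exec failed, -1 on other errors. */
int run_timed(const char *path, char *const argv[], double *secs)
{
    struct timespec start, end;
    int status;
    pid_t pid;

    clock_gettime(CLOCK_MONOTONIC, &start);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);   /* returns only on failure */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &end);
    *secs = (end.tv_sec - start.tv_sec) + (end.tv_nsec - start.tv_nsec) / 1e9;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    double secs;
    int rc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    /* argv + 1 is already the NULL-terminated char *const[] that execve expects;
     * argv[1] is used as a path as given, with no PATH search. */
    rc = run_timed(argv[1], argv + 1, &secs);
    fprintf(stderr, "real %.3fs (exit status %d)\n", secs, rc);
    return rc < 0 ? 1 : rc;
}
```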

Marcel Bruinsma... (Guest)
Posted: Tue Jun 09, 2009 2:54 am

Der_Kanzler wrote:
    #include <sys/types.h>
    #include <unistd.h>
Quote:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    int main(int argc, char **argv)
    {
        char command[256];
        memset(&command, 0, sizeof(command));
        strcat(command, "time ./");
        strcat(command, argv[1]);
??? Perhaps replace by:
        if (--argc) {
            strcat(command, *++argv);
            while (--argc) {
                strcat(command, " ");
                strcat(command, *++argv);
            }
            setuid(geteuid());
Quote:
            system(command);
            return 0;
        }
        return 1;
    }
Make sure the suid command does not have x-permission
for anyone but you, the owner of that binary executable.
--
printf -v email $(echo \ 155 141 162 143 145 154 155 141 162 \
143 145 154 100 157 156 154 151 156 145 56 156 154 | tr \ \\)
# O Lord, let brains fall from heaven! #
All times are GMT - 5 Hours