adam comella jay smith
TRANSCRIPT
![Page 1: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/1.jpg)
Adam ComellaJay Smith
![Page 2: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/2.jpg)
Users and groups File and directory permissions Processes Set user ID Race conditions Interprocess communication Signals
![Page 3: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/3.jpg)
Portable Operating System Interface for UNIX
100% POSIX CompliantAIX
Mac OS XHP‐UXMINIXSolaris
UnixWare
Mostly POSIX CompliantGNU + Linux
Free, Open, and NetBSDOpenSolaris
![Page 4: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/4.jpg)
Hard disk drives
Serial ports
RAM
“UNIX is simple. It just takes a genius to understand its simplicity.” –Dennis Ritchie
![Page 5: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/5.jpg)
Many users share a single system’s resources
IssuesPrevent users from reading each others’ emailKeep each user’s processes separateEnsure each user has a fair share of the available resources
![Page 6: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/6.jpg)
6
users are designated by a username and a user id (UID) computer users work with usernames behind the scenes, Unix works with UID’s
the superuser a special user who has access to nearly everything always has UID 0 usually has the username root
![Page 7: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/7.jpg)
7
user information is contained in /etc/passwd columns of the passwd file:
name, password, UID, primary GID, full name, home, shell
root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/bin/shsync:x:4:65534:sync:/bin:/bin/syncman:x:6:12:man:/var/cache/man:/bin/shmail:x:8:8:mail:/var/mail:/bin/shsyslog:x:101:103::/home/syslog:/bin/falsejay:x:1000:1000:Jay,,,:/home/jay:/bin/bash
![Page 8: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/8.jpg)
8
users belong to 1 or more groups groups allow administrators to concisely refer to multiple related users
group information is contained in /etc/group columns of the group file:
name, password, GID, usersroot:x:0:daemon:x:1:nogroup:x:65534:man:x:12:mail:x:8:syslog:x:103:adm:x:4:jay
![Page 9: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/9.jpg)
9
multiple users can have the same UID for most purposes, they are the same user if an attacker can write to the passwd file, he can add his own superuser account
root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/bin/shsyslog:x:101:103::/home/syslog:/bin/falsejay:x:1000:1000:Jay,,,:/home/jay:/bin/bash...john::0:0:john:/home/john:/bin/bash
anothersuperuser
![Page 10: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/10.jpg)
A file is owned by a single user A file is also shared among a single group
Output of the ls utility using the -l (long output) option
![Page 11: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/11.jpg)
r = read permissionw = write permissionx = execute permission
![Page 12: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/12.jpg)
b = block devicec = character deviced = directory
l = symbolic links = unix socketp = named pipe
Special file indicators
![Page 13: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/13.jpg)
Directories are themselves special files that contain a list of filenames and inode numbers
Read permissionThe filenames can be read from the directory
Write permissionChanges can be made to the list of filenames including removal and insertion
Execute permissionThe files can be stat()edCan chdir() into the directory
![Page 14: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/14.jpg)
In order to prevent a user from unlink()inga file which they do not own, the sticky bit can be used
This is denoted by the character ‘t’ in place of the ‘x’
The /tmp directory needs to leverage the sticky bit
![Page 15: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/15.jpg)
15
What should the permissions be on the passwd file? ‐????????? root root /etc/passwd
![Page 16: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/16.jpg)
16
What should the permissions be on the passwd file? ‐????????? root root /etc/passwd
Users need to change their own passwords
![Page 17: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/17.jpg)
17
What should the permissions be on the passwd file? ‐???????w? root root /etc/passwd
![Page 18: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/18.jpg)
18
What should the permissions be on the passwd file? ‐???????w? root root /etc/passwd
But now any user can add a new superuseraccount!
![Page 19: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/19.jpg)
19
Everybody can read /etc/passwd but only rootcan write to it: ‐rw‐r‐‐r‐‐ root root /etc/passwd
But how do users change their passwords?
![Page 20: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/20.jpg)
20
The password changing program has special permissions
The program runs with root privileges ‐rwsr‐xr‐x root root /usr/bin/passwd
This “s” shows that the setuid bit is set This is what makes the program run as root
![Page 21: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/21.jpg)
21
When the setuid permissions bit is set, the program runs as the user that owns the file
process’ effective UID = UID of file’s user example:
‐rwsr‐xr‐x root root /usr/bin/passwd
file’s usersetuid bitis set
![Page 22: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/22.jpg)
22
Analogous to setuid but setgid is for groups When the setgid permissions bit is set, the program runs as the group that owns the file
process’ effective GID = GID of file’s group example:
‐rwxr‐sr‐x root crontab /usr/bin/crontab
file’s groupsetgid bitis set
![Page 23: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/23.jpg)
A process is an instance of an executable program
Processes come into existence by being executed by other processes
There are several important attributes associated with processes Process ID Real UID, effective UID, saved set‐UID Real GID, effective GID, saved set‐GID Open file descriptors Many more
![Page 24: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/24.jpg)
When a process creates another process, the new (child) process inherits several of its attributes from its parent Open fds Real user/group IDs Pending signals Resource limits Many more
![Page 25: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/25.jpg)
25
The real UID is the UID of the userwho started the process
The effective UID is the UID that is used when checking user privileges of the process effective UID is usually equal to the real UID setuid binaries are a special case▪ the effective UID can differ from the real UID
The saved set‐user‐ID is the same as the effective UID when the process launches
![Page 26: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/26.jpg)
26
The real GID is the GID of the primary group of the user who started the process
The effective GID is the GID that is used when checking group privileges of the process effective GID is usually equal to the real GID setgid binaries are a special case▪ the effective GID can differ from the real GID
The saved set‐group‐ID is the same as the effective GID when the process is launched
![Page 27: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/27.jpg)
27
Processes have the rights of the superuser if and only if their effective UID = 0
Having the effective GID = 0 does not give a process superuser rights programmers sometimes forget the above point is true which leads to bugs
![Page 28: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/28.jpg)
28
Functions can fail if a process runs out of resources programmers may forget to check if functions fail function failures may lead to an exploitable code path
You can lower the resource limits to make these failures happen
![Page 29: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/29.jpg)
29
Some limits you can adjust: the size of the largest file that can be created the maximum number of open files the maximum amount of CPU time the process can use
the maximum number of simultaneous processes for the process’ real UID
see man setrlimit for more
![Page 30: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/30.jpg)
![Page 31: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/31.jpg)
Because UNIX was designed to be a multiuser and multitasking operating system, users and processes must share some of the system’s resources
There are many preemptable resources on a computing system Main Memory CPU time
![Page 32: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/32.jpg)
Ordinarily, there are far more processes running on a UNIX system then there are processing cores
Each process gets a certain amount of CPU time before it is suspended (preempted) by the kernel to allow other processes a chance to run Processes can yield voluntarily in several ways Certain system calls can cause the process to be suspended. These are called blocking syscalls. E.g. read() and write()
![Page 33: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/33.jpg)
A race condition is an anomaly that can affect electronic circuits or software Multi‐core CPUs and GPUs Database management systems
Race conditions in software can lead to unwanted and unanticipated states Incorrect values in memory Security vulnerabilities
![Page 34: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/34.jpg)
![Page 35: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/35.jpg)
It is not uncommon for important and well supported software to have race condition related problems sendmail Web apps that use AJAX
![Page 36: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/36.jpg)
One type of race condition that is prevalent is Time Of Check To Time Of Use, abbreviated TOCTTOU [tock‐too]
A setuid‐root binary with an access()/open() TOCTTOU flaw
![Page 37: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/37.jpg)
![Page 38: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/38.jpg)
Directory layout for attack
Questions to ponder:Why does the attack succeed on the first try, but fail on subsequent attempts?
Why no just link directly with /etc/passwd and /etc/shadow?
![Page 39: Adam Comella Jay Smith](https://reader030.vdocument.in/reader030/viewer/2022012600/6197446e3a866476b76b7f3f/html5/thumbnails/39.jpg)
In order to ensure that the call to access() blocks, a very deep directory structure is used Called a maze. Can be thousands of directories deep.
The link to the file is placed at the very end of the maze