Set-UID Security and Buffer Overflow Exploitation


Set-UID Privilege Management

The Set-UID approach provides the following:

  • Fine-grained access control.
  • Normal users run special programs to gain privileges and conduct privileged operations.
  • No need for a background process; therefore, it offers better performance.
  • A larger attack surface, as environment variables come from the user process.
  • A Set-UID process does not always run with root privileges; it runs with the program owner's privileges.

Process Inheritance and Shell Variables

Environment Variables in fork() and execve()

  • In the case of fork(), all environment variables from the parent process are inherited by the child process.
  • In the case of execve(), the new program's environment is whatever is passed as the envp parameter of the execve() call (e.g., NULL, environ, or a user-defined array); nothing is inherited implicitly.

Shell Variables vs. Environment Variables

b) No, shell variables and environment variables are not the same.

  • Shell variables are local variables within the shell process.
  • The initial shell receives a copy of environment variables as its shell variables.
  • The user can define additional local shell variables if needed.
  • When a child process is created from this shell, only the shell variables that were copied from environment variables, plus any user-defined variables marked with export, are inherited as the child's environment variables.
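The two inheritance rules above (fork() copies the whole environment; execve() passes only what the caller supplies in envp) are what let a privileged program shrink the attack surface noted under Set-UID. The following is an added example, not code from the original notes: it forks, then filters the inherited environment down to a constructed allow-list before execve(), so that only the allowed names reach the new program. The allow-list contents and the use of /usr/bin/env as the target are assumptions for demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Names a privileged (Set-UID) program is willing to inherit; everything else
 * coming from the user's process is dropped.  Constructed allow-list. */
static const char *const ALLOWED[] = { "HOME", "LANG", NULL };

/* Return 1 if "NAME=value" has a NAME that is on the allow-list. */
int env_allowed(const char *entry, const char *const *allow) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                 /* malformed entry: reject */
    size_t n = (size_t)(eq - entry);
    for (; *allow; allow++)
        if (strlen(*allow) == n && strncmp(*allow, entry, n) == 0) return 1;
    return 0;
}

/* Build a NULL-terminated copy of src keeping only allow-listed entries.
 * Caller frees the returned array (the strings are shared with src). */
char **filter_env(char *const *src, const char *const *allow) {
    size_t count = 0, kept = 0;
    while (src[count]) count++;
    char **dst = calloc(count + 1, sizeof *dst);
    if (!dst) return NULL;
    for (size_t i = 0; i < count; i++)
        if (env_allowed(src[i], allow)) dst[kept++] = src[i];
    dst[kept] = NULL;
    return dst;
}

int main(void) {
    /* fork(): the child starts with an exact copy of the parent's environment. */
    pid_t pid = fork();
    if (pid == 0) {
        /* execve(): only what we pass as envp reaches the new program. */
        char **clean = filter_env(environ, ALLOWED);
        char *const argv[] = { "/usr/bin/env", NULL };
        execve("/usr/bin/env", argv, clean);   /* prints at most HOME and LANG */
        perror("execve");
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```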

For foo1: Y – 8. For foo2: Y – 32.

Vulnerability Analysis and Network Listeners

Bob needs to set up a listener on the system to receive the response and analyze it.

  • The command does not invoke the faulty parsing logic with the substring "() { " in the vulnerable Bash.
  • The command does not convey the content type to the Apache server, which is required to receive a response.
  • The command does not use any curl parameters, like -A, -v, etc., that can set environment variables.

Buffer Overflow Technical Specifications

There is an 88-byte distance. Therefore, the 88th to 91st bytes contain the return address.

b) Address Range:

  • Lowest: 0xAABB105C + 4 (i.e., 0xAABB1060)
  • Highest: 0xAABB1004 + 300 – 32 (i.e., 0xAABB1130 – 0x20 = 0xAABB1110)

Three Countermeasures for Buffer Overflow Attacks

1. Address Space Layout Randomization (ASLR)

ASLR randomizes memory addresses during program execution, which makes it harder for the attacker to predict the memory locations and exploit buffer overflows.

2. Stack Guard

Stack Guard places a small known value (a canary) on the stack between the buffer and the control data; the value is checked before the function returns, so an overflow that reached the control data is detected before that data is used.

3. NX Bit

The NX Bit marks some areas of the memory as non-executable, so malicious code will not run in those protected areas.

Chaining and Return-to-LibC Attacks

Chaining Challenges

a) The challenge is that we have to chain from the epilogue to the instruction after the prologue and place the arguments in the malicious code.

b) No.

Logical Components of a Return-to-LibC Attack

Assume that we want to invoke a shell through the attack.

  • We have to find the address of the libc system() function and place it as the return address.
  • While a non-executable stack can prevent some buffer overflow exploitation, it cannot stop Return-to-LibC attacks because only existing executable code is used.
  • We use an environment variable to hold the string "/bin/sh" and pass its address as the argument.
