Hacking - The Art of Exploitation, 2nd Edition

Exploitation 153

A string is read until a null byte is encountered, so the entire string is
written to the file as the userinput. Since this is a suid root program, the file
that is created is owned by root. This also means that since the filename can
be controlled, data can be appended to any file. This data does have some
restrictions, though; it must end with the controlled filename, and a line with
the user ID will be written, also.

There are probably several clever ways to exploit this type of capability.
The most apparent one would be to append something to the /etc/passwd
file. This file contains all of the usernames, IDs, and login shells for all the
users of the system. Naturally, this is a critical system file, so it is a good idea
to make a backup copy before messing with it too much.

reader@hacking:~/booksrc $ cp /etc/passwd /tmp/passwd.bkup
reader@hacking:~/booksrc $ head /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
reader@hacking:~/booksrc $


The fields in the /etc/passwd file are delimited by colons, the first field
being the login name, then the password, user ID, group ID, the user's full
name (the GECOS field), home directory, and finally the login shell. The
password fields are all filled with the x character, since the encrypted
passwords are stored elsewhere in a shadow file. (However, this field can
still contain the encrypted password directly.) In addition, any entry in the
password file that has a user ID of 0 will be given root privileges. That means
the goal is to append an extra entry with both root privileges and a known
password to the password file.


The password is encrypted using a one-way hashing algorithm. Because
the algorithm is one way, the original password cannot be recreated from
the hash value. To prevent lookup attacks, the algorithm uses a salt value,
which when varied creates a different hash value for the same input
password. This is a common operation, and Perl has a crypt() function that
performs it (it wraps the system's crypt(3) library call). The first argument
is the password, and the second is the salt value. The same password with a
different salt produces a different hash.


reader@hacking:~/booksrc $ perl -e 'print crypt("password", "AA"). "\n"'
AA6tQYSfGxd/A
reader@hacking:~/booksrc $ perl -e 'print crypt("password", "XX"). "\n"'
XXq2wKiyI43A2
reader@hacking:~/booksrc $
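The following script is an added example, not code from the book: it parses passwd-format data into its seven fields, audits it for exactly the artefacts an appended rogue entry leaves behind (an extra UID 0 account, a hash sitting in the password field instead of the shadow placeholder, or a line that does not parse), recovers the salt that crypt(3) stores at the front of a hash, and checks a candidate password against a stored hash by re-running crypt() with the stored hash as the salt, which is what login does. The ten clean lines are the ones shown above; the appended "evil" entry is a constructed, hypothetical line that reuses the crypt("password", "AA") hash from the page.

```python
# Added example (not from the book): parse, audit and verify passwd-format data.
# Sample input below is constructed; the "evil" account is hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Tuple

try:
    import crypt  # thin wrapper over crypt(3); deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell
SHADOW_PLACEHOLDERS = ("x", "*", "!")  # values meaning "no hash lives here"


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[Tuple[int, str]]]:
    """Split passwd-format text into entries. Lines that do not have seven
    colon-separated fields with numeric uid/gid are returned separately instead
    of raising, since a malformed line is itself a finding for an auditor."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS or not fields[2].isdigit() or not fields[3].isdigit():
            bad.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries, bad


def audit_passwd(text: str) -> List[str]:
    """One message per suspicious condition: a non-root account with UID 0,
    a password field holding something other than a shadow placeholder
    (a hash or an empty field), or a line that does not parse."""
    entries, bad = parse_passwd(text)
    findings = [f"line {n}: unparseable entry {line!r}" for n, line in bad]
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root (shell {e.shell})")
        if e.passwd not in SHADOW_PLACEHOLDERS:
            findings.append(f"{e.name}: password field is {e.passwd!r}, not a shadow placeholder")
    return findings


def salt_of(stored_hash: str) -> str:
    """Recover the salt (setting string) crypt(3) stores at the front of a hash:
    the first two characters for traditional DES hashes, everything up to the
    last '$' for modular-format hashes such as $1$, $6$ or $y$."""
    if stored_hash.startswith("$"):
        return stored_hash.rsplit("$", 1)[0]
    return stored_hash[:2]


def verify_password(candidate: str, stored_hash: str) -> Optional[bool]:
    """Login-style check: crypt() the candidate with the stored hash as the salt
    argument (it reads its own salt prefix) and compare. Returns None when
    crypt(3) is unavailable or rejects the format (some libcrypt builds disable DES
    and return a '*'-prefixed failure token)."""
    if crypt is None:
        return None
    try:
        computed = crypt.crypt(candidate, stored_hash)
    except (OSError, ValueError):
        return None
    if computed is None or computed.startswith("*"):
        return None
    return computed == stored_hash


# Constructed sample data: the ten lines shown above, then one hypothetical
# appended entry reusing the page's crypt("password", "AA") hash.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
"""
TAMPERED_PASSWD = CLEAN_PASSWD + "evil:AA6tQYSfGxd/A:0:0:me:/root:/bin/bash\n"

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_PASSWD), ("tampered", TAMPERED_PASSWD)):
        print(f"{label}: {audit_passwd(data) or ['no findings']}")
    print("salt of AA6tQYSfGxd/A:", salt_of("AA6tQYSfGxd/A"))
    print("verify 'password':", verify_password("password", "AA6tQYSfGxd/A"))
```

Run against a real system with `audit_passwd(open("/etc/passwd").read())`; on a healthy host it returns nothing, and a planted root-equivalent account shows up twice, once for the UID and once for the hash in the password field. The verify function returns None rather than a wrong answer where the platform's libcrypt no longer accepts the 13-character DES format, so a None result means "could not check", not "wrong password".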


Notice that the salt value is always at the beginning of the hash. When a
user logs in and enters a password, the system looks up the encrypted password