Due 11:59PM on Jan 31

Assignment out of 39 marks total

For this assignment you will work individually.


You should submit the following TWO files:

  1. A PDF of your assignment report, including a cover page with the assignment details and your name with student number.
  2. A tar or zip file (yes, even if there is only a single file included) containing any code or scripts that you wrote. Any included files must be referenced in the PDF report, or they will not be reviewed. See the General Page for instructions on how to create a tar file.

For each question, include the following (where applicable or otherwise unspecified):

  1. What you did (i.e., your answer to the question -- e.g., a command, action on a webpage, code run, etc.).
  2. How you did it (i.e., the exact command you ran to find the answer or complete an action if required -- e.g., Linux command line, area on a website that you went to, configuration, etc.).
  3. Your explanation of what you did and why you did it.
  4. The output or result of what you did, trimmed to include only the relevant output (i.e., cut out previous commands' text, un-needed text, etc.). This is often in the form of a screenshot.

Note that, depending on the question, some of the above requirements may not apply. Also, #1 and #2 above can often be combined into a single screencap. Some questions explicitly state what to submit; that is to make sure you submit the specific information we are looking for, and the other requirements above still apply.

These requirements may seem tedious and unnecessary; however, they are useful for markers to see that you completed each question, explained that you understood the question, and provided proof that the task was successfully completed.

Attention:

When in doubt, explain as much as you can. I need to see that you understand the answer and the process you used to get the answer. Not including an explanation or providing too little explanation may result in lost marks.


Please prefix your submission file name with your MyCarletonOne ID: e.g., johnsmith-assignment1[.zip/.tar.gz/.tar.xz]
  1. 1 Mark What is your user id (UID)? How did you determine this?
  2. 1 Mark What is your primary group name, and the corresponding group id (GID)?
  3. 0.5 Marks What is the filesystem path of the Linux group file?
  4. 1 Mark What are the permissions of the Linux group file? Give the permissions as both an 'rwx' string and the numeric octal representation. You will need the ls command as well as the stat command.
  5. 0.5 Marks What is the GID of the root group?
  6. 0.5 Marks What is the GID of the shadow group?
  7. 4 Marks Write a bash function to convert a GID to a group name using the Linux group file. Submit both the function definition and 5 invocations.
    Use the following skeleton as a starting point:

    gidSearch() { ...; }
    

    Replace ... with the commands you require to find the group name for the ID. In your commands you can use the $1 token to represent the GID passed to the function as an argument. For example, a function defined as gidSearch() { echo $1; } and run as gidSearch 100 would simply print 100; your version must instead print the matching group name, users.
    A correct solution will produce output similar to these example invocations:

    comp4108@node00:$ gidSearch 100
    users
    
    comp4108@node00:$ gidSearch 45
    sasl
    
    Hint:
    Consider reading a quick tutorial on bash functions. You will likely want to use a combination of cat, grep, and cut piped together. Read the man page for each. There are many possible solutions!
  8. 2 Marks (total) List ALL directories and sub-directories in /A1/Haystack that have the following properties:
    1. 0.5 Marks Are owned by the user comp4108. Include the command used and the resulting list.
    2. 0.5 Marks Have group ownership root. Include the number of directories but NOT THE ENTIRE LIST.
      Hint: Use the wc command
    3. 0.5 Marks Are owned by the user sshd. Include the command used and the resulting list.
    4. 0.5 Marks Have permissions equal to 777. Include the command used and the resulting list.

    Hint:
    Use the find command!
  9. 1 Mark Write a command to change all the directories with permissions 777 in /A1/Haystack to have permissions 750 instead.

    Hint:
    Combine your answer to Question 8, Part 4 with find's -exec argument and the chmod command. You will likely need to prefix your find command with sudo to run it with root permissions, since you are changing permissions on directories you don't own.
  10. 2 Marks (total) In your home directory create the following directory structure using mkdir:

       top
       |--- middle
       |    |-- bottom
       |
       |--- middle_two
       |    |-- bottom_two
       |        |-- end_of_line
       |
       |--- middle_three
    


    1. 0.5 Marks Change the permissions of bottom and bottom_two to 664
    2. 0.5 Marks Create an empty file foo.txt in middle_three and grant the execute permission for user and group
    3. 0.5 Marks Change the ownership of top to root using the sudo and chown command
    4. 0.5 Marks Change the group of top to www-data using sudo and the chgrp command.

    Hint:
    You can save time creating the directory structure using mkdir's -p flag.
    You can quickly verify your directory structure using tree top.
  11. 2 Marks (total)
    1. 1 Mark Find all the binary files in /usr/bin with the setuid bit set.
    2. 1 Mark Using one of the binaries you found as an example, describe why it has the setuid bit enabled, and what the setuid bit accomplishes.
    Hint:
    Again, use the find command for part a.
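As an added example for Question 7 (the editor's, not the course's reference answer), here is one gidSearch that follows the cat/grep/cut hint but anchors the match to the GID field, so that asking for 100 does not also return the group with GID 1000. It takes an optional second argument naming the group file so it can be run against a constructed sample here; on the VM, call it with one argument and it reads /etc/group.

```sh
#!/bin/sh
# Added example (editor's, not the course's reference answer) for
# Question 7: resolve a GID to a group name by parsing a group(5) file.
# An optional second argument names the file so the function can be run
# against a constructed sample here; on the VM, call it with one argument.
gidSearch() {
    # group(5) lines are name:password:GID:member,member...
    # The regex pins $1 to the third field. A bare "grep $1" would also
    # match GID 1000 when asked for 100, or any other field that happens
    # to contain the same digits.
    grep -E "^[^:]*:[^:]*:$1:" "${2:-/etc/group}" | cut -d: -f1
}

# Constructed sample group file (not the VM's /etc/group) so the example
# runs anywhere. The 'video' line has a member list; 'users' and 'staff'
# share leading digits in their GIDs.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:
shadow:x:42:
video:x:44:comp4108,jgordon
sasl:x:45:
users:x:100:
staff:x:1000:
EOF

# Five invocations, as the question asks for.
for gid in 100 45 0 1000 44; do
    printf '%s -> %s\n' "$gid" "$(gidSearch "$gid" "$SAMPLE")"
done
```

A GID with no entry produces empty output rather than an error; if you prefer a non-zero exit status in that case, test the output with [ -n "..." ] in the caller.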
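The find tests used by Questions 8, 9 and 11 share one pattern, shown here as an added example (the editor's, not the course's answer key) on a constructed tree in a temporary directory instead of /A1/Haystack and /usr/bin. The ownership tests use the current user because creating directories owned by comp4108 or sshd requires root; the permission and setuid tests work exactly as they would on the VM.

```sh
#!/bin/sh
# Added example (editor's, not the course's answer key) for Questions 8,
# 9 and 11: find's permission/ownership tests and the -exec pattern, run
# against a constructed tree in a temp directory rather than /A1/Haystack
# or /usr/bin.
HAY=$(mktemp -d)
trap 'rm -rf "$HAY"' EXIT

# Constructed haystack: three 777 directories at different depths and one
# file with the setuid bit set (on a file we own, so no root needed).
mkdir -p "$HAY/a/b/c" "$HAY/d/e" "$HAY/f"
chmod 755 "$HAY/a" "$HAY/a/b/c" "$HAY/d"
chmod 777 "$HAY/a/b" "$HAY/d/e" "$HAY/f"
: > "$HAY/a/tool"
chmod 4755 "$HAY/a/tool"

# Q8 part 4: "-perm 777" is an exact match. "-perm -777" means "all of
# these bits (and possibly more)", "-perm /777" means "any of them".
list_777() { find "$1" -type d -perm 777; }

# Q8 part 2: count instead of list. -user and -group work the same way,
# e.g. find "$1" -type d -group root | wc -l
count_777() { list_777 "$1" | wc -l | tr -d ' '; }

# Q8 parts 1 and 3: directories owned by user $1 under directory $2.
list_owned_by() { find "$2" -type d -user "$1"; }

# Q9: rewrite 777 to 750 in one pass. "{} +" hands find's matches to as
# few chmod processes as possible; "{} \;" runs chmod once per match.
# On the VM, prefix this with sudo: the directories are not yours.
fix_777() { find "$1" -type d -perm 777 -exec chmod 750 {} +; }

# Q11 part 1: "-perm -4000" keeps files that have the setuid bit set,
# whatever the other bits are. An exact "-perm 4000" would match nothing
# useful, since a setuid binary is always also executable.
list_setuid() { find "$1" -type f -perm -4000; }

echo "777 directories before: $(count_777 "$HAY")"
fix_777 "$HAY"
echo "777 directories after:  $(count_777 "$HAY")"
echo "setuid files:"; list_setuid "$HAY"
echo "owned by $(id -un):"; list_owned_by "$(id -un)" "$HAY"
```

Before running the Q9 command on the VM, run the Q8 part 4 listing first and keep its output: the chmod is not reversible from find's point of view, and the listing is your evidence of what changed.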

For Part B you will need to use getfacl, setfacl, chmod, usermod and find to manipulate the access control lists for a directory structure. Use sudo as required if you encounter permission denied errors. Consult man pages for commands to complete each question.


In /A1/Gotham you will find a directory tree as follows:

Gotham
|
|-- Arkham
|
|-- GothamPD
|
'-- WayneManor
    |
    |-- Batcave
    |
    '-- MasterBedroom


  1. 0.5 Marks Give the ACL for the top level Gotham directory.
  2. 1 Mark Use chmod to add rx permissions for the other category to Gotham and ALL its sub-directories.

    Hint:
    Use the recursive flag of chmod.
  3. 1 Mark Use setfacl to add read and write permissions to Gotham, Arkham and GothamPD for the user jgordon
  4. 1 Mark Use setfacl to add read, write, and execute permissions to WayneManor, Batcave and MasterBedroom for the user bwayne.
  5. 1 Mark Use setfacl to remove the ACL entries on Arkham for the users skyle and ocobblepot.
  6. 2 Marks Give the ACL for Gotham and all of its subdirectories.

    Hint:
    Use find's -exec argument and the getfacl command.
  7. 2 Marks ACLs help enforce which security principle(s) discussed in Chapter 1.7 of the course textbook? Give the name of the principle(s) and a brief explanation on how ACLs help enforce the principle(s). Use only P1-20 and not HP1 or HP2.
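The Part B steps replayed end to end, as an added example (the editor's, not the course's answer key) on a constructed copy of the Gotham tree in a temporary directory. The users jgordon, bwayne, skyle and ocobblepot exist only on the course VM, so numeric UIDs 1001 to 1004 stand in for them here (an assumption; setfacl accepts either names or numbers). It needs the acl package and an ACL-capable filesystem, which acl_supported checks for before doing anything.

```sh
#!/bin/sh
# Added example (editor's, not the course's answer key): the Part B
# steps on a constructed copy of the Gotham tree. UIDs 1001-1004 are
# assumed stand-ins for jgordon, bwayne, skyle and ocobblepot.
BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT
G="$BASE/Gotham"
mkdir -p "$G/Arkham" "$G/GothamPD" "$G/WayneManor/Batcave" "$G/WayneManor/MasterBedroom"

# True only if setfacl exists and this filesystem accepts an ACL entry.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 &&
        : > "$BASE/.probe" &&
        setfacl -m u:1001:r "$BASE/.probe" 2>/dev/null
}

apply_part_b() {
    setfacl -m u:1003:rwx,u:1004:rwx "$G/Arkham"         # entries that Q5 removes
    chmod -R o+rx "$G"                                     # Q2: rx for other, whole tree
    setfacl -m u:1001:rw "$G" "$G/Arkham" "$G/GothamPD"    # Q3: jgordon rw
    setfacl -R -m u:1002:rwx "$G/WayneManor"               # Q4: bwayne rwx, incl. subdirs
    setfacl -x u:1003,u:1004 "$G/Arkham"                   # Q5: drop skyle, ocobblepot
}

# Q6: every ACL in the tree. -p keeps the leading '/' in the "# file:"
# header; -n prints numeric ids, which also matters when an ACL names a
# UID that no longer has a passwd entry.
dump_acls() { find "$1" -type d -exec getfacl -pn {} \; 2>/dev/null; }

# Helpers for checking the result: named-user entries, and the mask.
named_users() { getfacl -pn "$1" 2>/dev/null | grep '^user:[^:]' | cut -d: -f2 | sort; }
mask_of()     { getfacl -pn "$1" 2>/dev/null | grep '^mask:' | cut -d: -f3; }

if acl_supported; then
    apply_part_b
    dump_acls "$G"
    # Caveat: once an ACL has a mask entry, chmod's group bits edit the
    # mask, not the owning group. A later "chmod g-w" caps every named
    # user to r-x and getfacl prints "#effective:r-x" beside their entry.
    chmod g-w "$G/WayneManor/Batcave"
    echo "Batcave mask after chmod g-w: $(mask_of "$G/WayneManor/Batcave")"
else
    echo "setfacl unavailable or unsupported here; run this on the VM"
fi
```

The order of Q2 and Q3/Q4 matters for the same reason: do the chmod first, as the assignment does. If you chmod after setfacl, re-check getfacl for "#effective:" lines, and restore the mask with setfacl -m m::rwx if it was clipped.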

In this part of the assignment you will learn to exploit a classic time-of-check to time-of-use (TOCTOU) vulnerability in order to gain root access on your VM. You should prepare for this part of the assignment by reading a general description of this class of vulnerability: the Wikipedia article on TOCTOU, the content from Chapter 6 of the course's textbook materials, or the Safe Temporary File Use section of Computer Security: Principles and Practice by Stallings and Brown.

When answering these questions, please provide a brief narrative explaining the problem and what steps you took for the solution. Provide enough detail to demonstrate that you understand the problem and solution.


  1. In /A1/Racing/Slow you will find a vulnerable application called vuln_slow. To ease you into exploiting a TOCTOU race condition, this vulnerable application has been written to accept two arguments: a delay in seconds and a message to write to a debug file. vuln_slow checks the permissions on its debug file, sleeps for the provided number of seconds, and then writes to the debug file. A real vulnerable program would not let you choose how long it sleeps between time of check and time of use! The delay is there so that you can exploit the binary reliably with manually entered commands.

    In the /A1/Racing/Slow directory you will also find a file named root_file that is owned by root and has no write permissions for any other users. Your objective is to exploit vuln_slow into writing a message you provide into root_file.

    In order to do this you will need to:
    1. Use the strace command to learn the location of the debug file that vuln_slow writes its output to. Inspect the debug file to check that the message you provided to vuln_slow was appended to it.
    2. Invoke vuln_slow with a test message and a large delay; 30 to 60 seconds is recommended.
    3. While vuln_slow is sleeping, delete the debug file it checked and replace it with a symbolic link to root_file using the ln command.

    Provided you've followed all three steps successfully, and timed the commands right inside the sleep window, you should find your message appended to the end of root_file. Remember: Timing is everything! Use a larger sleep time and be prepared to enter the correct commands quickly, and without error.

    5 Marks Describe the exploitation process in detail, including commands invoked and a log of successfully adding a message to root_file. Include an explanation of why the attack works.
    Hint:
    This should include a discussion of the execution order, the access() system call in relation to real UIDs and effective UIDs, and a reference to setuid.

  2. Now that you've successfully exploited a toy race condition vulnerability it's time to step up the challenge. In /A1/Racing/Fast you will find the same vulnerable program (this time named vuln_fast) modified to no longer accept a sleep time argument. This program uses the same debug file location you found in Question 1, Step 1 of this part (you can verify this again using strace if you want).

    Since the vulnerability in this program does not occur after a configurable sleep you will only be able to exploit it in a probabilistic fashion by automated means. In order to aid you in this task you have been provided with two skeleton bash scripts to modify: vuln.sh and exploit.sh.

    The first script, vuln.sh, removes the debug file (to clean up from any old exploit attempts) and runs the vulnerable program in a tight loop with a high nice value (to increase your chances of exploitation, see man nice to understand why).

    The second script, exploit.sh, removes the debug file, and generates a symbolic link to a specified target in its place. This also happens in a tight loop such that exploit.sh and vuln.sh when run at the same time are competing to access the debug file (or symlink).

    Your objective for this part is to gain access to the root user by exploiting the vuln_fast program to add your username to the root user's .rhosts file to allow passwordless login using the rsh and rlogin commands.

    For an example of how this file would be used in practice, let's say the root user trusts you to log in with superuser (root) privileges without requiring a password. The root user would put your userid into their own .rhosts file.

    But the root user of this machine does not trust you, so we are trying to exploit this behaviour. In order to do this you will need to:
    1. Edit the vuln.sh script (using nano, or another text editor) to provide it the location of the debug file
    2. Edit the vuln.sh script to give it the payload string you want written to the target file (see Hint!).
    3. Edit the exploit.sh script to provide it the location of the debug file
    4. Edit the exploit.sh script to give it the target file for your attack (See Hint!).
    5. Run the vuln.sh script in one terminal
    6. Run the exploit.sh script in another terminal
    7. Wait about a minute, then terminate both scripts by pressing Ctrl+C in the respective terminals
    8. Check if your exploit was successful by running rsh -l root localhost whoami. If it was successful you should not be asked for a password and will receive the reply root to the whoami command. Remember, if it did not work you may have to repeat steps 5 onward due to the probabilistic nature of race conditions (if it failed, you will receive a permission denied error).
    Once the exploit is successful, you can execute rsh -l root localhost bash to spawn a new superuser privileged shell with full control over the system.

  3. 8 Marks Describe the exploitation process in detail, including commands invoked and a log of you successfully gaining root privilege on the box. Include an explanation of why the attack works.
    Hint:
    This explanation should reference setuid, how rsh/rhosts is being abused, and why the nice command is needed this time.

    Hint:
    The server has been configured to allow the (very insecure) rsh and rlogin commands. The rsh command allows you to run a shell command as a specified user on a remote (or local) machine. It first checks the specified user's .rhosts file for a list of hosts and users that can execute commands without a password!

    Hmmm... Sounds juicy. If only there was a way to get localhost (since you're exploiting the local machine) and your username added to the root user's .rhosts file...

    You can learn more about the location and format of this file on the Ubuntu Manuals page.
    To find the location of root's home directory, you can check the passwd file manual pages.
  4. 2 Marks Which security principle(s) discussed in Chapter 1.7 of the course textbook is (are) being broken and exploited? Give the name of the principle(s) and a brief explanation of how it was broken. Use only P1-20 and not HP1 or HP2.
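To make the check/use window concrete before touching the real binaries, here is an added example (the editor's, not vuln_slow, vuln_fast or the provided vuln.sh/exploit.sh) that re-creates both races in plain shell in a temporary directory. Everything runs as the invoking user, so the privilege boundary is not reproduced: on the VM, access(2) fails for the symlink because the real UID cannot write root_file, while the later open(2) succeeds because the effective UID of the setuid-root process can. Here the victim simply refuses symlinks at check time, standing in for that failing access() call; the timing, the rm/ln swap and the loop structure are the same.

```sh
#!/bin/sh
# Added example (editor's, not the course's vuln_slow/vuln_fast or the
# skeleton scripts): the TOCTOU window re-created in shell. The symlink
# refusal at check time is a stand-in for access(2) judging the real UID.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEBUG="$WORK/debug.log"    # stands in for the debug file strace reveals
TARGET="$WORK/root_file"   # stands in for /A1/Racing/Slow/root_file
: > "$TARGET"

# Victim, modelled on vuln_slow: $1 = delay in seconds, $2 = message.
# Time of check is a test on the *path*; time of use is the append, which
# opens the path again and follows whatever is there by then.
vuln_slow() {
    rm -f "$DEBUG"; : > "$DEBUG"                    # fresh debug file
    if [ -w "$DEBUG" ] && [ ! -L "$DEBUG" ]; then   # check
        sleep "$1"                                   # the window
        printf '%s\n' "$2" >> "$DEBUG"               # use
    fi
}

# Attacker for the slow case: let the victim pass its check, then swap the
# path for a symlink inside the window (the assignment's manual
# "rm debugfile; ln -s root_file debugfile").
exploit_slow() {
    : > "$TARGET"
    vuln_slow 2 "owned via symlink" &
    sleep 1                                  # inside the 2-second window
    rm -f "$DEBUG"; ln -s "$TARGET" "$DEBUG"
    wait
    cat "$TARGET"                            # the message, if the swap landed
}

# Fast case, modelled on vuln.sh/exploit.sh: no sleep, so the window is
# microseconds wide and the attack only wins by colliding many times.
vuln_fast() {
    [ -e "$DEBUG" ] || : > "$DEBUG"                  # create if missing
    if [ -w "$DEBUG" ] && [ ! -L "$DEBUG" ]; then    # check
        printf '%s\n' "$1" >> "$DEBUG"               # use, immediately
    fi
}
race_fast() {                                        # $1 = victim iterations
    : > "$TARGET"; rm -f "$DEBUG"
    ( i=0; while [ "$i" -lt "$1" ]; do vuln_fast payload; i=$((i+1)); done ) &
    victim=$!
    while kill -0 "$victim" 2>/dev/null; do          # exploit.sh's loop
        rm -f "$DEBUG"; ln -s "$TARGET" "$DEBUG" 2>/dev/null
    done
    wait "$victim"
    grep -c payload "$TARGET" || true                # wins; 0 means run again
}

echo "slow: $(exploit_slow)"
echo "fast: $(race_fast 1000) wins in 1000 attempts"
```

A few practitioner notes. Zero wins from a short fast run is normal; the VM scripts run for about a minute and vuln.sh runs the victim under nice so it is more often descheduled between its check and its write. To find the debug file on the VM, strace -f -e trace=access,open,openat ./vuln_slow 5 test shows both the access() and the later open() on the same path. If the debug file turns out to live in a world-writable sticky directory such as /tmp, check sysctl fs.protected_symlinks: when it is 1, a root process will not follow a symlink you own there, and the swap fails for that reason rather than timing. The fix on the program side is never to decide on a path and then act on the path: drop to the real UID before opening, or open first and validate the descriptor with fstat, using O_NOFOLLOW.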