Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Can I write to a read only file ?
1. Can I write to a read only file?
- Oops the file was not closed
Dr. Dharma Ganesan
2. Background and Problem
● A file is owned by the root (admin)
● Other users can read its content but cannot write to it
● An SUID Linux binary can write to that file
● The SUID binary drops the privilege before spawning a new process
○ The new process is not owned by the root
● Problem: The parent process forgot to close the file
● Can the less privileged child process write to the read only file?
3. /etc/zzz is owned by the root
~$ ls -al /etc/zzz
-rw-r--r-- 1 root root 29 May 2 07:48 /etc/zzz
Other users can read (r) it but only the root can write (w) to it.
4. Let’s try to write to the read only file
~$ echo "Writing to a read only file" > /etc/zzz
bash: /etc/zzz: Permission denied
● Let’s find an SUID Linux binary that may have some vulnerability
● Cap_Leak is a demo example (on the next slide)
● Cap_Leak has a vulnerability we will exploit!
○ Cap_Leak will leak the file descriptor
5. Cap_leak can write to the /etc/zzz file
~$ ls -al cap_leak
-rwsr-xr-x 1 root seed 7386 Apr 29 18:45 cap_leak
● Note: cap_leak is an SUID binary (s)
● However, other users are allowed to execute it “as a root” temporarily
● The source code of cap_leak.c is on the next slide
○ Header files are not included to save space
6. void main() {
int fd;
char *v[2];
/* Assume that /etc/zzz is an important system file,
* and it is owned by root with permission 0644… */
fd = open("/etc/zzz", O_RDWR | O_APPEND);
/* Error handling code is removed to save space on the slide */
// Print out the file descriptor value
printf("fd is %dn", fd);
// Permanently disable the privilege by making the effective uid the same as the real uid
setuid(getuid());
// Execute /bin/sh
v[0] = "/bin/sh"; v[1] = 0;
execve(v[0], v, 0);
}
The file is not closed before
spawning a less privileged
child process
8. Content of the read only file (after the attack)
~$ ./cap_leak
fd is 3
$ echo "If we fail to close the files, someone can write to them!" >& 3
$
$ exit
~$ cat /etc/zzz
bbbbbbbbbbbbbbbbbbbbbbbbbbbb
If we fail to close the files, someone can write to them!
9. Conclusion
● This demo shows that we need to close all opened files
● Otherwise, evil processes can write to read only files
● Dropping the privilege is not enough
● Don’t assume that the child process need the file descriptor to exploit
○ File descriptors are small numbers that are easy to guess
10. Reference
Wenliang Du. “Computer Security, A Hands-on Approach,” CreateSpace
Independent Publishing Platform; 1 edition (October 12, 2017)