Finger 79/tcp # John McDonald: Answers To Challenge #2

Dave G. | November 14th, 2006 | Filed Under: Guests

Login: jm                   Name: John McDonald
Directory: /guests/jm      Shell: /bin/zsh
On since Fri Nov 10 08:55:00 CDT from shaolin
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.

In the first challenge, there is an invariant that is supposed to hold between maxsize and ptr: maxsize tracks the amount of space left in the banner buffer, and ptr points to the next place to write in it. The vulnerability is that this relationship is broken right after the concatenation of the origin IP string. Look at this again:

ptr += strlen(ptr);
maxsize -= strlen(ptr);

ptr is correctly updated to point past the origin IP string. However, maxsize isn't changed, because strlen(ptr) is now 0. The operations were done in the wrong order: maxsize should have been updated first, before ptr was moved to the end of the string. Thus the subsequent vsnprintf() can overflow the buffer, because maxsize is too large by exactly the length of the origin IP string.
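To make the drift concrete, here is an added example (not code from the challenge or from the original post) that performs the origin-IP append with both update orders and then computes how far past the end of the buffer the next vsnprintf(ptr, maxsize, ...) would be allowed to write. The buffer size, the origin strings and the snprintf stand-in for the concatenation are assumptions of this example; nothing is actually written out of bounds, the margin is only calculated.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_SIZE 32   /* assumed capacity of the banner buffer */

/* Append `origin` to `banner` (capacity `size`) and report how many bytes past
 * the end of `banner` the next write, the vsnprintf(ptr, maxsize, ...) in the
 * challenge, would be permitted to produce given the ptr/maxsize pair left
 * behind. 0 means ptr + maxsize still equals the end of the buffer; anything
 * larger is the overflow margin. `buggy` selects the challenge's update order. */
size_t overflow_margin(char *banner, size_t size, const char *origin, int buggy)
{
    char *ptr = banner;
    size_t maxsize = size;
    size_t allowed_end;

    /* Stand-in for the challenge's concatenation of the origin IP string;
     * snprintf truncates if the origin does not fit. */
    snprintf(ptr, maxsize, "%s", origin);

    if (buggy) {
        ptr += strlen(ptr);      /* ptr now sits on the terminating NUL ...      */
        maxsize -= strlen(ptr);  /* ... so strlen(ptr) == 0 and maxsize is unchanged */
    } else {
        maxsize -= strlen(ptr);  /* measure the string first ...                */
        ptr += strlen(ptr);      /* ... then advance past it                    */
    }

    /* The next vsnprintf(ptr, maxsize, ...) may write up to ptr + maxsize;
     * the buffer really ends at banner + size. */
    allowed_end = (size_t)(ptr - banner) + maxsize;
    return allowed_end > size ? allowed_end - size : 0;
}

/* Convenience wrapper over a fixed-size scratch banner. */
size_t margin_for(const char *origin, int buggy)
{
    static char banner[BANNER_SIZE];
    return overflow_margin(banner, sizeof banner, origin, buggy);
}

int main(void)
{
    const char *origin = "192.168.100.200";   /* constructed sample origin IP */
    printf("origin=%s buggy margin=%zu fixed margin=%zu\n", origin,
           margin_for(origin, 1), margin_for(origin, 0));
    return 0;
}
```

With the buggy order the margin is always the length of whatever landed in the buffer (15 bytes for the sample address, and 31 bytes when a longer origin is truncated into the 32-byte buffer); with the corrected order it is 0 regardless of the origin's length.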

Looking at the second challenge, consider what happens when a match for the dangerous environment variable is found:

if (*vp == '\0' && *ep++ == '=') {
        char **P;

        for (P = env;; ++P)
                if (!(*P = *(P + 1)))
                        break;
}
env++;

The program eliminates this environment variable by shifting the following environment variables back one position in the env array, overwriting the "evil" variable. The problem is that, once this is done, the env pointer is incremented before the search for evil environment variables continues, so the entry that was just shifted into the current slot is never examined. So, say you had this env array:

env -> LD_PRELOAD=/tmp/evil.so
LD_PRELOAD=/tmp/evil.so
TERM=vt100
MARK=lazy.australian.making.me.write.his.answers

So, it matches LD_PRELOAD and shifts the following environment variables back one to overwrite it:

env -> LD_PRELOAD=/tmp/evil.so
TERM=vt100
MARK=lazy.australian.making.me.write.his.answers

Then, it incorrectly increments env:

LD_PRELOAD=/tmp/evil.so
env -> TERM=vt100
MARK=lazy.australian.making.me.write.his.answers

Oops! Like all good bugs, this one was originally found in Linux by Solar Designer ages ago. Astute readers may have noticed that it still affects certain modern-day Internets.
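As an added example (not code from the challenge or from the original post), the scrubbing loop below reproduces the challenge's match-and-shift logic over the env array shown above, with a switch between the challenge's cursor handling and the corrected one. The surrounding name-matching loop, the helper functions and the sample array contents are assumptions of this example; only the shift loop itself is the challenge's.

```c
#include <stdio.h>
#include <string.h>

/* Remove every entry named `name` (e.g. "LD_PRELOAD") from the NULL-terminated
 * `env` array, in place, using the challenge's match-and-shift logic. With
 * buggy=1 the cursor advances after a deletion, as in the challenge; with
 * buggy=0 it only advances when the current entry was kept, so the entry that
 * was just shifted into the current slot gets examined too. Returns the number
 * of entries removed. */
int scrub_env(char **env, const char *name, int buggy)
{
    int removed = 0;

    while (*env != NULL) {
        const char *vp = name;
        const char *ep = *env;

        /* Compare name against the entry up to the first mismatch. */
        while (*vp != '\0' && *ep != '\0' && *vp == *ep) {
            vp++;
            ep++;
        }

        if (*vp == '\0' && *ep++ == '=') {
            char **P;

            /* Shift the following entries back one slot over this one,
             * including the terminating NULL. */
            for (P = env;; ++P)
                if (!(*P = *(P + 1)))
                    break;
            removed++;

            if (buggy)
                env++;   /* the bug: skips whatever was just shifted into *env */
        } else {
            env++;
        }
    }
    return removed;
}

/* Count entries in `env` whose name is exactly `name`. */
int count_env(char **env, const char *name)
{
    size_t n = strlen(name);
    int count = 0;
    for (; *env != NULL; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            count++;
    return count;
}

/* Run the scrub over a freshly constructed copy of the post's example env
 * (two adjacent LD_PRELOAD entries). Returns how many LD_PRELOAD entries
 * survive; if `removed` is non-NULL it receives how many were deleted. */
int scrub_sample(int buggy, int *removed)
{
    char *env[] = {
        "LD_PRELOAD=/tmp/evil.so",
        "LD_PRELOAD=/tmp/evil.so",
        "TERM=vt100",
        "MARK=lazy.australian.making.me.write.his.answers",
        NULL,
    };
    int r = scrub_env(env, "LD_PRELOAD", buggy);
    if (removed != NULL)
        *removed = r;
    return count_env(env, "LD_PRELOAD");
}

int main(void)
{
    int removed;
    printf("buggy: %d LD_PRELOAD left\n", scrub_sample(1, &removed));
    printf("fixed: %d LD_PRELOAD left\n", scrub_sample(0, &removed));
    return 0;
}
```

With the challenge's cursor handling one LD_PRELOAD survives, exactly the second copy that was shifted into the slot the loop had just cleared; without the extra increment both copies are removed.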

OK, the third challenge. We were shooting for a good example of an RLIMIT bug. The goal in this attack would be to have the write() of the very last password entry return immediately after writing the username and the colon character, which would leave that user without a defined password. On Linux, you could use RLIMIT_FSIZE to dial in the exact byte at which you wanted this to occur. Exceeding the limit can cause the SIGXFSZ signal to be sent, but the signals were blocked in the challenge code. (Also, the signal mask and ignored dispositions are inherited across exec, even into a setuid program, so your exploit could arrange for that signal to be ignored before running the target.)
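An added demonstration of that dial-in (not code from the challenge or from the original post): it writes some constructed password-file lines to a throwaway temporary file with the soft RLIMIT_FSIZE set so the file may grow to exactly the end of the previous entries plus a few bytes, and returns how much of the last entry the kernel accepted. The sample entries, the temporary-file path under /tmp and the SIG_IGN handling stand in for the challenge's own setup and are assumptions of this example; the behaviour relied on is Linux's: a write that would cross the limit is cut short at the limit, and a write starting at or past it fails with EFBIG (and SIGXFSZ, if not ignored).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/resource.h>

/* Constructed sample entries; the previous lines of the file and the last one. */
static const char SAMPLE_PREFIX[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daveg:x:1000:1000:Dave G.:/home/daveg:/bin/sh\n";
static const char SAMPLE_LAST[] =
    "jm:x:1001:1001:John McDonald:/guests/jm:/bin/zsh\n";

/* Write `prefix` and then `last` to a fresh temporary file with the soft
 * RLIMIT_FSIZE set to strlen(prefix) + stop_at bytes. Returns how many bytes
 * of `last` the kernel accepted (stop_at when the limit bites, -1 if the
 * write starts at or beyond the limit or on a setup failure). SIGXFSZ is
 * ignored for the duration, mirroring the challenge's blocked signals; the
 * old disposition and limit are restored before returning. */
ssize_t write_last_entry(const char *prefix, const char *last, size_t stop_at)
{
    char path[] = "/tmp/rlimit-demo-XXXXXX";   /* assumed writable location */
    struct rlimit old, lim;
    struct sigaction ign, saved;
    ssize_t n = -1;
    int fd;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                              /* keep the descriptor, drop the name */

    /* Ignore SIGXFSZ so an over-limit write fails with EFBIG instead of
     * killing us. An exploit would do this before exec'ing the setuid target,
     * since SIG_IGN dispositions and the signal mask survive execve. */
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    if (sigaction(SIGXFSZ, &ign, &saved) != 0)
        goto out;

    if (getrlimit(RLIMIT_FSIZE, &old) != 0)
        goto restore_sig;
    lim = old;
    lim.rlim_cur = strlen(prefix) + stop_at;   /* the file may grow to exactly here */
    if (setrlimit(RLIMIT_FSIZE, &lim) != 0)
        goto restore_sig;

    /* Earlier entries fit entirely under the limit ... */
    if (write(fd, prefix, strlen(prefix)) != (ssize_t)strlen(prefix))
        goto restore_limit;
    /* ... and the last one is cut off after `stop_at` bytes, e.g. right after "jm:". */
    n = write(fd, last, strlen(last));

restore_limit:
    setrlimit(RLIMIT_FSIZE, &old);
restore_sig:
    sigaction(SIGXFSZ, &saved, NULL);
out:
    close(fd);
    return n;
}

int main(void)
{
    ssize_t n = write_last_entry(SAMPLE_PREFIX, SAMPLE_LAST, 3);
    printf("last entry: %zd of %zu bytes written\n", n, strlen(SAMPLE_LAST));
    return 0;
}
```

With stop_at = 3 the last write() returns 3, leaving the file ending in "jm:" with no password field; a generous limit lets the whole entry through, and a limit that is already reached when the last write starts makes it fail outright rather than write short, which is why the exploit has to aim for a byte strictly inside the entry.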

As far as the competitors go:

Adam Morrison was the only one to see where we were going with the third one. However, he didn’t answer the other two challenges, though god knows he could have easily.

So, it basically comes down to Kasperle and Mangoboy. Kasperle's analysis was awesome, but in the end we think that Mangoboy figured out the more exploitable condition, and his suggestion of creatively filling up the disk is plausible.

We didn't think of that vector when crafting this challenge, though daveg came up with it, along with the rlimit attack, within a few minutes. So, it was a tough call, but the winner of this challenge is Mangoboy.

5 Comments so far

  • kekeke

    November 14th, 2006 7:59 pm

    no book for showing openbsd 0day? :(

  • Mangoboy

    November 14th, 2006 8:12 pm

    Sweet! I spent way more time on those problems than I should have (about 2 hours puzzling over that third challenge), so it’s nice to have something to show for it. :)

  • Mangoboy

    November 15th, 2006 2:10 pm

    Are the books signed?

  • Kasperle

    November 15th, 2006 3:21 pm

    Congrats to Mangoboy and thanks for the fun challenges :)

  • Izzy

    November 17th, 2006 12:52 pm

    This post breaks your RSS feed.
