Can I write to a read only file ?
0 likes315 views
The document discusses the security issue of writing to a read-only file due to a forgotten closure of the file descriptor by the parent process. It highlights a demonstration using a vulnerable SUID binary, 'cap_leak', which allows an unauthorized child process to write to the read-only file '/etc/zzz'. The conclusion emphasizes the importance of closing all opened files to prevent unauthorized access and manipulation.
![void main() {
int fd;
char *v[2];
/* Assume that /etc/zzz is an important system file,
* and it is owned by root with permission 0644… */
fd = open("/etc/zzz", O_RDWR | O_APPEND);
/* Error handling code is removed to save space on the slide */
// Print out the file descriptor value
printf("fd is %dn", fd);
// Permanently disable the privilege by making the effective uid the same as the real uid
setuid(getuid());
// Execute /bin/sh
v[0] = "/bin/sh"; v[1] = 0;
execve(v[0], v, 0);
}
The file is not closed before
spawning a less privileged
child process](https://image.slidesharecdn.com/caniwritetoareadonlyfile-190502165600/85/Can-I-write-to-a-read-only-file-6-320.jpg)
Can I write to a read only file ?
- 1. Can I write to a read only file? - Oops the file was not closed Dr. Dharma Ganesan
- 2. Background and Problem ● A file is owned by the root (admin) ● Other users can read its content but cannot write to it ● An SUID Linux binary can write to that file ● The SUID binary drops the privilege before spawning a new process ○ The new process is not owned by the root ● Problem: The parent process forgot to close the file ● Can the less privileged child process write to the read only file?
- 3. /etc/zzz is owned by the root ~$ ls -al /etc/zzz -rw-r--r-- 1 root root 29 May 2 07:48 /etc/zzz Other users can read (r) it but only the root can write (w) to it.
- 4. Let’s try to write to the read only file ~$ echo "Writing to a read only file" > /etc/zzz bash: /etc/zzz: Permission denied ● Let’s find an SUID Linux binary that may have some vulnerability ● Cap_Leak is a demo example (on the next slide) ● Cap_Leak has a vulnerability we will exploit! ○ Cap_Leak will leak the file descriptor
- 5. Cap_leak can write to the /etc/zzz file ~$ ls -al cap_leak -rwsr-xr-x 1 root seed 7386 Apr 29 18:45 cap_leak ● Note: cap_leak is an SUID binary (s) ● However, other users are allowed to execute it “as a root” temporarily ● The source code of cap_leak.c is on the next slide ○ Header files are not included to save space
- 6. void main() { int fd; char *v[2]; /* Assume that /etc/zzz is an important system file, * and it is owned by root with permission 0644… */ fd = open("/etc/zzz", O_RDWR | O_APPEND); /* Error handling code is removed to save space on the slide */ // Print out the file descriptor value printf("fd is %dn", fd); // Permanently disable the privilege by making the effective uid the same as the real uid setuid(getuid()); // Execute /bin/sh v[0] = "/bin/sh"; v[1] = 0; execve(v[0], v, 0); } The file is not closed before spawning a less privileged child process
- 7. ~$ cat /etc/zzz bbbbbbbbbbbbbbbbbbbbbbbbbbbb Content of the read only file (before the attack)
- 8. Content of the read only file (after the attack) ~$ ./cap_leak fd is 3 $ echo "If we fail to close the files, someone can write to them!" >& 3 $ $ exit ~$ cat /etc/zzz bbbbbbbbbbbbbbbbbbbbbbbbbbbb If we fail to close the files, someone can write to them!
- 9. Conclusion ● This demo shows that we need to close all opened files ● Otherwise, evil processes can write to read only files ● Dropping the privilege is not enough ● Don’t assume that the child process need the file descriptor to exploit ○ File descriptors are small numbers that are easy to guess
- 10. Reference Wenliang Du. “Computer Security, A Hands-on Approach,” CreateSpace Independent Publishing Platform; 1 edition (October 12, 2017)