Goal
Find the password of /home/rookie/Challenge2/pwdChallenge in the testbed, running as user rookie (see the note below). In order to run the program you need to change the current directory to /home/rookie/Challenge2:
$ cd /home/rookie/Challenge2
$ ./pwdChallenge
Insert password: test
Password should be 15 chars
Error: wrong password!
The password is contained in file pwd.txt, which belongs to a different user and is accessible only by program pwdChallenge (thanks to a setgid permission that we will study in a different class).
NOTE: Since you can run the docker image locally you can become root and read the file. This is NOT considered a valid solution! Your task is to find an attack that leaks the password while running as rookie.
IMPORTANT NOTE: Trying attacks like the one in this challenge on real systems is against the law and you might be prosecuted. Always do experiments with test hosts and users.
White box attack scenario
The source code of the program is available. This is usually referred to as a white box attack scenario: the attacker can review the source code to spot vulnerabilities.
Tasks
The challenge is solvable with a simple Python script, but getting to the right solution is nontrivial. Solve the challenge by working through the individual tasks suggested below.
Task 1: find the bug
Study the source code and try to understand how the program works and which code is wrong. Once you spot the bug, try various inputs and observe the (buggy) output. (Hint: the comments will guide you 😅)
Task 2: understand the bug
In order to understand the consequences of the bug you have two alternatives:

Using gdb (see here how to run gdb in docker). Notice that gdb will run as user rookie and won’t be able to open file pwd.txt. So, to debug the program, you need to make a copy of the executable in a folder where you have write permissions (e.g. /home/rookie/Challenge2copy) and create a pwd.txt file containing a single word of at most 15 chars, without newline. The program will read your password, but the behaviour will be identical to the original program.

Recompiling the program. Since you have the source code, you can recompile the program (even adding some debug printf code!). Even in this case you need to create your own pwd.txt file. You can then both debug (with gdb) and analyze the recompiled executable.
Task 3: exploiting the bug
Once you understand the bug and its consequences you need to find a strategy to exploit it. Try the idea by hand and then use python to run the full attack.
In order to speed up scripting the attack, you can take inspiration from the interacting with programs lab!
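A small Python harness for Tasks 2 and 3, added here as an example and not part of the course material: it writes the test pwd.txt exactly as Task 2 requires (one word, at most 15 chars, no trailing newline) and runs a program from its own directory with one candidate input, classifying the reply. The prompt and error strings come from the transcript above; the echo stub is a constructed stand-in for the real binary so the harness can be tried offline.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

MAX_PWD_LEN = 15  # the program itself says "Password should be 15 chars"

def pwd_is_valid(password):
    """Task 2 rule for the test pwd.txt: one word, at most 15 chars."""
    return 0 < len(password) <= MAX_PWD_LEN and not any(c.isspace() for c in password)

def write_test_pwd(directory, password):
    """Write pwd.txt with no trailing newline (write_bytes adds none); return
    the bytes on disk so you can check exactly what the copied program reads."""
    if not pwd_is_valid(password):
        raise ValueError("pwd.txt must contain a single word of at most 15 chars")
    path = Path(directory) / "pwd.txt"
    path.write_bytes(password.encode())
    return path.read_bytes()

def run_candidate(argv, cwd, candidate, timeout=5):
    """Run the program from cwd (it opens pwd.txt relative to it), send one
    candidate on stdin and return (exit code, stdout+stderr)."""
    proc = subprocess.run(argv, cwd=cwd, input=candidate + "\n",
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr

def accepted(output):
    """The real binary prints this on a wrong guess; anything else is worth a look."""
    return "Error: wrong password!" not in output

def echo_stub():
    """Constructed stand-in for ./pwdChallenge so the harness runs offline;
    like the real program on a wrong guess, it always rejects."""
    return [sys.executable, "-c",
            "import sys; sys.stdin.readline(); print('Insert password: ');"
            " print('Error: wrong password!')"]

def self_check():
    """Exercise the helpers end to end in a scratch directory."""
    work = Path(tempfile.mkdtemp())
    data = write_test_pwd(work, "abcdefghijklmno")          # 15 chars, no newline
    code, out = run_candidate(echo_stub(), work, "test")
    return data, code, out

if __name__ == "__main__":
    print(self_check())
```

Against the real program, point `run_candidate` at `["./pwdChallenge"]` with `cwd` set to the directory holding the copied binary and your pwd.txt.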
Good luck! 😁
Bonus
Send me and @Alvise Favero on Slack the script used for the attack, with an accurate description of how you solved the challenge, by 5 November 2024 to get a 0.5 bonus on the final grade! The report should illustrate the steps you followed to solve the challenge: once you have a solution, repeat the steps and document them, including screenshots, pieces of code, … Make your reports “beautiful to read”! 😁