Yesterday I got an unexpected PM from one of the users, g00bER.
It consisted of only a single line with a kind note:
Quote from g00bER
You might want to check /root/g00ber_was_here_too on warchall.net ;-)
Of course I did a cat /root/g00ber_was_here_too ... and here are the contents:
This is another root... g00r00t, originally known as g00bER! :-)
Getting the root-level access in a wargame is a nice cherry on the top of the cake and the most rewarding one... and it wasn't any different in this case.
Now, how did I do that? The magic trick was a race condition on the level5 daemon (probably applicable to level6 too; didn't really try):
- It creates a file in the user's home directory and then changes the ownership and permissions of that file to the user.
- Ding, that smells like a race condition -- you can replace the file with a (hard)link to some sensitive file between its creation and the permissions/ownership modification.
- A suitable file could be /etc/passwd -- owning that one sounds like owning the machine; which is what I did, adding a new root-equivalent account.
A crude "proof of concept" code can be found in /home/user/g00ber/level/5; it's not perfect since it doesn't wait for the access rights to be set (to the weird value) before trying the race -- this widens the window, but has the adverse effect of putting weird permissions on /etc/passwd.
How to prevent it from happening in the future?
- It might be better to use fchmod/fchown (you know which file you're modifying at that time; since it's the same one you've been writing to) rather than chmod/chown. Of course, the file creation should be done in O_EXCL | O_CREAT mode.
- Also, having the user-writable files on one partition and the "important stuff" on another one helps with preventing hardlink-based attacks quite well.
- Probably the safest option is to create the "solution" files in a different place -- one that the user doesn't have write access to.
All the modifications should be back to their original state (i.e. ownership of /etc/passwd restored, g00r00t account removed); I'm sorry if I forgot something.
Also, there are a few ways of circumventing the sudosh thingy:
Okay, enough babbling for now -- if you want to discuss this hack or anything else, feel free to PM me.
g00bER, 2012-05-08, 01:30 GMT
This file nicely explains how he did it.
Many thanks from my side for playing nice and fair, and showing me my noobish mistakes on the challenge cronjobs.
Very well done!
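To make the race and the fchown/fchmod fix from g00bER's write-up concrete, here is an added C simulation. It is not g00bER's proof of concept (that lives in /home/user/g00ber/level/5 on the box) and not the level5 daemon's real code; the solution filename, the 0640 target mode, the flag text and the "passwd" stand-in file are all constructed in a temp directory, and instead of actually racing, the attacker's swap is called deterministically between the daemon's two steps so the effect is reproducible.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SOLUTION_MODE 0640  /* assumed: the mode the daemon wants on the solution file */

/* --- vulnerable daemon, as described: create by path, later chown/chmod by path --- */
static int vuln_create(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

static int vuln_fixup(const char *path, uid_t uid, gid_t gid)
{
    /* Whatever `path` names NOW gets the new owner and mode. */
    if (chown(path, uid, gid) < 0) return -1;
    return chmod(path, SOLUTION_MODE);
}

/* --- hardened daemon: O_EXCL|O_NOFOLLOW on create, fchown/fchmod on the open fd --- */
static int safe_create(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) { close(fd); return -1; }
    return fd;  /* caller keeps the descriptor; the name is never trusted again */
}

static int safe_fixup(int fd, const char *path, uid_t uid, gid_t gid)
{
    struct stat fs, ls;
    /* These act on the inode we wrote, regardless of what `path` names now. */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, SOLUTION_MODE) < 0) return -1;
    /* Extra check: if the name no longer refers to our inode, someone raced us. */
    if (fstat(fd, &fs) < 0 || lstat(path, &ls) < 0) return -1;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) return -1;
    return 0;
}

/* --- attacker: inside the window, swap the name for a hard link to a sensitive file --- */
static int attacker_swap(const char *path, const char *sensitive)
{
    if (unlink(path) < 0) return -1;
    return link(sensitive, path);
}

/* Runs one full scenario in a fresh temp dir. The "passwd" file is a constructed
 * stand-in for /etc/passwd, set to mode 0600. Returns that file's mode bits
 * afterwards (-1 on setup error) and stores step 2's return code in *fixup_rc. */
static int simulate(int hardened, int *fixup_rc)
{
    char dir[] = "/tmp/raceXXXXXX", path[64], sensitive[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/solution", dir);
    snprintf(sensitive, sizeof sensitive, "%s/passwd", dir);

    const char *entry = "root:x:0:0:root:/root:/bin/sh\n";  /* constructed content */
    int sfd = open(sensitive, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (sfd < 0) return -1;
    if (write(sfd, entry, strlen(entry)) != (ssize_t)strlen(entry)) { close(sfd); return -1; }
    close(sfd);
    chmod(sensitive, 0600);  /* override umask so the "before" state is known */

    int rc = -1, fd = -1;
    if (hardened) fd = safe_create(path, "flag{constructed}\n");
    else rc = vuln_create(path, "flag{constructed}\n");
    attacker_swap(path, sensitive);  /* the race window, won deterministically here */
    if (hardened) { rc = safe_fixup(fd, path, getuid(), getgid()); close(fd); }
    else rc = vuln_fixup(path, getuid(), getgid());
    if (fixup_rc) *fixup_rc = rc;

    struct stat st;
    int mode = stat(sensitive, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
    unlink(path); unlink(sensitive); rmdir(dir);
    return mode;
}

int demo_sensitive_mode(int hardened) { return simulate(hardened, NULL); }
int demo_fixup_rc(int hardened) { int rc = -2; simulate(hardened, &rc); return rc; }

int main(void)
{
    printf("vulnerable: stand-in passwd mode after the race = %04o\n", demo_sensitive_mode(0));
    printf("hardened:   stand-in passwd mode after the race = %04o, fixup rc = %d\n",
           demo_sensitive_mode(1), demo_fixup_rc(1));
    return 0;
}
```

In the vulnerable run the chmod lands on the stand-in "passwd" (it becomes 0640, exactly the "weird permissions on /etc/passwd" side effect mentioned above); in the hardened run fchown/fchmod hit the inode the daemon actually wrote, and the fstat/lstat comparison reports the swap so the daemon can refuse to hand the file over. The other two mitigations from the list, keeping user-writable directories on a separate filesystem (link() fails across filesystems) and creating the file somewhere the user cannot write at all, are not shown here but remove the window entirely rather than detecting it.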