title: privilege-separation
date: 2016-01-12 14:40:04
categories:
tags:
- Exercise1
In order to gain deeper understanding of the internal architecture of the Touchstone web server,
let’s use gdb to debug the banksv service.First, launch the server:
$ ./touchstone- now use gdb to attach to the banksv service:
ps -a
PID TTY TIME CMD
5583 pts/0 00:00:00 touchstone
5584 pts/0 00:00:00 filesv
5585 pts/0 00:00:00 banksv
5586 pts/0 00:00:00 httpd
5771 pts/1 00:00:00 ps
gdb -q
attach 5585
b Handle_post
Breakpoint 1 at 0x80d0a2f:file handle.c,line 74
set follow-fork-mode child
c
Breakpoint 1,handle_post(uri=0xbfeac5a8 "/",fd=6)
at handle.c :74
74 char *info="HTTP/1.1 200ok
";
n
75 Body_t *b=getBody(&num);
n
77 char *name=b[0]->value;
n
78 char *pwd=b[1]->value;
n
80 char *type=b[num-1]->value;
p name
$1=0x8f894f0 "abc"
p pwd
$2=0x8f896f8 "123"
n
82 init_db();
s
init_db() at ./sql_lite3/sqlhelper.c :32
32 if(open_db()==syccess){
-
Exercise2
Finally, you will write some code. Extend the current sqlite3 user table, to add more information.
For instance, you can add time and IP address to the user table, so that when one user has logged
in, the web page can display the last login time, the current login address, etc.. You may
want to read some sqlite3 documentations. -
Firstly, we pass the value of client_addr to httpd process though by executing
write( disp_fds[1], inet_ntoa(client_addr), 50 ).
And in httpd process, as a hub, we receive this value.
Then we send this value to filesv and banksv processes respectively according to pipefd descriptor.
So that, we can process this address to the browser. -
Why we don't send it to filesv and banksv directly ?
It is just a pity that the server has shut down these descriptors before new client coming... -
Secondly, we should add additional fields for the user table.
One is the ip_addr, the other is last_time(which can record the last login time). -
Before modifying user table, we should drop it because some datas has existed in the user table.
In order to get and update the last login time and last ip address, two functions need to be implemented.- As follows :
void getLastState( const char * u_name, const char * u_passwd, char * last_ip_addr, char * last_time ){ if(open_db()==SUCCESS){ char sql[1024]; sprintf(sql, "SELECT ip_addr, time from user WHERE name = '%s' AND passwd= '%s' ", u_name, u_passwd); int row,column; char **result; char *errorMsg; if( sqlite3_get_table(db, sql, &result, &row, &column, &errorMsg)==SQLITE_OK ){ strcpy( last_ip_addr, result[2] ); strcpy( last_time, result[3] ); } else printf("getLastState error! "); sqlite3_close(db); } else{ if(DEBUG) printf("open failed![%s] ",sqlite3_errmsg(db)); } } void updateLoginState( const char * u_name, const char * u_passwd, const char * ip_addr, const char * datetime ){ if(open_db()==SUCCESS){ char sql[1024]; sprintf(sql, "UPDATE user SET ip_addr = '%s', time = '%s' WHERE name = '%s' AND passwd = '%s' ", ip_addr,datetime,u_name,u_passwd ); handle_db(db,sql); sqlite3_close(db); } else{ if(DEBUG) printf("open failed![%s] ",sqlite3_errmsg(db)); } }
- Exercise3
- Modify the code snippet in the browser.c to send a constructed HTTP request
to the web server to visit /etc/passwd file.
That is, you can read that file remotely.
修改browser.c文件中的char *req 构造请求字符串 访问/etc/shadow文件char *req="GET ../../etc/shadow HTTP/1.1 ";
- Exercise4
- Add some code to the server.c to add chroot support.
Change root directory from / to /jail .
After this, you can compile and run the new web server: - jails
chroot("/jail")
再次访问访问/etc/shadow文件
发现文件不存在
- Exercise5
- Modify your browser code to inject some shell code the server.
Your shell code attack the httpd daemon and unlink the file /db/users.db.
Using ret-to-libc attack can make this a little simpler.ebp+4 system地址 ebp+8 exit地址 ebp+12 rm db/users.db地址
- Exercise6
- Modify the function in the file server.c , to set up the user and group IDs properly
when services are launched. Think carefully about how your code can set the user and group IDs by
setresuid()、setgroups()、setresgid(). - Set file and directory permissions to ensure that the static service
cannot read the database files from the dynamic service, and vice versa.
Try to modify the chroot-setup.sh to set the permission for different files.