Scribd
Upload
44 views21 pages

S02 SetUIDEnviromentvariables

The document discusses the challenges of allowing normal users to change their passwords in Linux due to the permissions of the /etc/shadow file, which is writable only by root. It explains the Set-UID concept, which allows users to run programs with elevated privileges, and highlights the security risks associated with environment variables and the dynamic linker, particularly how they can be exploited through LD_PRELOAD. The document emphasizes the importance of securing these mechanisms to prevent unauthorized access and code injection.

Uploaded by

Nayla Greige
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
44 views21 pages

S02 SetUIDEnviromentvariables

The document discusses the challenges of allowing normal users to change their passwords in Linux due to the permissions of the /etc/shadow file, which is writable only by root. It explains the Set-UID concept, which allows users to run programs with elevated privileges, and highlights the security risks associated with environment variables and the dynamic linker, particularly how they can be exploited through LD_PRELOAD. The document emphasizes the importance of securing these mechanisms to prevent unauthorized access and code injection.

Uploaded by

Nayla Greige
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 21

Set-UID Privileged

Programs
• The Password Dilemma
In Linux, users' passwords are stored in /etc/shadow (the shadow file).
If a user changes his or her password, the shadow file will be modified
to store the new passwords. A closer look at the shadow file shows that
the file is only writable to root, not to normal users. See the following:

The question is how to allow normal users to change their passwords. We


have a dilemma: changing passwords requires changing the shadow file, but
the file is not modifiable by normal users.
Need for Privileged Programs
• Password Dilemma
• Permissions of /etc/shadow File:

• How would normal users change their password?


Set-UID Concept
• Allow user to run a program with the program owner’s privilege.
• Allow users to run programs with temporary elevated privileges
• Example: the passwd program
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
When a file has the Set-UID bit set, any user who runs the file will temporarily gain the file
owner’s permissions. For example, if a program owned by the root user has the Set-UID bit set,
any user running that program will execute it with root privilege
Set-UID Concept
• Every process has two User IDs.
• Real UID (RUID): Identifies real owner of process
• Effective UID (EUID): Identifies privilege of a process
• Access control is based on EUID
• When a normal program is executed, RUID = EUID, they both equal
to the ID of the user who runs the program
• When a Set-UID is executed, RUID ≠ EUID. RUID still equal to the
user’s ID, but EUID equals to the program owner’s ID.
• If the program is owned by root, the program runs with the root privilege.
Turn a Program into Set-UID
• Change the owner
of a file to root :

• Before Enabling Set-


UID bit:

• After Enabling the


Set-UID bit :
How it Works
A Set-UID program is just like any other program, except that it has a
special marking, which a single bit called Set-UID bit
Example of Set UID

Not a privileged program

Become a privileged program

It is still a privileged
program, but not the root
privilege
Environment Variables
&
Attacks
Environment variables
Environment variables are like settings for your computer programs. They
are pairs of names and values used to configure how programs run. For
example, an environment variable might tell a program where to find files
or what settings to use.
Name and Value: Each variable has a name (like `PATH`) and a value (like `/usr/bin:/bin`).

Configuration: They help programs know where to find things or how to behave.

Security: They are often used to store sensitive info like passwords safely.

Setting and Accessing: You can set them in your system settings or scripts, and programs can read them to adjust

their behavior.
In short, they help programs run correctly by giving them important
information from outside their code.
Environment Variables
• A set of dynamic name-value pairs stored inside a process;
• Affect the way that a running process will behave
• Introduced in Unix and also adopted by Microsoft Windows
• Example: PATH environment variable provides a list of directories
where executable programs are stored.
• When a shell process executes a program, it uses this environment variable to find
where the program is, if the full path of the program is not provided.
How to Access Environment
Variables

From the main function

More reliable way:


Using the global variable
How Does a process get Environment
Variables?
• Process can get environment variables one of two ways:
• If a new process is created using fork() system call, the child process will
inherits its parent process’s environment variables.
• If a process runs a new program in itself, it typically uses execve() system call.
In this scenario, the memory space is overwritten and all old environment
variables are lost. execve() can be invoked in a special manner to pass
environment variables from one process to another.

• Passing environment variables when invoking execve() :


What is Dynamic Linker
• The dynamic linker is responsible for loading shared libraries needed by a
program at runtime, and if not properly secured. This process happens at
runtime, meaning while the program is running.
• LD_PRELOAD contains a list of shared libraries which will be searched first
by the linker
• LD_LIBRARY_PATH tells the system where to look for shared libraries
• If not all functions are found, the linker will search among several lists of
folder including the one specified by LD_LIBRARY_PATH
• Both variables can be set by users, so it gives them an opportunity to
control the outcome of the linking process
Attacks via Dynamic Linker: Case
Study 1
• If a program is a privileged Set-UID program, the use of these environment
variables by the dynamic linker may lead to security breaches. We use an
example to demonstrate the potential problem.
• LD_PRELOAD Exploits
What It Is:
• LD_PRELOAD lets you load a specific library before others. This can be used to
insert custom or malicious code.
How It’s Exploited:
• An attacker creates a malicious library.
• They set LD_PRELOAD to point to their library.
• When a program runs, it uses the attacker’s library instead of the intended
one.
Attacks via Dynamic Linker: Case
Study 1
Example 1 – Normal Programs:
• The following program simply calls the sleep () function, which is present in libc .
so, the standard libc shared library. Program calls sleep function which is
dynamically linked:

• Now we implement our own sleep() function:


Attacks via Dynamic Linker: Case
Study 1
Example 1 – Normal Programs ( continued ):
• We need to compile the above code, create a shared library and add the shared
library to the LD_PRELOAD environment variable
Attacks via Dynamic Linker
Let’s verify the countermeasure
• Make a copy of the env program and make it a Set-UID program :

• Export LD_LIBRARY_PATH and LD_PRELOAD and run both the programs:

Run the original


env program

Run our env


program
Attacks via Environment Variables
• Behavior can be influenced by inputs that are not visible inside a
program.
• Environment Variables : These can be set by a user before running a
program.
• Dynamic Linker: Loads shared libraries for programs.
• Attacks: Include using LD_PRELOAD to inject malicious code, hijacking
functions, and exploiting library paths.
• Protection: Avoid using insecure paths, keep your system updated,
and use sudo properly.

You might also like