
I am referring to the following article while learning about symbolic link attacks:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>

    int main (int argc, char *argv[])
    {
        struct stat st;
        FILE *fp;

        if (argc != 3) {
            fprintf (stderr, "usage : %s file message\n", argv[0]);
            exit (EXIT_FAILURE);
        }

        /* check: the path must exist (stat follows symbolic links) */
        if (stat (argv[1], &st) < 0) {
            fprintf (stderr, "can't find %s\n", argv[1]);
            exit (EXIT_FAILURE);
        }

        /* check: the caller (real uid) must own it */
        if (st.st_uid != getuid ()) {
            fprintf (stderr, "not the owner of %s \n", argv[1]);
            exit (EXIT_FAILURE);
        }

        /* check: it must be a regular file */
        if (!S_ISREG (st.st_mode)) {
            fprintf (stderr, "%s is not a normal file\n", argv[1]);
            exit (EXIT_FAILURE);
        }

        /* window between check and use: the name can be replaced meanwhile */
        sleep (25);

        /* use: fopen resolves argv[1] again and follows any symlink now there */
        if ((fp = fopen (argv[1], "w")) == NULL) {
            fprintf (stderr, "Can't open\n");
            exit (EXIT_FAILURE);
        }

        fprintf (fp, "%s\n", argv[2]);
        fclose (fp);
        fprintf (stderr, "Write Ok\n");
        exit (EXIT_SUCCESS);
    }

Now, while the program sleeps, I rm argv[1] (using another terminal), which is the file name, and then create a symbolic link with the same name. When I executed it as the article says, I am writing to the file the link points to.

Then I used strace, passed the same arguments, and it's giving me "can't open", which means that I don't have access to the file passed as argv[1]. But this is not the case when I execute it normally. How is strace detecting this? Any help is very valuable.

I am writing my own application using ptrace to detect such attacks. I tried using inode numbers to detect this, but my application is still referring to the inode number of the file which I am passing.

kidd0
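For comparison, here is the same program with its checks moved onto the file descriptor that is actually written, so the window between `stat` and `fopen` that the question exploits no longer exists. This is an added example, not code from the question or from the article it cites; the function names `write_owned_file` and `self_check`, the result codes, and the `/tmp` scenario built by `self_check` are my own assumptions.

```c
/* Hardened variant of the program in the question (added example).
 * The owner and file-type checks run on the opened descriptor (fstat),
 * not on the path (stat), and the final path component is opened with
 * O_NOFOLLOW, so a symlink swapped in after the check is refused. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes of write_owned_file() (names are this example's own). */
enum { WR_OK = 0, WR_OPEN_FAILED = 1, WR_NOT_OWNER = 2, WR_NOT_REGULAR = 3, WR_IO_ERROR = 4 };

/* Replace the contents of `path` with `message`, but only if the object
 * we actually opened is a regular file owned by the real uid. */
int write_owned_file(const char *path, const char *message)
{
    struct stat st;
    /* No O_CREAT and no O_TRUNC: nothing is created or emptied before the checks pass. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return WR_OPEN_FAILED;       /* ELOOP here means the last component was a symlink */
    if (fstat(fd, &st) < 0) {        /* check the descriptor, not the name */
        close(fd);
        return WR_OPEN_FAILED;
    }
    if (st.st_uid != getuid()) {     /* real uid, as in the original program */
        close(fd);
        return WR_NOT_OWNER;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return WR_NOT_REGULAR;
    }
    /* Only now is the file emptied and rewritten, through the descriptor we checked. */
    if (ftruncate(fd, 0) < 0) {
        close(fd);
        return WR_IO_ERROR;
    }
    size_t len = strlen(message);
    int rc = (write(fd, message, len) == (ssize_t)len && write(fd, "\n", 1) == 1)
                 ? WR_OK : WR_IO_ERROR;
    close(fd);
    return rc;
}

/* Constructed self-check: a temporary regular file and a symlink pointing
 * at it, both under /tmp. Returns WR_OK only if the direct write succeeds
 * with the expected contents and the write through the symlink is refused. */
int self_check(void)
{
    char target[] = "/tmp/owned_XXXXXX";
    char linkpath[] = "/tmp/link_XXXXXX";
    int fd = mkstemp(target);
    if (fd < 0) return -1;
    close(fd);
    int lfd = mkstemp(linkpath);     /* reserve a unique name, then turn it into a symlink */
    if (lfd < 0) { unlink(target); return -1; }
    close(lfd);
    unlink(linkpath);
    if (symlink(target, linkpath) < 0) { unlink(target); return -1; }

    int direct = write_owned_file(target, "hello");
    int via_link = write_owned_file(linkpath, "hello");

    char buf[16] = {0};
    int rfd = open(target, O_RDONLY);
    ssize_t got = rfd < 0 ? -1 : read(rfd, buf, sizeof buf - 1);
    if (rfd >= 0) close(rfd);

    unlink(linkpath);
    unlink(target);
    if (direct != WR_OK) return direct;
    if (got != 6 || strcmp(buf, "hello\n") != 0) return WR_IO_ERROR;
    if (via_link != WR_OPEN_FAILED) return 100 + via_link;   /* symlink must be refused */
    return WR_OK;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage : %s file message\n", argv[0]);
        return EXIT_FAILURE;
    }
    int rc = write_owned_file(argv[1], argv[2]);
    if (rc != WR_OK) {
        fprintf(stderr, "refused %s (code %d)\n", argv[1], rc);
        return EXIT_FAILURE;
    }
    fprintf(stderr, "Write Ok\n");
    return EXIT_SUCCESS;
}
```

The point of the change is that the name is resolved exactly once, by `open`, and every decision afterwards is made on the resulting descriptor; replacing the name during a sleep therefore changes nothing. For a monitor of the kind the question describes, note that `stat` follows symbolic links and reports the target's inode, which is why comparing inode numbers taken with `stat` cannot see the swap; `lstat` on the path (or `fstat` on the descriptor the traced program actually writes) is what reveals it.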
  • Are you doing some kind of suid/sgid bits on the executable? – Christopher Creutzig May 11 '12 at 06:56
  • @ChristopherCreutzig: the program uses `stat (filename)` to get the permissions. But inside the executable I ain't tampering. – kidd0 May 11 '12 at 06:59
  • I meant: Is the program, after compilation, running as a suid binary? IIRC, strace would ignore that. – Christopher Creutzig May 11 '12 at 07:00
  • After a bit of Googling I got that `chmod +s a.out` means running as a suid binary. Yeah, I am doing that. So does that mean strace works as if I didn't execute that command? – kidd0 May 11 '12 at 07:05
  • I believe so, yes. Just use a shell as the user it would run as and start it there, under strace. (I'll put that in an answer below, just to let everyone see the question has been answered in the overview list.) – Christopher Creutzig May 11 '12 at 07:08
  • Yeah, also realized that the `strace -u username` option in the man page says something about the same. Referred to it. – kidd0 May 11 '12 at 07:09

1 Answer

As discussed above, the binary was started with a suid flag (`chmod u+s a.out`). Since strace needs to watch the process, and can't do that if it's running as some other user, it will silently ignore s-bits.

Solution: In the shell window where the program is run, use the login/user-id that would be used without strace – given that you just did `chmod u+s a.out` as that user, it should be a safe assumption that you can log in under that account.

For completeness: To change your user id for a single shell window, just use `su - otherlogin`, replacing otherlogin with the login name. (su = “switch user”)

Christopher Creutzig
  • @Christopher Creutzig: Thanks a lot for such a fast reply. I didn't completely read the man page of strace. Sorry :) – kidd0 May 11 '12 at 07:13