
I use Linux and C.

First, I soft-link bin/zsh to sh.

Second, I log in as root and run the following program.

```c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* for execve */

int main(int argc, char *argv[])
{
 char *v[3];
 if(argc < 2) {
  printf("Please type a file name.\n");
  return 1;
 }
 v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = 0;
 /* Set q = 0 for system(), and q = 1 for execve */
 int q = 0;
 if (q == 0){
   char *command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
   sprintf(command, "%s %s", v[0], v[1]);
   system(command);
 }
 else execve(v[0], v, 0);
 return 0;
}
```

Third, I log in as a normal user (not root). Now I can remove or rewrite a file for which I don't have write privilege by using the executable of this program.

Like this:

```sh
./a.out text;`echo \"Not right\">text`"
```

Now I can write "Not right" into the file "text". I only have read privilege on this file.


The read and write privileges of these files (screenshot of `ls -l`).

Fourth, I change q to 1. That means this time I use execve instead.

And I do the same thing as above, but this time I cannot change the content of the file.

Why? I googled on the internet, but I cannot find the difference between system and execve.

littletiger

  • Do you mean what is the difference *besides* the fact [`system`](http://linux.die.net/man/3/system) runs a command *and then* returns to the caller, while [`execve`](http://linux.die.net/man/2/execve) replaces the caller's process data with the called process, thereby having no "return" state to the caller (because there is no caller anymore)? – WhozCraig Oct 19 '14 at 08:46
  • Do you mean execve is using the normal user privilege but system is using root privilege? – littletiger Oct 19 '14 at 08:55
  • The command you say allows you to overwrite a file without the required permission has unbalanced (and weird) quotes. It won't do what you mean as is (the `echo` part won't be run by your program as it is). There's something wrong with your tests, execve or system doesn't change anything wrt privs. (Add a `printf` right before `return` in main to see a difference between system and execve.) – Mat Oct 19 '14 at 08:56
  • I'm doing a lab test using system() and execve() to see if the system can be attacked. The echo part did change the file which a normal user does not have write privs on. But I can't figure out why. – littletiger Oct 19 '14 at 09:01
  • @littletiger Can you edit to fix the exact command-line. Should the quotes be mismatched like that? – luser droog Oct 19 '14 at 09:08
  • @luserdroog Can you see the command-line? I put a screenshot. – littletiger Oct 19 '14 at 09:14
  • Yes. Thanks for fixing that. Are you sure about the permissions? What's the output of `ls -l text` before and after the change? – luser droog Oct 19 '14 at 09:14
  • I put a screenshot of ls -l. I forgot to say that I set "chmod 4755 to a.out". – littletiger Oct 19 '14 at 09:21
  • As a note, permissions are about the actual files, not the link. To unlink a file, it's irrelevant if you have write permission for it, you must have write permission for the containing folder. – mafso Oct 19 '14 at 12:06

2 Answers


system invokes a shell to parse the string and handle quoting and variable interpolations and stuff. execve does none of this. It replaces the program with the called program and passes the argument strings exactly as specified; i.e. it will not interpret quotes.

luser droog


You said you did chmod 4755 a.out. That means you're setting the setuid bit and the program will then always run with root privileges, and has write access to text. The string with backquote is passed to the shell which interprets it as a command to write to text.

The reason execve doesn't write to text is that it doesn't interpret its arguments as a shell command and ` doesn't have any special meaning.

Per Johansson