Level11 is once more a good challenge for understanding the importance of carefully designing SUID programs and of sanitizing all input, whether it comes from a user or from some other source.
What you’ll need to know…
- C
- Level 7 (So you can create your own SUID program)
Level11
Before we go through this challenge, let me make an aside note. After running into some problems, I decided to google this challenge, and I found out that it has some issues. I read on various websites that the code presented on the official webpage is not the one that produced the program present in /home/flag11. Therefore, I decided to upload the original code to /home/flag11 and compile it, using the nebula account for this task.
Having said that, let’s move on.
Level11 has, once more, a SUID program, flag11. It also contains a system() call with unsanitized arguments. Two nice ingredients to cook something…
So, you run the flag11 program and it waits for input starting with “Content-Length: “, which is checked by the first two if clauses. After this, the program can follow one of two paths. The first is the case where the number provided is between 1 and 1023. If you provide 1024 or a larger number, it falls into the second clause. Negative numbers won’t be accepted because of the while statement (and also because of mmap).
The easiest way to reach the system() call and exploit the program is to pass 1 as the length and then, as input, pass a random letter (except a, A, z and Z) or a digit. If you go through the process function, you’ll notice that your character ends up being XORed with the length, 1. I’ll go with the letter “l”.
Now, when you execute the program, you’ll see an “m” pop up. Within a few tries, you’ll notice that the letter “m” appears on its own.
I’ll use the old trick from challenge 7 and create my own SUID program. Can you see where I’m going?
So, after the letter “l” is encrypted, the process function tries to call the system function to execute “m” (“l” XORed with 1). The “m” command does not exist, so I’ll create a symbolic link to my script, which will compile my SUID program.
We also need to add the /tmp folder to the PATH environment variable (export PATH=/tmp/:$PATH).
After a few attempts, I get the “m” on its own, and when I check the /home/flag11 directory I get the result shown in the following image.
Then it’s just a matter of running the program and getting the flag.
Solved. 8 more to go!
Challenges completed: 12/20
Mitigation
The same advice given for level09, level07 and level00 applies.
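As an added example (written for this post; it is neither the level11 source nor the solution script described above), here is what the hardened side of that system() call could look like in C. The command name is checked against a fixed allow-list of absolute paths, the child gives up the SUID identity before exec, and execve is called directly with a fixed environment, so the invoking user's PATH and a bare name like “m” never reach a shell. The decode_byte helper only mirrors the XOR-with-length behaviour the post describes; the allow-list entries and the SAFE_ENV contents are assumptions.

```c
/* Added example, not the Nebula level11 program: a SUID-safe way to run an
 * external command. Allow-list and environment below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The post describes each input byte being XORed with the Content-Length.
 * With a length of 1, 'l' (0x6c) becomes 'm' (0x6d). */
unsigned char decode_byte(unsigned char c, unsigned char length)
{
    return c ^ length;
}

/* Allow-list of absolute command paths (constructed for this example).
 * A SUID program should never take the command name from its input. */
static const char *const ALLOWED_COMMANDS[] = {
    "/bin/true",
    "/usr/bin/id",
};

/* Returns 1 if cmd is exactly one of the allowed absolute paths, else 0.
 * A bare name such as "m" is rejected: it would be resolved through the
 * caller-controlled PATH, which is exactly the level11 problem. */
int is_allowed_command(const char *cmd)
{
    size_t n = sizeof ALLOWED_COMMANDS / sizeof ALLOWED_COMMANDS[0];
    if (cmd == NULL || cmd[0] != '/')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(cmd, ALLOWED_COMMANDS[i]) == 0)
            return 1;
    return 0;
}

/* Fixed environment handed to the child: PATH and every other variable
 * from the invoking user are dropped (assumed safe value). */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    NULL,
};

/* Run an allowed command without a shell and without elevated privileges.
 * Returns the child's exit status, or -1 if refused or on error. */
int run_allowed_command(const char *cmd)
{
    if (!is_allowed_command(cmd))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop the SUID identity: effective ids become the real ids. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        char *const argv[] = { (char *)cmd, NULL };
        execve(cmd, argv, SAFE_ENV); /* no PATH search, no shell parsing */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the post's 'l' with Content-Length 1 decodes to "m". */
    char decoded[2] = { (char)decode_byte('l', 1), '\0' };
    printf("decoded command \"%s\" allowed? %d\n", decoded, is_allowed_command(decoded));
    printf("run \"%s\" -> %d (refused)\n", decoded, run_allowed_command(decoded));
    printf("run /bin/true -> exit status %d\n", run_allowed_command("/bin/true"));
    return 0;
}
```

The point of the allow-list plus execve is that the question of “what does PATH contain” and “what is in /tmp” stops mattering: the program never asks the shell to find a command, and even if the exec'd binary misbehaves it runs as the real user, not as the flag11 owner.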