Unable to create setuid programs on Core

[janos]

I want to demonstrate the vulnerability of `setuid` programs using the TinyCore Linux live cd. That is, I craft a special program, with special permissions, so that it runs as the owner of the file instead of the executing user. These are my steps:

1. Create a program (see below) with a security hole, compile it in my home system (Ubuntu)

2. Make the program setuid and setup the owner of the file, still in Ubuntu

3. Unpack the Tiny Core live cd, copy the vulnerable program inside and `chroot` into it

The problem is the program does not seem to run as `setuid` neither in the `chroot` environment, nor in the completed remastered image. In Ubuntu it works, but I need it working in Tiny Core. The program does run in Tiny Core, but even though it has `setuid` permissions, it is not running as the owner of the file.

The program source code:

    #include <stdio.h>
    #include <stdlib.h>
   
    int main(int argc, char **argv)
    {
      printf("Current time: ");
      fflush(stdout);
      system("date");
      return 0;
    }

Build it:

    gcc -o prog prog.c

Make it setuid:

    sudo chown 1200.1200 prog
    sudo chmod 4755 prog

Craft a `date` script to demonstrate the vulnerability:

    #!/bin/sh
   
    echo hello > /tmp/test.txt
    ls -l /tmp/test.txt

Make the crafted `date` script executable and expose the vulnerability:

    chmod +x date
    PATH=.:$PATH ./prog

In Ubuntu, as expected this creates `/tmp/test.txt` with owner 1200. But when I `chroot` to the live cd environment, it does not work there, the executable runs but not as the file owner. If I finish the remastering and create the live cd and boot into it, it does not work there either, even though the file has the right owner and group and permission `4755`. What am I missing?

Steps to reproduce:

    sudo mount Core-current.iso /mnt
    mkdir /tmp/extract
    cd /tmp/extract
    zcat /mnt/boot/core.gz | sudo cpio -i -H newc -d

Copy the vulnerable programs to the `chroot` environment with:

    sudo cp -a /path/to/prog /tmp/extract/tmp
    sudo cp /path/to/date /tmp/extract/tmp

`chroot` in there and test the vulnerability:

    sudo chroot /tmp/extract /bin/sh
    su - tc
    cd /tmp
    PATH=.:$PATH ./prog

My end goal of course is to make it work on the live cd itself. It doesn't matter if it doesn't work in `chroot`, it just seems a suitable first test, without having to repack the image and booting into it.

[gerald_clark]

    su - tc
    cd /tmp
    export PATH=.:$PATH
    hash -r
    ./prog

[curaga]

Your app runs as setuid (assuming you have uid 1200 created), but maybe bb ash is the difference here. Effective UID vs real UID - try adding getuid() and geteuid() calls to your app.

[janos]

Thanks curaga...

After further research, I see that `system` calls `/bin/sh -c program`, which in this case points to bb ash, which drops privileges, I guess.

I tried installing bash instead and replace `/bin/sh` with it, but bash also drops privileges when invoked as `/bin/sh`, and in any case it seems Tiny Core won't work properly if I change `/bin/sh`.

Any other ideas I could try to make this work? Or maybe I should just drop the `system(...)` vulnerability demonstration, as it is not so easy to exploit as it used to be anyway...

[tinypoodle]

Not sure if and how relevant that this is for your case, but note that invoking bash as sh is equal to starting it with the

Code: [Select]

--posix command-line option or executing

Code: [Select]

set -o posix while it is running.

[tinypoodle]

In Ubuntu it works, but I need it working in Tiny Core. The program does run in Tiny Core, but even though it has `setuid` permissions, it is not running as the owner of the file.

Or maybe I should just drop the `system(...)` vulnerability demonstration, as it is not so easy to exploit as it used to be anyway...

Or... just drawing conclusion based on your observation, perhaps Core is just less vulnerable than Ubuntu

BTW, last time I checked /bin/sh in Ubuntu was dash, not bash.

[janos]

So my question becomes simply:

Given a program `prog` that was compiled from this source code, how can you set it up in TinyCore in such a way that it is vulnerable, if this is possible?

    #include <stdio.h>
    #include <stdlib.h>
   
    int main(int argc, char **argv)
    {
      printf("Current time: ");
      fflush(stdout);
      system("date");
      return 0;
    }

By vulnerable I mean you can craft a date script and have it executed as the owner of the `prog` and thus gain read/write access to the files of that user.

[janos]

In the end I managed to create a vulnerable program like this:

Code: [Select]

int main(int argc, char **argv)
{
  // circumvent busybox ash dropping privileges
  uid_t uid = geteuid();
  setreuid(uid, uid);

  printf("Current time: ");
  fflush(stdout);
  system("date");
  return 0;
}