10 Replies - 858 Views - Last Post: 15 May 2012 - 04:12 AM

#1 LivingNightmare

C Program Segfaults

Posted 14 May 2012 - 09:46 AM

Hi Everyone,

I wasn't sure if I should post this or not, since I know that DIC doesn't like 'security-based' questions, but I figured I would try my luck anyway, as I am completely stuck. For my security assignment, we were given a program with some flaws in it, and we are required to find 3 flaws that we can exploit to obtain root access to the system. I have managed to find two: a format string vulnerability and a buffer overflow. For the third one, I believe that I may have found something since the program crashes (when it shouldn't), but I am not incredibly familiar with some of the linux functions in this code snippet, so I wanted some help. The function where the segmentation fault happens is:

/* Update the current user's entry in /etc/shadow, swapping in the new
 * password hash `crypt`. Runs with the privileges of the setuid-root binary. */
static void update_spent(char *crypt) {
	FILE *old, *new;
	struct spwd *spw, spw_copy;
	char *username;

	/* Keep the existing file reachable under the name /etc/shadow~, then
	 * drop the name /etc/shadow so a fresh file can be created below. */
	link("/etc/shadow", "/etc/shadow~");
	unlink("/etc/shadow");
	lckpwdf();                          /* take the shadow-file lock */
	old = fopen("/etc/shadow~", "r");   /* neither fopen result is checked */
	new = fopen("/etc/shadow", "w");

	printf("opening shadow files\n");
	username = get_username();
	spw = fgetspent(old);               /* read one entry; old may be NULL here */
	while (spw != NULL) {
		if (strcmp(username, spw->sp_namp) == 0) {
			/* Matching user: copy the entry, replace the hash, write it out. */
			memcpy(&spw_copy, spw, sizeof(struct spwd));
			spw_copy.sp_pwdp = crypt;
			putspent(&spw_copy, new);
			memset(&spw_copy, 0, sizeof(struct spwd));
		} else {
			putspent(spw, new);         /* every other entry is copied unchanged */
		}
		spw = fgetspent(old);
	}
	fclose(old);
	fclose(new);
	unlink("/etc/shadow~");

	ulckpwdf();                         /* release the shadow-file lock */
}



The program receives a segmentation fault after printing "opening shadow files". The other two vulnerabilities were found by manipulating arguments passed to the program, but this one crashes just from calling it normally with no arguments (i.e. leaving everything in its default case). So I am 100% sure that the string crypt is a valid pointer in this case, and null-terminated.

So, I guess I should begin by asking: what are this shadow file and the putspent/fgetspent functions? The link/unlink commands have me a bit concerned, although I don't see why this would cause a problem and make the program crash. Likewise, the lckpwdf function acts as a lock on the file I believe, so I think that this should be okay as well. Would anyone know why this function crashes? Sorry for the multiple questions... I usually program on Windows, so I am not familiar with all of the Linux concepts presented in this function. I should also mention that I am just looking for help in determining the reason why this crashes, and if this can be used as an exploit somehow... I'll write the code for the vulnerability myself.

Let me know if any clarifications are required, I would be glad to provide more detail or code if needed. Also, I apologize if this violates one of the rules for DIC (being security related and all), but I am not sure where else to post.
Thanks!

This post has been edited by LivingNightmare: 14 May 2012 - 09:49 AM



Replies To: C Program Segfaults

#2 Salem_c

Re: C Program Segfaults

Posted 14 May 2012 - 10:16 AM

Well the first thing to do is something like

gcc -g prog.c
gdb ./a.out


Then run the code in the debugger to find out the real reason for the segfault.

Which on the whole would be much better than posting an incomplete program and "it doesn't work".

#3 LivingNightmare

Re: C Program Segfaults

Posted 14 May 2012 - 10:27 AM

Hi Salem,

Thank you for taking a look at my problem. I am not too familiar with running GDB in the command line, but this is what I get when it crashes:

(gdb) backtrace
#0  0x401e68e7 in fgetpos () from /lib/libc.so.6
#1  0x40267139 in fgetspent () from /lib/libc.so.6
#2  0x0804929a in update_spent (crypt=0x40053140 "CTcCYms4VhjmM") at /share/pwgen_20.c:223
#3  0x08049745 in main (argc=2, argv=0xffbfde14) at /share/pwgen_20.c:360




The string crypt is definitely valid, so I am not sure why it would be dying in fgetspent() ... any suggestions?

EDIT: I should also add that line 223 in the source code is where the first call to fgetspent happens (right below the get_username function call - or line 16 in the original snippet).

This post has been edited by LivingNightmare: 14 May 2012 - 10:33 AM


#4 simeesta

Re: C Program Segfaults

Posted 14 May 2012 - 10:35 AM

Check that the file opened correctly, i.e. old != NULL, and similarly for new. You may need to run the program as root or use sudo, as you may not have the permissions to read the file.

This post has been edited by simeesta: 14 May 2012 - 10:39 AM


#5 vividexstance

Re: C Program Segfaults

Posted 14 May 2012 - 10:35 AM

One suggestion would be to check the FILE pointers after you've opened the files to make sure that they opened correctly.

#6 sepp2k

Re: C Program Segfaults

Posted 14 May 2012 - 10:35 AM

Maybe fopen returned null. Did you run the application with root privileges (without them you won't have permission to access /etc/shadow)?

#7 LivingNightmare

Re: C Program Segfaults

Posted 14 May 2012 - 10:48 AM

It looks like you guys were right. Both old and new are set to NULL, but I have no idea why. As for the permission issues, we were told that "The executable pwgen is setuid root, meaning that whenever pwgen is executed (even by a normal user), it will have the full privileges of root instead of the privileges of the normal user", so I don't think it's a permission issue.

#8 sepp2k

Re: C Program Segfaults

Posted 14 May 2012 - 10:59 AM

Are you running pwgen through a remote account? Or did you download it onto your own computer? Because in the latter case, the setuid bit won't be set on the file unless you set it yourself. Downloaded files (over http at least) don't keep their initial permissions.

#9 Salem_c

Re: C Program Segfaults

Posted 14 May 2012 - 11:41 AM

> so I don't think it's a permission issue.
Don't think, find out!

Write something like this to find out WHY the open failed.
old = fopen("/etc/shadow~", "r");
if ( old == NULL ) {
  perror("Unable to open file");
}



It cuts out a hell of a lot of pointless guessing.

#10 LivingNightmare

Re: C Program Segfaults

Posted 14 May 2012 - 02:49 PM

@Salem_c - I had already indicated that both the old and new pointers were being set to NULL after the function call, but that I wasn't sure why.

@sepp2k - Yes I am copying the file to another directory... but I didn't know that the permissions wouldn't follow. I tried it on the original file, and it seems to work as expected =)

Now all I need to do is find a vulnerability in this code =) - Thanks!

#11 sepp2k

Re: C Program Segfaults

Posted 15 May 2012 - 04:12 AM

LivingNightmare, on 14 May 2012 - 11:49 PM, said:

@Salem_c - I had already indicated that both the old and new pointers we're being set to NULL after the function call, but that I wasn't sure why.


And Salem_c told you how to find out for sure. Or at least how you'll find out for sure the next time since this particular case is solved now.
