Cool. All right. All right, so we'll go through a little bit of updates. Hello, everyone. Tuesday, hope you're all doing good. Just wanted to show off some of the scores on the server. And yeah, we already have some people who've finished things, which is pretty cool. MadStork2 and Relieved Otter. And there's other people, you see people who don't have a name in the form, adjective, I don't know, what is this, noun, person, whatever, number. Like these people are TAs, so don't worry about them. They're also doing the levels so they can make sure that they can help you. But yeah, get started. There's a lot of people, like I said, as it goes on, it's pretty easy just by looking at this list to see what's kind of considered the easiest levels and what are considered more difficult. So yeah, use this to kind of target different levels and work your way up. If you haven't started, again, get started right away. This stuff can take a while. Yeah, but cool. I'm glad to see awesome progress being made here. Cool. Okay, now on to the next big announcement or the next big thing in class. Okay, so on Thursday, we're gonna be having our first in-class CTF. This is going to be, I'm calling it 365 CTF. If you've been wondering, the dates have been posted on the homepage. So under the important dates, we have the in-class CTFs. And so basically what we're gonna do is, it's gonna be in-class, of course, the virtual, won't actually be in-class. And we're gonna do this all virtually. And so we're gonna do this on Thursday. So Thursday at this exact time, 10:30 a.m., just like normal class time, we're gonna be starting and kicking off the CTF. So the first step for everyone is to form teams by tomorrow at 5 p.m. So the idea is you can group up as teams into groups of teams. I think this is just like a normal CTF. It's really helpful when you're stuck on something to have other people to ask questions to, to try to bounce ideas off of. 
And so it's actually a really important part of CTFs to do them as a team. We're gonna cap a maximum of five people on a team so it's not super unwieldy. And so basically figure out from, you know, from people you know in class, people you've met, you know, you at least know 30 people's emails because you've signed their keys. And there's a Piazza server and discussion board where you can try to get teams. So come together, find a team, maximum five people on a team, elect a, yes, maximum five people. So I don't, so elect a captain. Well, if there's a bunch of teams that already have six people, take one from each and they can form a team of five. Elect a captain for your team. So this captain will be your main point of contact. All right, you guys already have teams. Why do you already have teams? I guess I can change it to a max of six. I guess that could be fine. Are you planning ahead? Sounds like you didn't plan ahead if you didn't know how many people were allowed on a team. I did say five to six a few extra to go. Okay, cool. Cool, there we go. All right, six people. So maximum of six people on a team. Forget what I said earlier. Yeah, if I already said that, then that's fine. It gets a little unwieldy, but I mean, what's one more person? Okay, max six people, elect a captain for your team. The captain will be the main point of contact for us. Basically, if anything goes wrong, you can blame it on your captain and then decide on a team name. Let's see, I'd rather you be part of a team. I mean, I guess you can be a team of one if you really want to, but I don't know. CTFs can be a little bit of a lonely process. So it's much better if you have people on your team. And so I would highly recommend grouping up. I guess I won't force you, but I would highly recommend it. And so decide on a team name and register your team with the class. So we'll post on Piazza of how to do that. 
So you'll register and tell us how many people, which people are on your team, what your team name is, and who the captain is. Then step two, prepare. So install the tools that we've been talking about. I would say just post on Piazza in that case. So if you don't know anyone and you just want a team, just post on Piazza, hey, I'm looking for teammates and I'm sure people will pick you up. So basically install all the things that we've talked about so far. Network analysis tools, reverse engineering tools, maybe crypto stuff. Think about all the things we've covered in class so far. These are the types of things that will be on the first CTF. And then your next step is to compete. So the captain's job is to make sure your entire team joins the in-class CTF on April 16. We'll be setting up the undergrad TAs. We'll set up a Discord server that we'll use to coordinate during the CTF. So each of the teams will have their own private chat and voice channel that they can use to coordinate during the CTF. Also, the undergrad TAs, the TAs and myself will be on this Discord server so we can help answer technical questions and any other things that come up during the CTF so we can kind of monitor and be there all in one space. So the CTF is intended to be the length of the class. It'll be kept up basically until, so the goal is compete in the CTF and then you write and submit a CTF write-up. So this is what you're gonna be graded on. And this is actually traditional in CTF. So for actually, I think all of the top CTFs, the organizers require that the winning teams or the top X teams submit a write-up of how they solved various challenges. This kind of helps as a check to make sure that people actually did solve those challenges. We'll post the exact CTF Discord as we get closer. We're still figuring all that out. So yes, we'll be using our own Discord server for this, for the CTF. No, you won't be, so you're graded on the write-up. 
So there'll definitely be challenges that everyone can solve. So there'll be a wide range of challenges here. So you will definitely be able to solve challenges. What we really wanna see, and this is the important part, we wanna see how you solved each of the challenges that you solved. So what steps did you take to solve this? And how, so the other important thing, obviously I'm not expecting every team to solve all the challenges, although that would be great. What I really want to see is how did you attempt to solve each of the challenges that you didn't solve, right? So your write-up will have a section for each of the challenges and you'll write up a few sentences or a paragraph about how you solved each of the ones that you solved and how you attempted to solve each of the challenges you didn't solve. I'd say template is just plain text file. So plain text file, challenge A, here's how we tried to solve that. Challenge B, we did solve this. Here's how we solved it and so on and so forth. Your captain, I'm not expecting a huge long essay, but I want, it should be clear that your team actually did solve this and that you attempted to solve each of the ones that you didn't actually solve. One write-up per team. So your captain will be responsible for submitting the write-up on Gradescope by Friday at noon. So this gives you roughly a day. So it's not gonna be, I'm not expecting a super in-depth report, but I wanna see that you played during the in-class CTF and that you attempted all of the challenges. So people ask about grades, if we go to syllabus. So CTFs are 5% of your grade, split between two, it'll be 2.5% each. And you're graded based on your write-up. So again, yeah, it's not, doesn't matter if you're the best or the worst team as long as your team is participating, trying to solve these challenges and has a coherent and good plan for their write-up, that would be fine. Yes, there'll definitely be a scoreboard. 
Your team will be able to solve at least one or more of the challenges. So I'm not gonna talk anything about what's gonna be on the CTF. Yes, the write-up is due Friday at noon. Yes, we will use the, let's see. You're not required. If you have your own communication methods, that's fine. But if you want our help, so during class we will be on that Discord server. So if there's some problems or anything, we'll be on that server and that way we have a central place where you can come find us. Does that make sense? Yeah, if you have your own whatever collaboration platform, chat thing, your own Discord server, that's fine. No, we're gonna do CTF in class, so no teaching during that day. Any other questions? Discord is like a chat thing like Slack that has actually nice voice chatting and other types of features. So we can all be on one system. You can real-time ping us for help. You can do voice chat with your team. So the CTF is in class. It will be open until Friday noon. So if your team, if you want to work on stuff out of class, you're more than welcome to do that. I think that's totally fine. But no, it's not gonna be, I'm not, I really want you to be working on it during class. Cool, any other questions? Cool, this will be fun. So keep up to date on Piazza. We'll be posting more info on there in terms of links to how to register your teams, information about how to get to the CTF Discord, all that kind of fun stuff. So we'll be doing everything on there. And this is the real Discord server you're sending out, right? Not the fake one that you use to scam people. I hope so. People mentioned, people talked about that at the last class. So they, yeah, they got, that's how they scammed people effectively. Cool, okay, homework six, how does extra credit work? Yeah, you don't need to submit to Gradescope by the date posted. I'm keeping track on the server, so as people solve things. All right, let's get into more binary exploitation. Cool. 
Well, there's no point in scamming anybody anymore. So I think you're fine with whatever servers you end up on. Cool, okay. So what we're gonna do now is we're gonna talk about, so we've talked about kind of more theoretical ways of thinking about how to exploit an application, right? We've been thinking about and talking about how can I, and really when we talk about exploitation, right, we're trying to think about how can I make this application do something that it's not supposed to do, right? And so, and we've talked about different ways conceptually of how to think about that, right? We wanna analyze an application, see what it does, see what information, how it takes input from us as a user, and then how can we use that in order to subvert the behavior of the application? These are a list of kind of some of the attack classes, like different types of vulnerabilities that I go over in my grad 545 class. That's about, that goes into depth inside of each of these. So for this class, we're gonna focus on just the ones that are in black here, path attacks, command injections, and stack corruption and buffer overflow attacks. This should kind of get you started down this path of exploiting binaries. If you really wanna go further in this, you can take 466 to go this in depth, or you can even take 545, where we kind of get into in depth all of these issues. So the first thing, like the entire kind of class of file access attacks is essentially based on how, if we think about it, how do applications typically interact with the file system? What they do is it's all based on strings. So if we want to, and we talked about this, I think a little bit last time, open /tmp/foo, what I'm doing here is I'm opening a file and read only, or whatever the flags are here, or read, write. So I'm trying to open a file, and I specify to the operating system what file I wanna open based on this string, right? 
And what can happen is basically if we want to attack, and we're talking about local attacks here, mostly, but if we want to, so if we wanna attack an application, and we wanna, if we have a way to control how, or when an application builds its path, we can trick the application to violating the security property of the system. So actually one of the most well-known types of these vulnerabilities is called the dot-dot attack, or a directory traversal attack. And this is something that is actually common, not just in binary applications where we're learning about it here, but it's also common in web application vulnerabilities. The essential idea here is if you're writing code, right? And the really important thing when thinking about these types of vulnerabilities is when you gotta put yourself in the minds of the developer, right? So let's say I'm a developer, I wanna write an application that reads from a file. So I have some kind of application, and I have like, yeah, so let's say I'm writing a note application, and so my application looks in the local directory notes. Inside that directory, I store all the notes about a user, so a user can ask me for a certain note and I will give it to them, right? So if I'm actually doing this, right, what would this code kind of look like, right? It would be, so I would have something like my path here, so I'm gonna build up a path, and it could be many different ways, but let's do for right now an sprintf, and I'm gonna, of course I'm writing bad C code, so I'm gonna make sure I'm doing it right. So if I wanna print to notes/%s, and my first argument is, and let's just say for all, for argument's sake that I have a character pointer somewhere up here called the note, right, so I call some function that gets it from the user, and then that returns me a character pointer that I then concatenate, right? So sprintf is going to print format, yeah. All right, we'll have to do this securely since it's a security class. 
snprintf, and the string path, the amount 2047, just to be safe. Okay, so essentially what I'm doing here is I'm, and so it's important to think, okay, what is this code intended to be, right? So then I have an open and int fd = open(path, O_RDWR), and then let's say I just output, it's nice to just be able to make functions do whatever you want to output to user fd. So this function will just output everything that it reads in from this file descriptor to the user, right? So if we think about it, what does the developer intend? So let's walk through the actual functioning of this code, right? So here I'm getting the note from the user, so maybe it's an argument, maybe it's an argv, so maybe it's an argument from the user. Maybe I ask on standard input what it does. So snprintf is like a printf, so you can take it here, let's see. snprintf writes to the character string string, and it writes at most size minus one of the characters, so I can actually do 2048. So it's gonna write 2047 characters at most, and then finish it with a null byte. So the way to read this, so it's in the printf family of functions, so it's gonna have this format string, and then when it sees this %s, it's gonna substitute the first argument and interpret this as a string and copy it into there. And then the n part of snprintf limits how many bytes it's gonna write into this string, so this means that it's gonna do at most 2048, including the null byte. So this means that whatever the user types in, it's not gonna write more than 2048 to this buffer on the stack to this argument. So after this, essentially, so if you were, if you were writing this in something like Python, you would say you just do open something like open ./notes/, plus the note, something like that would be the equivalent, right? So all we're doing is concatenating the user's input, so whatever they wanted to do for the note, we're concatenating it to this string ./notes. 
So this is definitely not a format string attack. That's very different. We can talk about that maybe briefly later on once we cover this stuff. But let's go over what this actually allows you to do, so, right? And again, we can see from here, we can see exactly what the developer intended, right? We can see the developer's intent here is that they should only be outputting files that are inside of the notes directory, right? Because everything they're prefacing is ./notes. So in the current directory, the notes directory, and then getting notes from there. But is that, so that's kind of, we can see that here, that's the intended security property of this application, but can an attacker violate that security property? So let's actually walk through this code kind of virtually and think, okay, so we'll go through different scenarios. So what if the note is equal to a foobar, right? Let's say I've stored a note foobar. What's gonna happen? So the note's gonna be foobar, this snprintf, it will be path, path will be equal to ./notes/foobar. And then it will call open with ./notes/foobar and then it will output the, whatever's inside ./notes/foobar, which is exactly what we want. This is how our application is supposed to work, right? And so I haven't violated the security property of this application at all because I'm reading from a file that's inside the notes directory, which is exactly what the developer wanted. Now, what are different ways that we can go outside of a directory in Linux? And actually on most file systems now. Yeah, dot dot represents the parent directory, right? So now what if the note is equal to ../../../../etc/passwd, right? And the code here doesn't care, right? The code doesn't care that the note has any special characters or anything, right? So what's gonna happen? 
Well, the code's gonna execute just as normal, path is going to do ./notes/, and then it just appends these strings together, right? It's concatenating these strings. So it'll be ../../../../etc/passwd. And then it will do open ./notes and it will output this file, right? So the file system, right? When we call open on the file system, then what happens with all these ../, right? It allows the attacker to traverse the directory and be able to access files outside of this directory, right? So what this is doing is depending on assuming that notes is at least four away from /etc/passwd and assuming that this note application is setuid, this would allow us to read the /etc/passwd file or /etc/shadow like we talked about, which actually has the hashes of passwords, maybe that's better. And so now we've essentially tricked this application to open and read a file for us that we should not have access to, right? Because the application by default should only be able to read from the notes directory, but we have been able to trick it by providing input that means something special to this open system call of the parent directory input. And so you can do this to trick an application to open different files that it wasn't expecting to be able to read those files, maybe it's to execute those files. This is actually a very general purpose type of exploit and vulnerability. This happens on web applications like I mentioned. So often web applications will have this type of functionality where it will read from a local file from the web server. So if you point it to a file like /etc/passwd, /etc/shadow, any of these files, you can then maybe read a file on the file system that you shouldn't be able to read. So in PHP, local file inclusion, the inclusion part means that you're including it and executing it as code, which is different, right? 
So it can be both because PHP, if you did include this and there's no PHP tags in there, it won't interpret it as PHP and it will output it to you. So it's essentially also a directory traversal. So yeah, so how to prevent this, right? So, what do we actually need to do here to prevent this, right? So there's actually, in terms of prevention, there's typically two types of approaches that you can take. So one approach is whitelisting, right? We could say, so what should our files be made out of? Right, so for a whitelist, we say exactly what makes for good input. So what should the note be? Yeah, for instance, what if I am... So if we think about this as a regular expression, right? If I make the note only consist of lowercase a through z and reject everything else, so say a note can only be a through z, then I've completely prevented this vulnerability, right? Cause there's no possible way that an attacker-controlled ../ can ever reach the open syscall, right? But I'd have to add a check in here, right? Check the note. And this would completely get rid of this vulnerability, right? But it actually has some downsides, right? So if I restricted them to only a through z, what if my user says, but I have a, what if I have a very complicated note that they want to put dashes between or underscores, right? To have it be more readable, right? Or like you said, there you go, .txt, and so this... So, right, so extensions, right? So by whitelisting, we're restricting what we can be where maybe with blacklisting, we could say, well, let's block any dot dot. So check if the note has ../ then reject, right? So here I'm saying, okay, I know what's bad. What's bad is them being able to traverse outside of this directory. So I'm gonna block any dot dot. And I say, if the note has any dot dot in it, then I reject it, right? And the problem is like people are mentioning in the chat that the problem is, and especially this is what happens in web applications. 
So you think, okay, to prevent this is very easy, just make sure no dot dot ever makes it to your application. The problem is attackers may have different ways of trying to encode their input. So on the web, you can encode this as percent encoding, double percent encoding. There's all kinds of crazy tricks to try to do. Here, I don't think there are any tricks, but you could also, depending on the structure of notes, you may be able to get them to open up folders or files inside the notes directory that maybe is a different user's notes or something like that. So we could also say, another type of trick would be filtering. So we'd say, let's transform any dot dot to just the empty string. So remove it. And in that case, all of these would get removed. So we'd just have notes, notes, notes, notes. And that would try to access the file, etc/shadow in the notes directory, which all get the extra slashes don't matter. It's all gonna get transformed to just one slash. And so cool. Okay, so yeah, so these are kind of the two different ways. Whitelisting is the best approach of saying, okay, I know exactly what input is safe, but fundamentally, yeah, so this is the other problem with that, that's a good example. So if you just say, let's transform any dot dot to empty, I'm just gonna steal this. And of course it's gonna do weird because it likes to keep the format. Then if my input is, if the note I put in as triple and I transform every dot dot to empty, I think I may need more here to actually get this to work. Now this still should strip them out. This is a bad example. Okay, I have other examples we'll do later. There you go, ../ to empty. Yeah, that would actually make sense. You could also maybe try disallowing slashes. Right, saying, okay, well, I know slash is a special character and I don't want slash to be in anybody's username. So I could try that as a technique and now I just reject anything with a slash in it. 
Right, and there that makes it so the attacker would not be able to escape out of that directory. But fundamentally, the fundamental problem here and the reason why this is a vulnerability is because if we look at this code and we think about it as what is attacker controlled? So here, the note is attacker controlled because it comes from the user and then it gets used in something here, gets copied to path and then it's used to open a file without any whitelisting, blacklisting, filtering, any type of sanitization. Then this represents a potential vulnerability, right? And the important thing is why are we saying potential, right? The problem is it depends on what the application is. So like, for instance, if you said the application cat has a vulnerability because I can do ../../../ to output any file. Well, of course, that's the functionality of the application cat. It literally will output whatever file. The important thing is that cat does not run, there's no setuid bit here, right? So cat runs as your privileges, not as root. So it doesn't matter that you can use cat to output any file because it only has access to what you have access to. So again, remember the vulnerability is context dependent on the application. So this is something that's super important to keep in mind because it's easy to say, oh, look, they're using user input in this way, but that may or may not be vulnerable. It depends on the specific application. Other things that influence the permissions would be, I think of it probably more in terms of deployment security, right? So thinking about the lifecycle of the application, the application could be secure, but it's deployed or configured incorrectly, right? So that kind of depends. And it also depends on if it's something that comes as part of the operating system and is misconfigured, that could be one thing or the other. Cool, so okay. 
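The note-path construction and the checks discussed above, written out as an added example that is not part of the lecture. The function names are hypothetical, the sample inputs are constructed, and the lexical containment check goes beyond the whitelist and blacklist the lecture names (it looks only at the string and does not follow symlinks).

```c
#include <stdio.h>
#include <string.h>

#define NOTES_DIR "./notes"   /* directory used in the lecture */
#define PATH_BUF  2048        /* buffer size used in the lecture */

/* Whitelist from the lecture: a note name is one or more of 'a'..'z'. */
int note_whitelisted(const char *note)
{
    if (*note == '\0')
        return 0;
    for (const char *p = note; *p; p++)
        if (*p < 'a' || *p > 'z')
            return 0;
    return 1;
}

/* Blacklist from the lecture: reject any note containing "..". */
int note_blacklisted(const char *note)
{
    return strstr(note, "..") != NULL;
}

/* Added check (assumption, not from the lecture): walk the components of
 * the note as they would be appended after "./notes/" and report whether
 * ".." ever climbs above the notes directory. Purely lexical. */
int note_escapes_dir(const char *note)
{
    int depth = 0;
    const char *p = note;
    for (;;) {
        while (*p == '/')            /* repeated slashes collapse */
            p++;
        size_t len = strcspn(p, "/");
        if (len == 0)
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
    }
}

/* The code as built in the lecture: concatenate, no check on the note. */
const char *unchecked_path(const char *note)
{
    static char path[PATH_BUF];
    snprintf(path, sizeof path, NOTES_DIR "/%s", note);
    return path;
}

/* Hardened form: whitelist first, and treat truncation as a rejection,
 * since a silently shortened path names a different file. */
const char *checked_path(const char *note)
{
    static char path[PATH_BUF];
    if (!note_whitelisted(note))
        return NULL;
    int n = snprintf(path, sizeof path, NOTES_DIR "/%s", note);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL;
    return path;
}

int main(void)
{
    /* Constructed inputs: the two from the lecture plus two edge cases. */
    const char *samples[] = { "foobar", "../../../../etc/passwd",
                              "my-note.txt", "a/../b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        const char *ok = checked_path(s);
        printf("%-26s unchecked=%-32s escapes=%d blacklisted=%d checked=%s\n",
               s, unchecked_path(s), note_escapes_dir(s),
               note_blacklisted(s), ok ? ok : "(rejected)");
    }
    return 0;
}
```

The output shows the trade-off from the lecture: the a-z whitelist blocks the traversal but also rejects `my-note.txt`, and the blacklist rejects `a/../b` even though it never leaves the notes directory.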
So then the other thing to think about is, so this is one way that an attacker can influence what files are being opened based on using their input in order to influence that behavior. You just got a, yeah, okay, cool. Yes, and this is why there are still so many vulnerabilities. You have to be very cautious of any possible user input, any way that you're using it potentially insecurely or passing it to a sensitive function that has special characters that mean different things, right? If we pass this to a different function, these dot dots don't mean anything, but they only are important because it's passed to the open function. And so, yeah, this is really the source of the reason why all, why vulnerabilities still exist in, you know, things like web applications and various types of things. Cool, okay. So I'll go on here. Okay, so I think we talked about this and discussed this a little bit. So how does my shell, right? So I'm talking now, I think I can see exactly what shell I'm using, echo $SHELL, right? So I'm actually talking to /bin/bash here. I'm not talking to anybody else. And so what I wanna know is when I type in ls, how does the shell know exactly which ls program to execute? How does it know that it's in /bin? Well, so one thing we can do is I can ask it how. So I can use this program called which, which will tell me where the program is located. I can even use which which to see that which is actually in a different directory. It's in /usr/bin/which. Yeah, so it needs, so we need, because if we had to think about this, if every time you wanted to list a directory, you had to type /bin/ls or you had to type in which, you would probably first type in /bin/which and then be like, oh, that doesn't exist. Oh, I guess it does. Wait, that's weird. I wonder if they're different. That's interesting. So you have to remember exactly where the programs were in order to run them, it'd be a headache, right? 
So there's a very nice feature where this PATH environment variable is used by, I actually don't know. I don't know what whereis is. I always use which. So what your shell does, right? If we do env, this is all of the environment variables. Remember, we discussed the environment, they're a set of name value pairs that are actually, this whole set is copied into every program essentially that you execute. And one of these is the PATH. So the PATH is what the shell uses in order to determine how should I look for programs to execute when the user just types in ls, right? So we can see first thing that gets looked and this is a, if we look at this, this is a colon separated list. So it's first looking in /usr/local/sbin, which there is nothing. And then it's gonna look into /usr/local/bin which has some stuff, including the LEAP program. And then we'll look in /usr/sbin which has some other programs. And where are we here? And then /usr/bin and then /sbin, /bin, apparently /usr/games for some reason, /usr/local/games and the /snap/bin. Oh, interesting. Cool, so it's a symbolic link there, right? So exactly what Bash is doing is it's looking every time in this list for the exact file that you execute, right? So, and this is super handy. It's something that is a fundamental part of how we use our shell is we don't wanna have to type in exactly /bin/ls but remember the operating system, the function that actually invokes a new process to the operating system is execve, it needs a full file name argument, right? So it needs the entire path to that binary. You can't just tell the operating system, hey, exec ls and then figure it out. Yes, so you can, and this is actually super useful. So on my system, I hope there's nothing private in here, I don't think so. But yeah, you can see my PATH is kind of littered with all kinds of crazy stuff. So what are some things I have in here? Like /usr/local/opt/mysql/bin. 
I have, oh yeah, I usually have my own bin directory. So this is in my home directory slash bin. And I have, I don't know, all other stuff that gets added with Python stuff and RVM stuff and all kinds of things. So yeah, you can actually use this as a very nice way of doing this. So, and okay, so applications normally, so this is a very handy feature and okay, so we need to think of other things. Okay, the other thing, so we just talked about PATH, how PATH is useful. And let's think. So okay, the other thing that we'll talk about really quickly that's used is HOME. So why is tilde special to the shell? Yeah, it's actually, but the question then is how does your shell know where your home directory is? And it actually is, it uses this environment variable HOME. Right, so if we look at env, we have the things we talked about, our PATH. And another thing we talked about is HOME. And so this home directory, so if I look at my present working directory, home moving to test, and I can say home equals home. And if I cd to tilde, it will put me into this directory. Right, so tilde is being expanded by the shell into whatever this environment variable HOME is. Okay, so why these things are important? So HOME, tilde, PATH. So this is because it is very easy to, so like we talked about, and this is kind of an important thing to, an important distinction to make is that execve is the operating system call. So this is what actually talks to the, execve is what our applications use to talk to the operating system to say, hey, please execute this new file and pass it this argument list and pass it this environment variable. But when we're writing applications, oftentimes we don't wanna have to deal with all that jazz. We want an easier way to do this. So we need a, yeah. So like if, okay, so let's think about this. So actually if we think about this, all of this nonsense that I had here, right? 
I had a whole function here to try to output this file descriptor to a user, but there's actually already a very useful program that will output things to standard out. And it's part of kind of the Unix philosophy of things that I should reuse what applications are available rather than reinventing the wheel. So I might write something like system cat notes, hello world, right? And the system is actually, so system is not an OS system call. It's in libc. It's a library that, and this is exactly what it tells us that it does is it uses fork, so it creates a child process, executes the shell command, exactly as if you typed it into your command line of /bin/sh, argument zero sh, -c and then the command that you type in. So it's exactly as if, oh, I don't want to change my home back notes. So when I do system cat notes, hello world, exactly what's happening is under the hood, what system in libc is doing is it's translating everything to an execve call that calls /bin/sh -c, and then my command cat notes, hello world, which is super useful, right? Because now I can use the cat binary, right? I don't have to reuse all this functionality of how to read and write files, do all that fancy stuff. And so how does /bin/sh know what cat program to execute, right? So /bin/sh is just another shell. So I can actually start executing it. And actually on the, let's see, in Ubuntu /bin/sh is actually linked to dash. And so is, oh, no, it's not. So I can execute /bin/sh cat notes, right? So /bin/sh has all the same environment variables and it uses the exact same lookup as my shell does as bash. So when I do something like cat notes, hello world, what it's doing is it's crawling the PATH. So for instance, if I did export, I think just like this should get rid of it. And now if I do cat notes, hello world, right? It'll tell me cat isn't found because it's not able to find it in the PATH. So /bin/sh is when you call system, right? 
It's essentially, you got to think of it as it's exactly as if you were on a shell typing it in, right? Which means that it's using the exact same lookup with the path environment variable to look up it as another executable. So it's looking through the path environment variables, looking for the first executable program it can find called cat. And then using that and executing that. So now what if I have a setuid program that calls system and uses something like cat notes, hello world, who controls the environment variables that are passed to an executable, anyone, thoughts? Yeah, the parent process or whoever passes it in, right? It's actually passed in as part of execve, this system call, this environment envp pointer, the person who executes this program can choose exactly whatever environment that they want. So you can do things like, so we were looking at /bin/sh. The really cool thing is you can specify parameters on here so you can specify path as just hello and then a space and then the program you wanna execute. So this, if I type in echo path, it'll say hello and if I type in ls, it'll tell me it's not able to find it. So this is saying execute /bin/sh and pass it the environment variable path equals hello. So I can control this and I can even do this and I can control environment variables for setuid programs, right? So if I wanted to, let's say, rather than having the program call cat, how could I trick it into executing whatever I wanna execute? Yeah, so if I, so I could create a directory called fake, I can output something to cat and then I could do, /bin/sh, now I want my path to be test and now if I say cat notes, hello, it's not executable. Oh, it's, and it's also not test. Okay, good, that was a double test. Okay, I have to make it executable. So now I've tricked it into executing a binary of my choosing and not of somebody else's. 
So in that way, if you have a, and there's actually a number of functions, so system is one of them, execlp, execvp. And you can look up the, this family of functions. Remember the only one that doesn't use it is execve, right? Because that's actually the OS system call, but these other helper functions will use the shell path variable. So similar things, like we talked about, if an application, oh, hello. So similar things, like we talked about, if an application uses tilde in order to read and write a file, right, the home variable, just like an attacker can control path in order to trick an application to executing a different binary than it was expecting, an attacker can use home environment variable to control the execution of commands, or sorry, to use the home variable to trick the application to thinking of what tilde represents and the directory that tilde maps to. So this can be another way that you can compromise the security of an application using tricks like this of changing the environment, right? So we have a couple of different ways we can use a directory traversal in order if the application directly uses our input in order for a call to open. We can modify the environment that the application uses if that allows us to trick it to executing different types of programs. And finally, kind of combining these two together is an entire class of vulnerabilities called command injections. So one of the most famous ones we looked at, so this was system. So one way we could think of can tilde become a remote location? Usually no. So unless you have mounted some volume on your system, so tilde you can make be whatever a local path is. I don't know about remote, I guess probably only if it's mounted, but I guess it depends on the application and whatever's using tilde. So how to fix, we'll go back a little bit, how to fix these path vulnerabilities, right? 
If I specify the exact location /bin/cat, if I go back to my example and if I do /bin/cat notes hello world, I'll see that it works exactly right because the shell does not need to figure out what the cat, what the cat application is. I cannot just write over /bin/cat. Let's look at the privileges here. You're on this system, can you write to /bin/cat? If you could write to /bin/cat you could get me to execute code of your choosing. But it's owned by root and only root can write to it. We cannot write to it. Cool, okay, so one way to do this would be to specify the entire path to the executable that we want to execute. But now if we say, okay, let's go back to our original application, right? This application and man, this is really annoying, this output everything to the user. What I'm gonna do is I'm just gonna say my path is gonna be /bin/cat. And what I'm gonna do is say system path. Look, like I've gotten rid of, what is this? However long this function is and this open, like it's actually a very nice kind of engineering thing here, I'm pushing off a bunch of functionality from my application. I'm able to delete a bunch of code and I'm able to reuse some other application's functionality to output this file name, right? So /bin/cat ./notes and then the note. And in fact, what do you think? You wanna play with this a little bit? Let's write this application. Cool, okay. And I had to use Vim last time. Okay, this may take a little bit. Int main, okay. And argc, character pointer pointer. Ah, that's why I hate them. Okay, int main, int argc, character pointer pointer argv. Okay, so what I'm gonna do is, okay, what I'm gonna do is change the note to argv one. So this is how I'm getting it from the user. So getting the note from the user, right? So I'm getting the note and I'm gonna open up another terminal so I can make sure I have all my includes correctly and I wanna be a good programmer. So I'm gonna return zero. 
And then at the top, I am going to, man, snprintf, include stdio.h, stdlib.h, gcc test.c, and let's see, do I have notes? Notes, yeah. So if I do a.out, hello world, it should output hello world, right? It's telling me the exact program here. And so what is it doing, right? So let's actually look under the covers. So we use strace to trace the system calls that this is making. And there's a lot of stuff in here, like I think I said beforehand. So what is happening? It is eventually calling, oh, it's calling fork, right? So it's, we need to follow the child. Yeah, all right, trace child process. Okay, so -f, okay. So it's forking a different process. And then in that different process, there we go. So it's calling execve with /bin/sh, right? So this is exactly what system is doing. So the system call first forks a different process, a child process. So the command ran to get the PIDs, I think is the -f on strace. So this means follow when you have a fork, follow the child and print out all the system call traces from the child, which is what I wanted because I wanted to see this execve to see exactly what this is doing. So this is calling execve /bin/sh, sh -c /bin/cat ./notes/hello world, right? Cool, this all makes sense because we know, oh, we were actually looking at system here. Let's make it a little bit bigger. And we know that, I don't like the documentation there because this one's so much better. This is telling us that this is exactly what it's doing /bin/sh, sh -c, and then the command name, right? So this is exactly what it's doing, bin, /bin/sh, sh -c. So this interprets it as if it was on the command line. This is why normally if we could mess with this like before when it was just cat, then we could mess with the path in order to have it execute a different cat. But here the programmer has very wisely said, okay, only execute /bin/cat, right? 
This is the only program that I'm gonna execute and then put their argument as the second argument here. So we can even, so the question is, what can we do with this? So again, the thing to remember is this is exactly as if -c, it's doing /bin/cat notes hello world, right? So if we give it our program, our little a.out program, if we give it something like ls, it'll say there's no such file or directory ./notes/ls, okay. But what can I do from here? So again, remember the really interesting part here is that now we have input from a user, the note, right? test.c, right? So this input comes from the user. The argument variable comes from the user. If we assume this is a setuid program, this argument comes from the user. It's being used in something and then being sent to system, right? So let's ignore there is a directory traversal here, but yeah, the question is, what other things can we do on a shell, right? So I can't use the path to trick it to execute a different program, but what if I did something like ls slash, so what did this do? What happened here? What is this output that I'm seeing? Put another way, were we able to trick a.out to execute something else? So yeah, the thing to remember is what does my shell do when it sees a semicolon, right? A semicolon is a way that I can do multiple commands on the same line, right? This is just ls three times. So what my shell does is it splits this up into two commands. It says, okay, first execute ./a.out ls. It tells me that there's no such file or directory and then it executes /bin/ls as essentially as me, right? So as my user, and so how can I get, so I need to tell the shell, don't interpret anything inside this string, just pass it actually as an argument. And we can actually see this if we do strace -f a.out with this, we can go back here and we can look at the execve command, which is here, right? 
So it's execve or we can even look at the execve /bin/sh sh -c /bin/cat ./notes/ls. So everything after that didn't even make it into the program, right? And so the way we can tell, there's two ways we can do it. We can use escapes so we can put a slash before the semicolon. That's one way to do it. Another way to do it is to put everything in quotes, which should tell our program, okay, pass this in as if it's argv one, this entire thing, don't interpret it as anything extra. So if we go in here, we look at the, execve, there we go, sh, sh -c /bin/cat ./notes/ls, semicolon /bin/ls, right? So I've actually been able to, so here I was able to, if I get rid of the strace. So how can I see that this is actually executing by a.out? Let's look. So what I will do for now, making sure that nobody else can execute it. Yeah, so I will use my sudo powers to make a chown a.out root root and sudo chmod plus s. Not sure if that works. But that is wrong. Well, how do I do chmod? Anyone know, or setuid? Ah, u+s, there we go. Cool, so now I have this very dangerous a.out binary that's executable for everyone and is setuid. And I also double checked that this directory is only executable by my user, so you will not be able to execute this file even if you're on this server right now. So, oh, because I didn't put anything here, right? So here's the program as normal and it's running as root. So I could use this to, so now how can I prove that it's running as a different user, right? So let's look at our two different inputs so we can see. So if we do it without this, right? So when I run this, it's running /usr/bin/id as my user, so it's running as the Ubuntu user. But now if I enclose this in quotes and pass this as an argument, where is the, oh, I know what's happening. Yeah, okay. So what's happening is, by default, the shell on modern Linux systems actually drops privileges. 
So if it's run as root, it will drop privileges. You have to do some special stuff in order to actually make that work. Dang, that was gonna be a cool example. But all of the, let's say, that's taken care of in all the assignments that it needs to be. But essentially now I can get this program to do anything that I want and execute any commands, right? So some people had other arguments. I could try piping, so a pipe is one way. I could try a backtick id, maybe. The problem is I don't want it actually executing, so I think I need to put quotes, yeah. So here I was able to get it to execute a program. So yeah, so command injections, right? If an attacker can control a command that's passed there. Good try, not going to do that. Cool, so here's another type of example that's using a command to output a log file, so you can check this, and you can use this to access different files that only the root user should be able to access. So these types of vulnerabilities, again, command injection is another one that comes up all the time. Web applications can have command injections. And so there was actually a real, one of the coolest vulnerabilities is a vulnerability called Shellshock, which was a bug in the bash binary that was used basically when you pass environment variables to another instance of bash, it could pass a function definition, and in a function definition, you could execute code. And so essentially, so for example, like with GitHub, right? You can access a Git server using SSH that has very limited access. You could use this to break out of that restricted shell, and you could do things like access different environment variables. Also, so CGI web applications, a lot of web applications automatically created variables, so you could get arbitrary code execution on a remote system just through one web request, and this actually affected a lot of machines. 
The crazy thing is that Shellshock was actually vulnerable, like this bug was there for, I think, roughly 20 years and nobody found it. Like it was only through, finally, somebody stumbled on this code and was like, hey, why is it doing this, maybe this functionality could actually be used for code execution. So yeah, is a really interesting example of a type of code execution that's been around for a long, long time. Cool, so with that, we made a lot of ground on that, and when we get back, we will, next week, we'll talk about buffer overflows and all that fun stuff and cover roughly 180 slides. Cool, see y'all on the CTF on Thursday.
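The note-printing program from the demo, next to a version that avoids the shell, as an added example that is not part of the lecture or the lecturer's test.c. The function names, the allow-list for note names and the fixed PATH value are assumptions made for this sketch.

```c
/* Added example, constructed for illustration; not the lecturer's test.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shape of the demo program: the note name is pasted into a string that
 * /bin/sh -c parses, so ';', '|' or backticks in it become shell syntax. */
int show_note_system(const char *note)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/cat ./notes/%s", note);
    return system(cmd);
}

/* Allow-list for note names (an assumption about what a note may be called):
 * letters, digits, '_', '-', '.', no leading '.', at most 64 characters.
 * '/' is excluded, which also closes the directory traversal. */
int note_name_ok(const char *note)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
    size_t n = strlen(note);
    return n > 0 && n <= 64 && note[0] != '.' && strspn(note, allowed) == n;
}

/* Same job without a shell: execve takes the absolute path, an argv array
 * (the note is one argument, never re-parsed) and a fixed environment.
 * Returns cat's exit status, or -1 if the name is rejected or fork fails. */
int show_note_execve(const char *note)
{
    char path[128];
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    if (!note_name_ok(note))
        return -1;
    snprintf(path, sizeof path, "./notes/%s", note);
    char *argv[] = { "cat", path, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/cat", argv, envp);
        _exit(127);               /* only reached if execve itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    return argc == 2 ? show_note_execve(argv[1]) : 2;
}
```

In a setuid program the fixed envp matters as much as the argv array, because the caller chooses every environment variable the program starts with.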