Top Banner
Race Condition Yajin Zhou (http://yajin.org ) Zhejiang University Credits: SEEDLab http://www.cis.syr.edu/~wedu/seed/
14

Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Oct 11, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Race Condition

Yajin Zhou (http://yajin.org)

Zhejiang University

Credits: SEEDLab

http://www.cis.syr.edu/~wedu/seed/

http://yajin.org
http://www.cis.syr.edu/~wedu/seed/
Page 2: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

A vulnerable Set-UID program

Page 3: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

A vulnerable Set-UID program

• Access -> check real user id

• Open-> check effective user id

• That’s the reason why we need access before open

Page 4: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

How to attack

Page 5: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 6: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 7: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

• X->password is stored /etc/shadow

• No x -> password is in /etc/passwd

Page 8: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Attack_process.c

Page 9: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Target_process.sh

Page 10: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Target_process.sh

Page 11: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 12: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 13: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Defense

• Atomic operation

• If we can have an option to tell open to use real UID (instead of

effective UID)

• Sticky protection

Page 14: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Defense

• Least privilege


Related Documents
Check in Check out (CICO)

Check in Check out (CICO)

Category: Documents
INTRODUCTION CHECK IN/CHECK OUT

INTRODUCTION CHECK IN/CHECK OUT

Category: Documents
An Analysis of the AnserverBot Trojan · 2011-09-26 · An Analysis of the AnserverBot Trojan Yajin Zhou, Xuxian Jiang September 25, 2011 1 Introduction On September 19, 2011, NetQin

An Analysis of the AnserverBot Trojan · 2011-09-26 · An....

Category: Documents
Check In / Check Out

Check In / Check Out

Category: Documents
Check Nbr Payee Check Amount Check Date Stmnt Date 34243 A ...

Check Nbr Payee Check Amount Check Date Stmnt Date 34243 A.....

Category: Documents
Harvesting Developer Credentials in Android Apps Yajin Zhou, Lei Wu, Zhi Wang, Xuxian Jiang North Carolina State University Florida State University Qihoo.

Harvesting Developer Credentials in Android Apps Yajin Zhou,...

Category: Documents
Go! check it out check it out check it out check it out ...cloud.media.wenatcheeworld.com/uploads/epaper/2013/09/12/ww... · check it out check it out check it out check it out check

Go! check it out check it out check it out check it out...

Category: Documents
Operating System Services & Structures - Yajin · Operating System Services (User/Programmer-Visible) • User interface • most operating systems have a user interface (UI). •

Operating System Services & Structures - Yajin · Operating...

Category: Documents
CBRE RESEARCH | CEE & SEE WORKING FROM HOME SURVEY 2020 · 5/15/2020  · like this and that’sthe main reason why CBRE Research conducted a survey to better understand the perception

CBRE RESEARCH | CEE & SEE WORKING FROM HOME SURVEY 2020 ·....

Category: Documents
Check-In Sheet - Check-In and Warm-Up · CHECK-IN AND WARM-UP / PSYCHOEDUCATION: FEELINGS Check-In Sheet Check-In Sheet. Title: Check-In Sheet - Check-In and Warm-Up Created Date:

Check-In Sheet - Check-In and Warm-Up · CHECK-IN AND...

Category: Documents
D D eheeé Sheet cm CHECK.I CHECK.2 CHECK.3 CHECK.4 … · CHECK.2 CHECK.3 CHECK.4 CHECK.5 CHECK.6 CHECK.7 CHECK .8 CHECK.9 cm CHECK.IO 'J —7 > MEMO cm cm cm . Author: admin Created

D D eheeé Sheet cm CHECK.I CHECK.2 CHECK.3 CHECK.4 … ·....

Category: Documents
Check, check, dubbelcheck

Check, check, dubbelcheck

Category: Documents