Nebula exploit exercises walkthrough – level02

level02

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

Another executable that calls system(). This time the command run is built up using an environment variable, USER.

Running the executable gives the expected result:

The executable is suid. Notice that although it calls setresgid()/setresuid() so that system() runs as the owner of the file, the environment variable USER is still that of the real UID, level02.

It’s really easy to change environment variables though.

This is a good reason to not trust environment variables for security purposes.
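A hardened counterpart to the pattern described above, as an added example that is not the exercise's or the author's code: it takes the account name from the passwd entry for the real UID instead of USER, and runs /bin/echo through execve() with an empty environment rather than through system(). The function names trusted_username, is_safe_name and echo_is_cool are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: account name for the real UID, read from the passwd
 * database rather than from the caller-controlled USER variable. */
const char *trusted_username(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

/* Hypothetical helper: allow only conservative account-name characters. */
int is_safe_name(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 32)
        return 0;
    return s[strspn(s, "abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")] == '\0';
}

/* Run /bin/echo with an explicit argv and an empty environment. No shell
 * parses the message, so its bytes are never interpreted as commands.
 * Returns echo's exit status (127 if exec failed), or -1 on rejection/error. */
int echo_is_cool(const char *name)
{
    char msg[64];
    int status;
    pid_t pid;

    if (!is_safe_name(name))
        return -1;
    snprintf(msg, sizeof msg, "%s is cool", name);
    pid = fork();
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", msg, NULL };
        char *const envp[] = { NULL };
        execve("/bin/echo", argv, envp);
        _exit(127);  /* only reached if execve failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return echo_is_cool(trusted_username()) == 0 ? 0 : 1;
}
```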

Aside

I didn’t fully understand why setresgid()/setresuid() had to be called for system() to run as the file owner. I built the same executable from source to experiment, set the owner, group and permissions as needed, but it didn’t work!

I spent a fair amount of time trying to figure this out, and it wasn’t until I did:

I was trying to run them out of /tmp/ and the whole directory doesn’t allow suid use…

One thought on “Nebula exploit exercises walkthrough – level02”


    mamvriti

    February 10, 2015 at 12:14pm

    Hi, I would like to ask something. Why system(…) in this problem works when you change USER variable but doesn’t work (error while compiling) when I just simply write it like system(“/bin/echo “;./echo;” is cool”) in C program? Thanks 🙂
