title: privilege-separation

date: 2016-01-12 14:40:04

categories:

tags:

• Exercise1
  
  In order to gain deeper understanding of the internal architecture of the Touchstone web server,
  
  let’s use gdb to debug the banksv service.First, launch the server:
  
  $ ./touchstone
  • now use gdb to attach to the banksv service:

	ps -a

	PID    TTY    TIME       CMD

	5583  pts/0 00:00:00  touchstone

	5584  pts/0 00:00:00  filesv

	5585  pts/0 00:00:00  banksv

	5586  pts/0 00:00:00  httpd

	5771  pts/1 00:00:00  ps

	gdb -q

	attach 5585

	b Handle_post

	Breakpoint 1 at 0x80d0a2f:file handle.c,line 74

	set follow-fork-mode child

	c

	Breakpoint 1,handle_post(uri=0xbfeac5a8 "/",fd=6)

	at handle.c :74

	74 char *info="HTTP/1.1 200ok \r\n\r\n";

	n

	75 Body_t *b=getBody(&num);

	n

	77 char *name=b[0]->value;

	n

	78 char *pwd=b[1]->value;

	n

	80 char *type=b[num-1]->value;

	p name

	$1=0x8f894f0 "abc"

	p pwd

	$2=0x8f896f8 "123"

	n

	82 init_db();

	s

	init_db() at ./sql_lite3/sqlhelper.c :32

	32 if(open_db()==syccess){

---

• Exercise2
  
  Finally, you will write some code. Extend the current sqlite3 user table, to add more information.
  
  For instance, you can add time and IP address to the user table, so that when one user has logged
  
  in, the web page can display the last login time, the current login address, etc.. You may
  
  want to read some sqlite3 documentations.

• Firstly, we pass the value of client_addr to httpd process though by executing
  
  write( disp_fds[1], inet_ntoa(client_addr), 50 ).
  
  And in httpd process, as a hub, we receive this value.
  
  Then we send this value to filesv and banksv processes respectively according to pipefd descriptor.
  
  So that, we can process this address to the browser.

• Why we don't send it to filesv and banksv directly ?
  
  It is just a pity that the server has shut down these descriptors before new client coming...

• Secondly, we should add additional fields for the user table.
  
  One is the ip_addr, the other is last_time(which can record the last login time).

• Before modifying user table, we should drop it because some datas has existed in the user table.
  
  In order to get and update the last login time and last ip address, two functions need to be implemented.

  • As follows :

    void getLastState( const char * u_name,
  
      const char * u_passwd,
  
      char * last_ip_addr,
  
      char * last_time ){
  
      if(open_db()==SUCCESS){
  
    		 char sql[1024];
  
    		 sprintf(sql, "SELECT ip_addr,
  
    		 time from user WHERE name = '%s' AND passwd= '%s' ",
  
    		 u_name, u_passwd);
  
       int row,column;
  
       char **result;
  
       char *errorMsg;
  
       if( sqlite3_get_table(db, sql,
  
    					&result,
  
    					&row,
  
    					&column,
  
       &errorMsg)==SQLITE_OK ){
  
    		 strcpy( last_ip_addr, result[2] );
  
    		 strcpy( last_time, result[3] );
  
    	 }
  
    	 else printf("getLastState error!\n");
  
    	 sqlite3_close(db);
  
       }
  
       else{
  
    	 if(DEBUG)
  
    	   printf("open failed![%s]\n",sqlite3_errmsg(db));
  
       }
  
    }
  
    void updateLoginState( const char * u_name,
  
    		const char * u_passwd,
  
    		const char * ip_addr,
  
    		const char * datetime ){
  
      if(open_db()==SUCCESS){
  
    	char sql[1024];
  
    	sprintf(sql,
  
    		"UPDATE user SET ip_addr = '%s',
  
    		time = '%s' WHERE name = '%s' AND passwd = '%s' ",
  
    		ip_addr,datetime,u_name,u_passwd );
  
    	 handle_db(db,sql);
  
    	 sqlite3_close(db);
  
       }
  
       else{
  
    	 if(DEBUG)
  
    	   printf("open failed![%s]\n",sqlite3_errmsg(db));
  
       }
  
    }
  

---

• Exercise3
• Modify the code snippet in the browser.c to send a constructed HTTP request
  
  to the web server to visit /etc/passwd file.
  
  That is, you can read that file remotely.
  
  修改browser.c文件中的char *req 构造请求字符串 访问/etc/shadow文件

   char *req="GET ../../etc/shadow HTTP/1.1\r\n\r\n";
  

---

• Exercise4
• Add some code to the server.c to add chroot support.
  
  Change root directory from / to /jail .
  
  After this, you can compile and run the new web server:
• jails

  chroot("/jail")

  再次访问访问/etc/shadow文件

  发现文件不存在

---

• Exercise5
• Modify your browser code to inject some shell code the server.
  
  Your shell code attack the httpd daemon and unlink the file /db/users.db.
  
  Using ret-to-libc attack can make this a little simpler.

   ebp+4 system地址
  
   ebp+8 exit地址
  
   ebp+12 rm db/users.db地址
  

---

• Exercise6
• Modify the function in the file server.c , to set up the user and group IDs properly
  
  when services are launched. Think carefully about how your code can set the user and group IDs by
  
  setresuid()、setgroups()、setresgid().
• Set file and directory permissions to ensure that the static service
  
  cannot read the database files from the dynamic service, and vice versa.
  
  Try to modify the chroot-setup.sh to set the permission for different files.