
Nebula - level01

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

Solution

According to the system(3) man page, system() should not be used in a program that sets UID values, such as a set-user-ID program. The reason is that a malicious user may set environment variables to other values, permitting nefarious actions to “subvert system integrity”.

Examining the line

system("/usr/bin/env echo and now what?");

note that there are three “tokens”, or distinct processable parts of the string: “/usr/bin/env”, “echo”, and “and now what?”. Of these, echo is given as a bare name rather than an absolute path, so env locates it by searching the directories listed in PATH. To subvert this, modify the PATH variable (e.g. PATH=~/exploit:$PATH) to include another directory ahead of the existing ones. In this directory, create a file named echo with the contents /bin/bash. Export the new PATH variable, and then run the program. Note that the shell prompt changes from level01@nebula:... to flag01@nebula:....