Security Challenge IV (Experimental)

Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    On the main login/create account page I tried to use the name root as my account.

    I think it created a user root in the home directory "/home/root", but it wouldn't let me login to ssh. :(

    I later patched that. Original root account wouldn't be overwritten anyway.


  • Closed Accounts Posts: 14 Sigtran


    Thanks for the challenge :pac: Damo! Hope to see more of the Linux type challenges ^;;^


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sigtran wrote: »
    Thanks for the challenge :pac: Damo! Hope to see more of the Linux type challenges ^;;^


    Maybe Solaris/FreeBSD/NetBSD/OpenBSD.


  • Closed Accounts Posts: 14 Sigtran


    It might be harder to find something in a BSD, as its default is to not give access to anything... you might find yourself having to make a custom hole in the system... this would be more of a misconfiguration leading to an attack than an actual vulnerability based on the mainstream libs etc. (I dunno much of BSD, as it is not my system of choice, so I could be wrong here)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Gobbles disagrees :D


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    f**k f**kity f**k f**k!

    This sort of challenge I would have done well in and I missed it. :(

    Sad Panda now.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Might revive this one again with some added security :-P


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I've an idea for a challenge also Damo. Just need to code it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    I've an idea for a challenge also Damo. Just need to code it.

    Cool, what area are you thinking of?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Cool, what area are you thinking of?

    Writing a flawed application that selected people would have to exploit. I could give GCC & GDB access via a shell.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Writing a flawed application that selected people would have to exploit. I could give GCC & GDB access via a shell.
    Or let them download the binary?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Or let them download the binary?

    That could be an option too!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I did something like that for Windows 2k a few years back
    http://www.boards.ie/vbulletin/showthread.php?p=56624243

    It's pretty good fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Do you fancy hosting that challenge again? I'd be interested!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I could look into it. Conceited hosted it last time as he was running some war games on win2k.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Do you still have the binary? I'd be interested in just writing an exploit for it for the craic anyway, if you can't find someone to host it. You could just evaluate the code. It should be pretty evident if it works or not.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah, it's posted in this thread:

    http://www.boards.ie/vbulletin/showpost.php?p=56619597&postcount=169

    It should be exploitable on Win 2k SP0-SP4, Win XP SP0-SP3, although DEP on XP SP3 will make it a greater challenge. Not sure about Vista SP0.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yeah, it's posted in this thread:

    http://www.boards.ie/vbulletin/showpost.php?p=56619597&postcount=169

    It should be exploitable on Win 2k SP0-SP4, Win XP SP0-SP3, although DEP on XP SP3 will make it a greater challenge. Not sure about Vista SP0.

    I only have a Windows XP VM. I'll install it on that and have a toy with it. I wouldn't worry about DEP.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Just to make sure - When I run the server, it terminates before it allows me to input a name. Is that normal?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    No, it should terminate after.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Hm... Keeps terminating beforehand here. At least with PuTTY. I tried with telnet, and it terminates after a single character. I'm guessing that the buffer is larger than 1 byte.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Hm... Keeps terminating beforehand here. At least with PuTTY. I tried with telnet, and it terminates after a single character. I'm guessing that the buffer is larger than 1 byte.

    It is, yeah. Try connecting with raw in PuTTY. Seems fine with Windows telnet also.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Ah yeah - works fine raw :) I'm on the case now.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Exploit coded for XP SP3. Pretty straightforward. Do you want me to send you on the code?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You can, yeah, but maybe in PM, as you will see why below. You handled DEP also or disabled it?

    I was thinking of hosting this again (well, would re-write the server again as I no longer have the code, but it's only small, like a handful of lines of code), and the attacker could use various tools out there to assist in building an exploit.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I didn't do anything with DEP. Default XP SP3 install. Will send it on in a PM.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    I didn't do anything with DEP. Default XP SP3 install. Will send it on in a PM.

    Strange, normally DEP prevents basic attacks, even in SP2.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    At first I thought your virtual machine wasn't supporting hard DEP through the NX bit (you can test with: http://user.cs.tu-berlin.de/~normanb/), but I have read more into it and it seems OptIn is the default configuration for Win XP, so this will only apply to some system binaries and services (in a challenge, this exe would be launched as a service, so I dunno if it applies to system services or custom ones?).




    I think I will re-do this server, maybe change things around so the user will have to do more than a basic overflow with further tasks/thinking needed. That is, if there is interest for it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Always interest in a security challenge :) Just keep the challenge so that it's do-able. I know a lot of people might not have experience with buffer overflows.. so maybe start with a new one first, and then add a second part to it at a later date? That way, you can wean people into the challenges.

    Just a thought.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Setup and testing is all done. Part 5 should be up this evening all going well.

