II. We can compile the above program using the following commands (in the -lc argument, the second character is the letter l, ell, not the digit one):
IV. Finally, compile the following program myprog, in the same directory as the above dynamic link library libmylib.so.1.0.1:
After you have completed the above steps, suppose you run myprog under the following conditions; answer the following four questions.
A. Make myprog a regular program and run it as a normal user. What is the output of the given program, and how does the LD_PRELOAD environment variable influence that output? [3 marks]
B. Make myprog a Set-UID root program and run it as a normal user. What is the output of the given program, and does the LD_PRELOAD environment variable influence the output or not? If not, explain why not. [4 marks]
C. Make myprog a Set-UID root program, export the LD_PRELOAD environment variable again in the root account, and run it. Now, what is the output of the given program, and how does the LD_PRELOAD environment variable influence that output? [4 marks]
D. Make myprog a Set-UID user1 program (i.e., the owner is user1, another user account), export the LD_PRELOAD environment variable again in a different, non-root user's account, and run it. What is the output of the given program, and does the LD_PRELOAD environment variable influence the output or not? If not, explain why not. [4 marks]
Solution:
1) The printf ("I am not sleeping! \n"); statement is executed instead of the sleep (1); statement, because the libc library is replaced with the dynamic link library libmylib.so.1.0.1 by setting the LD_PRELOAD variable path, e.g. % export LD_PRELOAD=./libmylib.so.1.0.1.
2) The sleep (1); statement is executed because myprog now has root privilege, having been made a Set-UID root program. A child process is created, and the child process does not inherit the LD_* environment variables. The LD_PRELOAD variable path to the dynamic link library libmylib.so.1.0.1 is not set for the root user.
3) Now the LD_PRELOAD environment variable is exported in the root account. Therefore the printf ("I am not sleeping! \n"); statement is executed instead of the sleep (1); statement, because the libc library is replaced with the dynamic link library libmylib.so.1.0.1 by setting the LD_PRELOAD variable path, e.g. % export LD_PRELOAD=./libmylib.so.1.0.1.
4) In this case we make myprog a Set-UID user1 program and do not set the LD_PRELOAD variable path to the dynamic link library libmylib.so.1.0.1 for user1. Now myprog runs with user1's privilege. Even if we run it from another user account in which the LD_PRELOAD variable path is set to the dynamic link library libmylib.so.1.0.1, it still executes the sleep (1); statement, because myprog has user1's privilege and the LD_PRELOAD variable path is not set for user1.
Question 2 [15 Marks]
A. State whether or not a buffer overflow attack can be performed on this program. If not, find the problem in the code and correct it. Explain how the buffer overflow attack is performed and what the output is. [5 Marks]
B. Various programs are provided in the table below. Highlight the vulnerabilities (if any) and justify your answer with an example. [10 Marks]
    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        char buff[15];
        int pass = 0;

        if(strcmp(buff, "thegeekstuff"))
        {
            printf ("\n Wrong Password \n");
        }
        else
        {
            printf ("\n Correct Password \n");
            pass = 1;
        }

        if(pass)
        {
            /* Now Give root or admin rights to user*/
            printf ("\n Root privileges given to the user \n");
        }
        return 0;
    }

There is a logic behind the output above. What the attacker did was supply an input longer than the buffer can hold; at a particular input length, the resulting buffer overflow overwrote the memory of the integer 'pass'. So despite a wrong password, the value of 'pass' became non-zero, and hence root privileges were granted to the attacker.
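The overflow described above depends on the password being copied into buff[15] with no length check, so that excess bytes land in whatever the compiler placed next to the buffer (here, pass). The program below is an added example of the bounded alternative, not the exam's own corrected answer: the line is read with fgets() into the fixed buffer, anything beyond the buffer is drained and discarded instead of written, and the only thing that can set pass is the string comparison. The password constant is taken from the exam code; the function names and the fmemopen()-based string front end (used so the logic can be exercised without a terminal) are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 15   /* same buffer size as the exam program */

/* Added example: the privilege decision is a pure function of the
 * (already bounded) input, so nothing else can flip it. */
int check_password(const char *line)
{
    return strcmp(line, "thegeekstuff") == 0;
}

/*
 * Read one line into buff[len] without ever writing past it.  fgets()
 * stops after len-1 bytes; if the newline was not reached, the rest of
 * the over-long line is consumed so it cannot be mistaken for the next
 * input.  Returns the number of bytes kept.
 */
int read_line_bounded(FILE *in, char *buff, size_t len)
{
    if (!fgets(buff, (int)len, in)) {
        buff[0] = '\0';
        return 0;
    }
    size_t n = strcspn(buff, "\n");
    if (buff[n] == '\n') {
        buff[n] = '\0';           /* complete line: strip the newline */
    } else {
        int c;                    /* truncated: drain the remainder */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Same control flow as the exam program, with the bounded read added. */
int authenticate(FILE *in)
{
    char buff[BUFF_LEN];
    int pass = 0;

    read_line_bounded(in, buff, sizeof buff);
    pass = check_password(buff);
    if (pass)
        printf("\n Correct Password \n Root privileges given to the user \n");
    else
        printf("\n Wrong Password \n");
    return pass;
}

/* Convenience front end: run authenticate() over an in-memory line
 * (constructed input, e.g. "thegeekstuff\n" or an over-long string). */
int authenticate_string(const char *line)
{
    FILE *f = fmemopen((void *)line, strlen(line), "r");
    if (!f)
        return -1;
    int pass = authenticate(f);
    fclose(f);
    return pass;
}

int main(void)
{
    return authenticate(stdin) ? 0 : 1;
}
```

With the bounded read, an input of any length produces at most 14 stored bytes; a long string beginning with the correct password is truncated to 14 characters, compares unequal, and leaves pass at 0, which is the behaviour the overflowed original failed to guarantee.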
Question 3 [15 Marks]
The given source code has two vulnerabilities. First, foo has a buffer overflow vulnerability. Second, bar has a format string vulnerability. You can assume that the program will be compiled for a 32-bit x86 system. When foo is called, its return address (RA) is 0xAABBCCDD and its saved base pointer (old BP) is 0x11223344. In addition, you can assume that all countermeasures are disabled.
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        foo(argv[1]);
        bar(argv[1]);
        return 0;
    }
A. Write an input that will crash the program using the format string vulnerability. An input that crashes the program through the buffer overflow will receive no marks. [10 marks]
B. Write an input that will disclose the content of the secret variable. [5 marks]
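The paper does not show the body of bar, only that it has a format string vulnerability; the canonical shape of that defect is a call such as printf(user) where user is argv[1], so every % directive in the argument is interpreted and printf fetches values the caller never passed, which is what makes both the crash in part A and the disclosure in part B possible. The code below is an added example, not the exam's source: the fixed form of such a function, and a small scanner a reviewer or log sanitiser can use to confirm that data about to be used as a format carries no directives. The vulnerable form is shown only in a comment; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example.  Vulnerable shape (assumed, not the paper's bar):
 *
 *     void bar(char *user) { printf(user); }
 *
 * Here argv[1] becomes the format string, so "%x" or "%s" in it makes
 * printf read arguments that were never supplied.  The fix is to keep
 * the format constant and pass the data as an argument.
 */
void bar_fixed(const char *user)
{
    printf("%s", user);
}

/*
 * Count conversion directives in s: every '%' that is not part of the
 * escape "%%".  Anything that will be passed as a *format* must return 0;
 * anything passed as the argument of "%s" may return any value safely.
 */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {    /* literal percent sign, not a directive */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Check that the fixed form reproduces user data byte for byte, i.e. a
 * '%' in the data is printed, not interpreted.  Returns 1 on success. */
int renders_literally(const char *user)
{
    char out[128];
    int n = snprintf(out, sizeof out, "%s", user);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, user) == 0;
}

int main(int argc, char *argv[])
{
    const char *user = argc > 1 ? argv[1] : "constructed %x %s sample";
    printf("directives in input: %d\n", count_format_directives(user));
    bar_fixed(user);      /* prints the input unchanged */
    putchar('\n');
    return 0;
}
```

A compiler flag such as gcc's -Wformat-security reports the vulnerable shape at build time; the scanner above is for the cases where the format reaches a printf-family call at run time (for example, a log message assembled from request data) and a check before the call is the only option.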