LinuxQuestions.org
Old 12-09-2011, 09:46 AM   #1
eric.frederich
LQ Newbie
 
Registered: Mar 2007
Posts: 5

Rep: Reputation: 0
Faking uids


Is it a security problem that I can trick applications into thinking I'm someone else by using LD_PRELOAD to load a library that overrides getuid and geteuid?

I found this trick to work on a 3rd party application that lets you log in without a password if a username exists in the system that matches the OS's username.

This trick however does not work, for example, when using ls trying to see the contents of a folder with permissions 700.

So is there a better way for applications to tell who is running them than to trust the value returned from getuid (as it can be overridden)? I'd like to report the problem to the application vendor with a suggested fix.

Thanks,
~Eric
 
Old 12-09-2011, 10:48 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by eric.frederich
Is it a security problem that I can trick applications into thinking I'm someone else by using LD_PRELOAD to load a library that overrides getuid and geteuid?
I'd say any mechanism that allows you to authenticate as someone you're not represents a security problem.

Quote:
Originally Posted by eric.frederich
So is there a better way for applications to tell who is running them than to trust the value returned from getuid (as it can be overridden)? I'd like to report the problem to the application vendor with a suggested fix.
At this point I'm mainly curious about why your "workaround" is effective on the third-party app only. Have you tried writing a simple program to confirm that getuid() and geteuid() are tricked in this way?
 
Old 12-09-2011, 11:03 AM   #3
MTK358
LQ 5k Club
 
Registered: Sep 2009
Posts: 6,443
Blog Entries: 3

Rep: Reputation: 713
Quote:
Originally Posted by eric.frederich
Is it a security problem that I can trick applications into thinking I'm someone else by using LD_PRELOAD to load a library that overrides getuid and geteuid?
I'm not sure what you mean. You can create a fake library that tells the application that it's running under a different user account, but that doesn't mean it's actually running under that account as far as the OS is concerned.
 
Old 12-09-2011, 11:12 AM   #4
eric.frederich
LQ Newbie
 
Registered: Mar 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie
At this point I'm mainly curious about why your "workaround" is effective on the third-party app only. Have you tried writing a simple program to confirm that getuid() and geteuid() are tricked in this way?
Sample program: test.c
Compile with gcc -o test test.c

Code:
#include <stdio.h>
#include <unistd.h>

int main(void){
    /* getuid() here is the libc wrapper, which an LD_PRELOAD library can replace */
    printf("Hello %d\n", getuid());
    return 0;
}
Wrapper: runas.sh
Compiles a library overriding getuid and geteuid, puts it in LD_PRELOAD, and then runs a command.
Example: ./runas.sh johndoe ./test

Code:
#!/bin/bash

THE_USER=$1
THE_UID=$(id -u "$THE_USER") || exit 1

echo "The User: $THE_USER"
echo "The UID : $THE_UID"

# Library that shadows the libc wrappers; FAKE_UID is supplied at compile time below
cat << 'EOF' > "/tmp/libbecome${THE_USER}.c"
#include <sys/types.h>

uid_t geteuid(void) {
   return FAKE_UID;
}

uid_t getuid(void) {
   return FAKE_UID;
}
EOF

gcc -DFAKE_UID="$THE_UID" -shared -fPIC -o "/tmp/libbecome${THE_USER}.so" "/tmp/libbecome${THE_USER}.c"
rm "/tmp/libbecome${THE_USER}.c"
export LD_PRELOAD="/tmp/libbecome${THE_USER}.so"

shift 1
"$@"   # run the remaining arguments as the command, preserving their quoting

rm "/tmp/libbecome${THE_USER}.so"
 
Old 12-09-2011, 11:15 AM   #5
eric.frederich
LQ Newbie
 
Registered: Mar 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by MTK358
I'm not sure what you mean. You can create a fake library that tells the application that it's running under a different user account, but that doesn't mean that's it's actually running under that account as far as the OS is concerned.
Exactly. This would be why I can't use this trick to run the ls command on a directory I don't have access to... because I'm not fooling the OS.

I am however, fooling the application and I'm wondering if there is a better way for the application to check the ID rather than just trusting the returned value of getuid.
 
Old 12-09-2011, 03:07 PM   #6
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242
Use syscall 24 directly ?
Code:
#include <stdio.h>

int main(void)
{
    int uid;

    /* Syscall 24 is getuid on 32-bit x86 Linux; entering the kernel with
       int 0x80 skips the libc wrapper, so an LD_PRELOAD override of
       getuid() never runs. eax is declared clobbered because the asm
       overwrites it. */
    __asm__ volatile ("mov $24, %%eax;"
        "int $0x80;"
        "movl %%eax, %0;"
        : "=r"(uid)
        :
        : "eax", "memory");

    printf("uid: %i\n", uid);
    return 0;
}

Last edited by Cedrik; 12-09-2011 at 03:10 PM.
 
Old 12-10-2011, 07:32 AM   #7
eric.frederich
LQ Newbie
 
Registered: Mar 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks Cedrik

That worked. I'm assuming this fix is for x86 Linux only?

Is it foolproof? Is there no way to override this syscall?
 
Old 12-10-2011, 07:43 AM   #8
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242
Yes, it's for x86 Linux only.
You could make a kernel module to fool syscalls, but it requires root privileges to insert a module.
 
Old 12-10-2011, 10:03 AM   #9
SigTerm
Member
 
Registered: Dec 2009
Distribution: Slackware 12.2
Posts: 379

Rep: Reputation: 233
Quote:
Originally Posted by Cedrik
Use syscall 24 directly ?
Good one. But isn't it still possible to bypass this by debugging the program being launched?
It looks like there are routines for attaching to a process, debugging it and modifying its memory.
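Added example, not code from anyone in this thread: a consistency check that asks the kernel directly, as Cedrik's syscall trick does, and compares the answer with what libc's getuid() says; a mismatch is the signature of an interposed getuid(). It goes slightly beyond post #6 by covering x86-64 (syscall instruction, SYS_getuid) as well as i386 (int 0x80, SYS_getuid32); raw_getuid and libc_getuid_is_consistent are names chosen here.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Ask the kernel for the real uid without going through libc, so an
 * LD_PRELOAD'ed getuid() is never called. Covers the two x86 ABIs the
 * thread discusses; on any other architecture it returns -1 ("not available"). */
static long raw_getuid(void)
{
    long ret;
#if defined(__x86_64__)
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_getuid)
                      : "rcx", "r11", "memory");
#elif defined(__i386__)
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"((long)SYS_getuid32)
                      : "memory");
#else
    ret = -1;
#endif
    return ret;
}

/* 1 when libc's getuid() agrees with the kernel (or no raw path exists here),
 * 0 when they disagree, which is what an interposed getuid() looks like. */
int libc_getuid_is_consistent(void)
{
    long kernel_uid = raw_getuid();
    if (kernel_uid < 0)
        return 1;
    return (long)getuid() == kernel_uid;
}

int main(void)
{
    printf("libc getuid(): %u, kernel: %ld\n", (unsigned)getuid(), raw_getuid());
    if (!libc_getuid_is_consistent()) {
        fprintf(stderr, "getuid() is being interposed; refusing to trust it\n");
        return 1;
    }
    return 0;
}
```

As SigTerm notes, a debugger attached to the process can still rewrite the result, so this only raises the bar against library interposition; the decision about who the user is should not be made inside the client at all.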
 
Old 12-10-2011, 11:08 AM   #10
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
You could also just run it in a VM. The app can always be fooled by just being able to obtain a copy of it. The OS can't without root/physical access.

Your app really need only trust what the OS/launch environment is telling it. If the binary itself contains some secret and a malicious user gets a copy of it to run so as to trick it to reveal the secret when running, they can also just extract the secret without usual execution. If it's an app that accesses some secret stored elsewhere, it's just a client, and you defer to server-side authentication.

Last edited by Proud; 12-10-2011 at 11:11 AM.
 
  

