Thursday, March 31, 2011

Linux and SETUID (SETGID, Sticky bit)

Every file in Linux has read, write and execute rights for the owner, group and others. Besides those attributes there are 3 extra attributes setuid, setgid and sticky bit.
1) The setuid attribute is meaningful for executable files. If this bit is set then the user ID would be set as that of the owner of executable rather than the current user. For example the sudo tool owner is root and the setuid bit is set on, and when another user run this program, it will be executed as root. If set off the setuid attribute, then the sudo tool will not work, because it will run as a normal user without root permissions.

 2) Setgid attribute is the analog to setuid, but for group ID.

3) In Linux sticky bit is meaningful for directories only(in old *nix systems it had another meaning also). If this bit is enabled on directory then the files in that directory may only be deleted or renamed by root or by their owner.

One more sample related to setuid

Tuesday, March 29, 2011

Arduino and Servo motors

Arduino has a Servo library which allows to control servo motors. Today we will use the following small servo motor and write a program, which read a angle value from Serial port and rotate servo motor according to it.
This is the source code of program

Compile and upload above code to Arduino, then connect control pin(gray wire) of Servo motor to Arduino pin 11, connect black wire to Gnd of Arduino and red wire to +5V. This is how it looks:

And this is a video demonstration of moving Servo 0 -> 90 -> 180 -> 0 -> 90:
video

Monday, March 28, 2011

Security bug in Ubuntu 10.10

Yes, Ubuntu also has security bugs. But this one can be used in the last steps of attacking. There are some requirements for this code to work. Attacker need to find a vulnerability in a process and run a shellcode and if that executable has CAP_SYS_ADMIN capability, then using this bug it can get root privileges.

To run this exploit download source from http://www.exploit-db.com/download/15944 and do the following steps:

How many G my car can pull?

In the previous article we study how to work with ADXL335 accelerometer. Today we will use it to measure car's acceleration. This is a sample program which get the values from sensor and send them through serial port to the computer. It measures every 20ms and do it 1000 times.

Now lets connect ADXL335 to the Arduino and then compile and upload the above code.
Sensor placed in such way that Z axis is directed to front of car.(You can see it in the picture, on top of red box).

I run the program, type something and press enter in the Serial Monitor and then drive as fast as possible and then brake the car. Copy the values to the Google Docs Spreadsheet and create a chart for the values of Z axis (in which direction the acceleration occurs). But before creating charts lets understand how those numbers map to the real acceleration values in g. The Z axis can be directed downward and measure value (+1g), then direct it upward and measure again(-1g) and taking account that the measured values dependance on acceleration is linear, calculate which value correspond to 0g and which interval correspond to 1g interval. I get following results (approximate results)
    0g --  355
    1g interval -- 70 interval
The measured values also contain a lot of noise, so we need to filter out them.

This is unfiltered chart: Z_i


This is filtered and converted to G chart: ((Z_i + Z_i+1) /2 - 355) / 70


This is filtered(another filter) and converted to G chart: ((Z_i + Z_i+1 + Z_i+2) / 3  - 355) / 705

In the above chart you can see the shift of gear from 1 to 2 and then brake. After car stops and acceleration is 0.

Friday, March 25, 2011

ASLR and Linux personality syscall

In the previous article we talk about ASLR and how to disable it. There was a way to disable ASLR for a single process using setarch command. Now we are going to understand how setarch command do that. Lets use strace command to trace all system calls of setarch command with and without -R option

There are a lot of differences, because of the ASLR: In the log there are a lot memory addresses and they will be different. Now lets disable it for all processes and then do above steps again to filter out memory differences.
Now we see that there is a system call named personality. It is difficult to understand from the man personality what this syscall actually do. So we can get a information from include file of personality syscall(in case of Ubuntu 10.10 it located at /usr/include/sys/personality.h). Here it is:
There is enum ADDR_NO_RANDOMIZE equal to 0x0040000 which passed in as an argument in personality in above difference logs. So we understand that we can disable the process's ASLR by calling personality syscall with ADDR_NO_RANDOMIZE argument. Lets modify the program from previous article and check is this works.
Enable ASLR by echo 2 | sudo tee /proc/sys/kernel/randomize_va_space. Run above code twice and when they wait for input, dump the memory maps (get pid from htop and then cat /proc/pid/maps) and compare them: it works, the maps are the same. You can also comment out the line containing personality and get different memory maps.

Address space layout randomization (ASLR)

ASLR is a technique which randomly arranges the libraries, heap, stack and other pages in the memory in random positions. This technique designed for standing against security attacks. If the ASLR is disabled, the memory addresses of libraries and the stack are predefined, so the vulnerable codes(shellcodes) can use these information and directly call library functions. To check if the ASLR is enabled in the system we can run some program twice and compare memory maps.

The memory positions are different, that means the ASLR is enabled. From the debugging point of view it sometimes distrurbs and we need to disable it. There are 2 ways(known to me) to disable ASLR.
1) Disable ASLR using setarch command


2) Disable ASLR for entire system

Thursday, March 24, 2011

ptrace -- Linux system call

In the previous article the strace command observed, today we are going to understand how the strace tool works and write a simple system tracer program to trace system calls of ls program.
At first let strace the ls program
    strace -o ls.strace ls

To know which system calls the strace uses lets run it on itself. 
    strace -o strace.strace strace ls

As we can see the strace use a lot of system calls, but the one of them (ptrace) appears a lot in the log. The ptrace provides a means to get information from the child process (see man ptrace).The following simple program uses the ptrace to trace system calls of ls program



We also need to know the names of system calls by their syscall number. We can extract that information from the sources of strace. The file "strace-4.6/linux/x86_64/syscallent.h" contains the information that we need, we can parse it and get the list of system calls arranged by syscall number (see the instructions in the sources).

Wednesday, March 16, 2011

Strace -- tool for system call tracing

For tracing system calls of a program, there is a "strace" command in Linux. This program comes with the most of Linux distributions. If it is not present in your system, you can download it from http://sourceforge.net/projects/strace/, build and install.
Lets try run the hcidump and see which system calls it use:
    sudo strace -o output hcidump -i hci0
Do some bluetooth related things(search a device) and see the output file

As we can see, hcidump uses socket related system calls(socket, bind, recvmsg and etc...) for getting bluetooth data, ioctl system call(for controlling bluetooth device), write system call (guess why :-) ), poll system call (which used for waiting for a socket IO events).
There is "-e trace=" option, which trace only specified set of system calls, for example
    sudo strace -o output -e trace=socket,write,poll hcidump -i hci0
will trace only system calls socket, write and poll.

And at last there is a good syntax highlighter in the "vim" for strace's output
(In the case if vim doesn't automatically enable it -- :setf strace).

Sunday, March 6, 2011

Bug in hcidump

Try to run the following command:
  $ sudo hcidump -i aaa
Instead of giving an error that there is no device with a name "aaa", hcidump uses the "hci0" device. The first thing that comes to mind is maybe hcidump uses "hci0" device by default if the specified device not found, but when I try to run the following:
  $ sudo hcidump -i aaa123
It gives an error:
  Can't open device: No such device
So what is the reason of such behavior. To find out it, I review the argument parsing part of the source code (as hcidump is open source) and find out the following.
To download the source code of hcidump (version 1.42, used in Ubuntu 10.10) 
  $ git clone git://git.kernel.org/pub/scm/bluetooth/bluez-hcidump.git  # get the sources
  $ git checkout -b new 1.42                                    # get the version 1.42

The code of input arguments parsing is located in file "src/hcidump.c" starting at line 1002. The device name's parsing code is located between 1004 1010 lines:


As you can see the reason of the unusual behavior is in the following line:
    device = atoi(optarg + 3);
which didn't check the correctness of input (work for "hci[0-9]" like names only).

Thursday, March 3, 2011

How to build the latest hcidump.

In the previous article the "hcidump" was used for dumping bluetooth protocol packets. The binary package of "hcidump" is exists for Ubuntu and other widespread Linux distribution, but what about other distributions. For them we need to compile and install it from sources. So the following instructions will be useful:

1)Download the source code from the official site or checkout sources from repository. We will choose the second one, because it contains the latest patches and changes (sometime new bugs :( also ). "hcidump" uses Git source control system, so the git package is needed (Ubuntu: sudo apt-get install git). To check-out the sources run the following
$git clone git://git.kernel.org/pub/scm/bluetooth/bluez-hcidump.git

2)Enter "bluez-hcidump" directory. Now you need to configure the sources and then build them. It uses GNU build system, so we need to follow standard steps.
GNU build system(source: Wikipedia).
Before compiling ensure that you have the latest "BlueZ" library installed.
Steps: 
$ aclocal                                     # Generate "aclocal.m4" file
$ autoheader                              # Generate "config.h.in"
$ autoconf                                  # Generate "configre" file
$ automake --add-missing          # Generate "Makefile.in" file and add missing files
$ ./configure                               # Configure
$ make                                        # Build hcidump
$ make install                             # Install

Now you have the latest hcidump tool.