Question

I am referring to the following article to learn about symbolic link attacks:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

int main(int argc, char *argv[])
{
    struct stat st;
    FILE *fp;

    if (argc != 3) {
        fprintf(stderr, "usage : %s file message\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* All three checks below are made on the path name, not on an open file */
    if (stat(argv[1], &st) < 0) {
        fprintf(stderr, "can't find %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    if (st.st_uid != getuid()) {
        fprintf(stderr, "not the owner of %s \n", argv[1]);
        exit(EXIT_FAILURE);
    }

    if (!S_ISREG(st.st_mode)) {
        fprintf(stderr, "%s is not a normal file\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* The window between the checks above and the open below: the name can be
     * replaced by a symlink while the program sleeps */
    sleep(25);

    /* fopen() resolves the name a second time and follows a symlink planted meanwhile */
    if ((fp = fopen(argv[1], "w")) == NULL) {
        fprintf(stderr, "Can't open\n");
        exit(EXIT_FAILURE);
    }

    fprintf(fp, "%s\n", argv[2]);
    fclose(fp);
    fprintf(stderr, "Write Ok\n");
    exit(EXIT_SUCCESS);
}

Now, while the program sleeps, I rm argv[1] (from another terminal), which is the file name, and then create a symbolic link with that same name. When I execute it as the article says, I am writing to the file the link points to.

Then I used strace, passing the same arguments, and it gives me "can't open", which means that I don't have access to the file passed as argv[1]. But this is not the case when I execute it normally; how is strace detecting this? Any help is very valuable.

I am writing my own application using ptrace to detect such attacks. I tried using inode numbers to detect this, but my application is still referring to the inode number of the file which I am passing.
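The race in the posted program exists because the checks (stat(), owner, S_ISREG) are made on the path name, and fopen() then resolves that name a second time. The hardened version below is an added example written for this page, not code from the article or from the asker: it opens the file first with O_NOFOLLOW, repeats the same checks on the open descriptor with fstat(), and writes through that descriptor, so the inode that was checked is the inode that gets written. The names safe_write, demo_regular_file and demo_symlink_refused, and the scratch files under /tmp, are my own choices; the two demo helpers are constructed fixtures that show the honest case succeeding and a symlink at the name being refused with ELOOP.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome codes, so the caller can tell which check refused the write. */
enum safe_write_status {
    SW_OK = 0,
    SW_OPEN_FAILED,   /* open()/fstat() failed; errno == ELOOP means a symlink was refused */
    SW_NOT_OWNER,     /* inode is not owned by the real uid */
    SW_NOT_REGULAR,   /* not a regular file (device, FIFO, ...) */
    SW_WRITE_FAILED
};

/* Write msg plus a newline to path, but only if path is a regular file owned
 * by the real uid. Unlike stat()-then-fopen(), the file is opened first and
 * every check runs on the open descriptor, so there is no window in which
 * the name can be repointed. O_NOFOLLOW makes open() fail with ELOOP when
 * the final path component is a symlink; truncation is deferred until the
 * checks have passed, so a rejected file is never modified. */
int safe_write(const char *path, const char *msg)
{
    struct stat st;
    int status = SW_OK;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return SW_OPEN_FAILED;            /* errno carries the reason, e.g. ELOOP */
    if (fstat(fd, &st) < 0)
        status = SW_OPEN_FAILED;
    else if (st.st_uid != getuid())
        status = SW_NOT_OWNER;            /* checked on the inode we hold, not the name */
    else if (!S_ISREG(st.st_mode))
        status = SW_NOT_REGULAR;
    else if (ftruncate(fd, 0) < 0 || dprintf(fd, "%s\n", msg) < 0)
        status = SW_WRITE_FAILED;
    close(fd);
    return status;
}

/* Honest case (constructed fixture): a temp file we own is written through
 * safe_write(); returns 1 when the content reads back as "hello\n". */
int demo_regular_file(void)
{
    char target[] = "/tmp/safe_write_XXXXXX", buf[16] = {0};
    int fd = mkstemp(target), ok = 0;
    if (fd < 0)
        return 0;
    close(fd);
    if (safe_write(target, "hello") == SW_OK && (fd = open(target, O_RDONLY)) >= 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        ok = (n == 6 && strcmp(buf, "hello\n") == 0);
    }
    unlink(target);
    return ok;
}

/* Symlink case (constructed fixture): a link planted at the name is refused.
 * Returns the errno left by open(), which is ELOOP for the O_NOFOLLOW refusal. */
int demo_symlink_refused(void)
{
    char target[] = "/tmp/safe_write_XXXXXX", lnk[40];
    int fd = mkstemp(target), err = 0;
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", target);
    if (symlink(target, lnk) == 0) {
        if (safe_write(lnk, "via link") == SW_OPEN_FAILED)
            err = errno;
        unlink(lnk);
    }
    unlink(target);
    return err;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage : %s file message\n", argv[0]);
        return EXIT_FAILURE;
    }
    int rc = safe_write(argv[1], argv[2]);
    if (rc != SW_OK) {
        fprintf(stderr, "refused (status %d): %s\n", rc, strerror(errno));
        return EXIT_FAILURE;
    }
    fprintf(stderr, "Write Ok\n");
    return EXIT_SUCCESS;
}
```

Two caveats for anyone adapting this: O_NOFOLLOW only guards the final path component, so a symlink in a parent directory is still followed and the directory itself must be one the other user cannot alter; and a hard link to someone else's file is not a symlink, which is why the owner check on fstat() is kept rather than relying on O_NOFOLLOW alone.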


Solution

As discussed above, the binary was started with a suid flag (chmod u+s a.out). Since strace needs to watch the process, and can't do that if it's running as some other user, it will silently ignore s-bits.

Solution: In the shell window where the program is run, use the login/user-id that would be used without strace – given that you just did chmod u+s a.out as that user, it should be a safe assumption that you can log in under that account.

For completeness: To change your user id for a single shell window, just use su - otherlogin, replacing otherlogin with the login name. (su = "switch user")

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow