C: IFS System() Vulnerability

Question

For educational reasons I have to exploit an C-Code

The Programm set the egid first, and then the vulnerability with the system("/usr/bin/..."); Command.

So I made an 'usr' executeable in my Home-Directory and set the Path to the Home PATH=$HOME:$PATH

And I want to change the IFS Variable in the bash to /: export IFS='/'

Unfortunatelly, when i call the C-Programm: my exploit doesn't work

Is anybody able to tell me what is wrong?

Answer 1

I suppose we are studying at the same university, because I am currently confronted with the same problem. I don't want to give you the whole solution, because that would be too easy =)

Your IFS variable is not ignored, but it doesn't work as you might think. When you call the C-Programm there is an additional output in the shell, which refers to the lesspipe. With the information in this link and this german link you are able to solve the challenge1 ;)

Answer 2

Add the IFS as part of your program's call to system(). System executes the code with /usr/bin/sh -c. So you can do similar to what you'd in the shell prompt.

system("export IFS='/'; /usr/bin/cmd");

Note that once the child process is terminated, the IFS set will no longer be available in the parent.