http://www.ccs.neu.edu/course/csg254/ProblemSet-II.htm

9/21/07

Problem Set II

(Due at the beginning of class on 10/2/07)

CS G254/U645 Network Security

This problem set will be graded out of 40 points. It will count for 8% of your final grade.

This assignment will be done in teams of two students each. Once you have decided who you want to pair up with, email the TA (San Tan, tansan@ccs.neu.edu) with the names of your team members and he will assign you a team number and give you a password as well (it is the same password for Windows and Linux).

Each group owns two virtual machines: one is a preinstalled Windows 2003 Server OS, and the other one is a preinstalled Linux Fedora Core 4. Your Linux machine is called routerX (X is your group number), and the Windows machine is called serverX. Read the appendix for additional information.

How to connect to your Windows machine?

Use Windows Remote Desktop Connection (RDC). Groups 1-15 should use IP address 129.10.120.131; groups 16-30 should use IP address 129.10.120.132. The port number is 3800 + your group number.

Example: if you are in group 1 and have a Windows XP computer on hand, click Start → All Programs → Accessories → Communications → Remote Desktop Connection in sequence. In the popup window, type 129.10.120.131:3801; then click the Connect button. User name: Administrator.

NOTICE: LOG OFF serverX (the Windows virtual machine) before closing the RDC window. DO NOT turn on the firewall on serverX; otherwise you will be unable to log in the next time (if you do turn on the firewall then you need to open up the RDC port, TCP 3389). Each Windows 2003 server can support only 2 concurrent RDC sessions, because of a license limit. So if you close the RDC window without logging off serverX twice, then you are effectively locked out (DO NOT DO THIS). At that point you will need to contact the TA to reset the machine, which will not endear you to the TA.

How to connect to your Linux machine?

Use SSH. Groups 1-15 should use IP address 129.10.120.131; groups 16-30 should use IP address 129.10.120.132. The port number is 2200 + your group number.

Example: if you are in group 1, type ssh -l root -p 2201 129.10.120.131 in a Linux shell, or use SSH Secure Shell under Windows (Host name: 129.10.120.131; User name: root; Port number: 2201).

Submit the summary of what you did in the lab in the following format:

Task: Task1
Description: Description
Names: Names of students that worked on this task
Time: Time it took to finish the task
Problems: Problems (if any) encountered

Example:

…
Task: Linux HTTP server
Description: Setting up HTTP server on RedHat Linux: configuring web root, creating a welcome index.html page
Names: John Smith and Peter Wall
Time: 1 hour
Problems: could not see the correct index.html, but then fixed the problem

1) Microsoft Windows 2003 Server

a) Set up the web root on your machine. Put something on the index page of your HTTP server (like names of team members, class, etc.). Open up the web browser and make sure that the HTTP server is running and displays the correct index page. [5]

b) Set up your FTP server: create a user name, set a password and the ftp root directory, make sure it is set to restart on reboot, etc. [5]

2) Linux

a) Apache Web Server is preinstalled on your Linux machine. Check the configuration file (/etc/httpd/conf/httpd.conf). Set up the web root on your machine. Put something on the index page of your HTTP server (like names of team members, class, etc.). Open up the web browser and make sure that the HTTP server is running and displays the correct index page. Make sure it is set to restart on reboot. [5]

b) Go to www.ccs.neu.edu/course/csg254/local/linuxvm/vsftpd-2.0.3-1.i386.rpm and download the rpm using the lwp-download command, then install it (rpm -Uvh vsftpd-2.0.3-1.i386.rpm). Set up your FTP server: create a user name, set a password and the ftp root directory, make sure it is set to restart on reboot, etc. [5]

TIPS: the service/process names of http and ftp are httpd and vsftpd respectively.

TIPS: To test that your ftp/web servers are working fine, you can

1. test the Linux web/ftp servers from your Windows machine, and

2. test the Windows web/ftp servers (since the Linux machine does not have X Windows) by logging into and testing from server1 (groups 1-15) or server30 (groups 16-30) with account name groupX (the password is the same as you use to access your router/server). But remember that only two RDC sessions are allowed at the same time. If you are unable to connect to server1 (or server30) after repeated attempts then let the TA know.

3) Buffer Overflow Continued

You will do this assignment on routerX, Linux Fedora Core 4.

a) Login as root and create a user. Then, login as the user and create a file, lowercase.c (from Problem 4 of Problem Set I). Compile the program (using gcc -g -o lowercase lowercase.c), then run it and find an input string that will make the program crash. Run a debugger (gdb for example) and run the program to the point just before the crash. Find the memory address of the buf variable (print &buf). Now run the program to completion with the input that causes it to crash. Find out the current value of the registers (info registers). Can you overwrite the value of some registers? Explain the purpose of each register that you can overwrite. Please include snippets of your debugging output with explanations. [4]

b) Change the owner of the executable lowercase to root using chown. You need to login as root to do so. You can login to root from the user's shell using the su command. After changing the owner of the executable file "lowercase", execute the command

chmod u+s lowercase

Come out of root's shell.

What permissions do you see for this executable now? Why would such permissions be needed? (see note below for help) [4]

c) Change the files /proc/sys/kernel/randomize_va_space and /proc/sys/kernel/exec-shield and put 0 in them. You may use echo 0 > filename to do this. Again you will need to login as root to do this. Use the su command. Come out of root's shell after setting the values. This is to disable stack protection. Note that if your system is ever rebooted, the stack protections will be re-enabled by default. You will need to disable them again.

Look at the code of exploit3.c described in the article from Problem Set I. Make sure that you understand what is going on. Compile this code (gcc -g -o exploit exploit.c) and see if you can use it to gain a shell with root privileges. What parameters can you play with? [4]

d) Please include the code for your exploit (even if unmodified) with a comment on each line of what the instruction on that line is supposed to do. [4]

e) Describe how you would make the code from lowercase.c secure against buffer overflow attacks. What is the danger of installing any code as suid root? Would the code, lowercase.c, referred to in part a) above need high privileges? Give an example where an application has to have such privileges. Describe a possible solution to securing your system against buffer overflow attacks. [4]
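As an added illustration for part e), not part of the assignment and not the lowercase.c from Problem Set I (which is not reproduced here): an unbounded strcpy into a fixed stack buffer, the pattern this kind of exercise targets, beside a bounded version that rejects input that does not fit. The function names, BUF_SIZE and the sample strings are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed buffer size; the assignment's file may differ */

/* Unsafe pattern assumed to resemble lowercase.c (that file is not on this page):
 * the input length is never checked, so anything longer than BUF_SIZE-1 bytes
 * runs past buf into whatever the compiler placed above it on the stack
 * (on x86 the saved frame pointer and the return address). */
void lowercase_unsafe(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                   /* unbounded copy: the overflow */
    for (size_t i = 0; buf[i] != '\0'; i++)
        buf[i] = (char)tolower((unsigned char)buf[i]);
    puts(buf);
}

/* Hardened version: the caller passes the destination size, the length is
 * measured without reading past dst_size bytes, and input that does not fit
 * is rejected outright instead of being copied or silently truncated.
 * Returns 0 on success, -1 if the input would overflow dst. */
int lowercase_safe(char *dst, size_t dst_size, const char *input)
{
    size_t len = 0;
    while (len < dst_size && input[len] != '\0')
        len++;
    if (dst_size == 0 || len >= dst_size)  /* no room for the terminator */
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)input[i]);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char out[BUF_SIZE];
    lowercase_unsafe("Short Input");      /* fine while input is short */
    if (lowercase_safe(out, sizeof out, "Hello, World") == 0)
        puts(out);                        /* prints: hello, world */
    /* A 40-byte argument is refused instead of smashing the stack. */
    if (lowercase_safe(out, sizeof out,
                       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") != 0)
        puts("input too long: rejected");
    return 0;
}
```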

 

(Just for fun you can try the same exploit on a different, i.e. later than Fedora Core 4, Linux system and see what results you get there.)

Note: On UNIX systems, a SUID (Set User ID) file will run with the privileges of the file's owner and not with the privileges of the user who is actually executing the file. For example, the passwd command allows users to change their passwords, thus it has to have write access to the system password file (/etc/passwd on most systems). This file should only be modified by privileged users. Look at the file permissions of /usr/bin/passwd on a Unix system:

ls -all /usr/bin | grep "passwd"

You will see something like:

-r-sr-sr-x  1 root  root 21964 Dec 6 00:11 passwd

The 's' in place of 'x' in the user permissions tells you that this file is SUID. If an unprivileged user executes this file it will run with root privileges. To give your program such permissions, as a superuser compile it and do:

chmod u+s myexecutable

APPENDIX: What the internal network looks like

For safety, the gateway enforces some forwarding rules. For example, you cannot ssh to denali.ccs.neu.edu from your Linux machine. But HTTP/SSL works fine. 129.10.120.131/132 is not the IP address of your machines; it's the external IP address of the gateway. The gateway maps different ports of 129.10.120.131/132 to different internal machines.

Each group (X) owns a small network (10.0.X.0/24). Your Linux machine is called routerX, and your Windows machine is called serverX. The domain name is nslab.ccs.neu.edu.

For example, the Linux machine of group 1 is called router1.nslab.ccs.neu.edu, and the Windows machine of group 1 is server1.nslab.ccs.neu.edu. The gateway implements simple DNS so you should be able to do, e.g., ping server1.nslab.neu.edu once inside your network.

Notice: machines owned by groups 1-15 form one intranet, and machines owned by groups 16-30 are in another intranet. Because the gateway won't route packets between the two intranets, machines of groups 1-15 cannot see the machines of groups 16-60 and vice versa.

TIPS: use the route command on your router to display the routing table.