$2\mathrm{.}6$ Task $6$: The PATHEnvironment Variable and Set$-$UID Programs

Because of the shell program invoked, calling system$()$ within a Set$-$UID program is quite dangerous.

This is because the actual behavior of the shell program can be affected by environment variables, such as

PATH; these environment variables are provided by the user, who may be malicious. By changing these

variables, malicious users can control the behavior of the Set$-$UID program. In Bash, you can change

the PATH environment variable in the following way $($this example adds the directory $/$home$/$seed to the

beginning of the PATH environment variable$)$:

$ export PATH$=/$home$/$seed:$PATH

The Set$-$UID program below is supposed to execute the $/$bin$/$ls command; however, the program

mer only uses the relative path for the ls command, rather than the absolute path:

int main$()$

$\{$

system$("$ls$")$;

return $0$;

$\}$

Please compile the above program, change its owner to root, and make it a Set$-$UID program. Can

you get this Set$-$UID program to run your own malicious code, instead of $/$bin$/$ls$?$ If you can, is your

malicious code running with the root privilege? Describe and explain your observations.

Note: The system$($cmd$)$ function executes the $/$bin$/$sh program first, and then asks this shell pro

gram to run the cmd command. In Ubuntu $20\mathrm{.}04($and several versions before$),/$bin$/$sh is actually a

symbolic link pointing to $/$bin$/$dash$.$ This shell program has a countermeasure that prevents itself from

being executed in a Set$-$UID process. Basically, if dash detects that it is executed in a Set$-$UID process,

it immediately changes the effective user ID to the process$$s real user ID$,$ essentially dropping the privilege.

Since our victim program is a Set$-$UID program, the countermeasure in $/$bin$/$dash can prevent our

attack. To see how our attack works without such a countermeasure, we will link $/$bin$/$sh to another shell

that does not have such a countermeasure. We have installed a shell program called zsh in our Ubuntu

$20\mathrm{.}04$ VM$.$ We use the following commands to link $/$bin$/$sh to $/$bin$/$zsh:

$ sudo ln$-$sf $/$bin$/$zsh $/$bin$/$sh