Lab: PwnKit

Goal

Step 3: Technical Background.

• Pwnkit exploits a programming error in the polkit authorization manager package.
  • Read the first few paragraphs of the manual for polkit. man polkit.
  • This is a sort of graphical equivalence of the sudo command.
  • The command that is exploited is pkexec
  • Read the first part of the man page for this program.
• Try pkexec
  • As alice type pkexec /bin/bash
  • This will ask for Bob's password (bob)
  • The program will start a shell as root.
  • Convince yourself that this is a root shell.
  • Log out.
• When everything works correctly, you are required to provide the password of an authorized user to run a program as root using pkexec
• We need to learn a little more about programs.
• Command line arguments.
  • Parameters can be passed to C/C++ program's main function.
    • The first is an int normally called argc.
      • This stands for augment count.
      • This is supposed to be the number of command line arguments passed.
      • It is normally at least one as the name of the program is usually passed as the first argument.
    • The second is an array of c-style strings.
      • The type is char * []
      • It is sometimes written as char **
      • It is normally called argv, argument value.
    • A third parameter is the environment
      • We will work with the environment in the future.
      • For now, this is also an array of strings.
      • And is usually written as char * envp[]
  • Change into Alice's pwnkit directory.
  • Look at the program args.cpp
    • Notice that it prints out both argc and the values of argv.
    • If you want, uncomment the last part of the code and it will print the environment as well.
    • Run this code several ways
      • ./args
      • ./args hello world
      • ./args 1 2 3 4 5 6 7
    • Play with this until you understand what is happening.
• To understand the next portions we need to understand two parts of the c interface to the kernel.
  • The system command allows a program to execute (or run) another program.
    • int system(const char * command);
    • Look at systemDemo.cpp in Alice's pwnkit directory.
      • Notice on the first line it runs the command hostname
        • This command just prints out the hostname of the machine.
        • Try it (hostname)
      • The second line runs two commands.
        • This is permitted. The semicolon (;) serves as a delimiter.
        • Again try it ( whoami; id)
      • Compile and run the systemDemo program
        • make
        • ./systemDemo
      • Convince yourself that it performs as expected.
      • Note, that when system completes, it returns control to the calling program.
    • The execve(char * fuilename, char * argv[], char * envp[])
      • This is another way to execute a program from c++ code.
      • This allows the programmer to specify the arguments and environment.
        • These are both usually in the form of an array of strings.
      • When excve runs, the calling program is replaced with the called program.
      • Take a look at execDemo.c
        • I switched to C just to make this easier to code.
        • But the code should be relatively clear.
        • This will run the args program from before.
        • With a set of arguments, and an environment.
        • Compile this and run it (make; ./execDemo)
        • Change the declaration of myArgs, recompile and run again.
      • Convince yourself that execDemo and execve does what you expect.