Real (U|G)ID vs Effective (U|G)ID

Background

In *nix systems the User Id Number (UID) and the Group Id Number (GID) are integers used for identifying uniquely users and groups.

Take a look at /etc/passwd and /etc/group files (follow the links for more details about these files):

simo@xps:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
simo:x:1000:1000:simo,,,:/home/simo:/bin/bas\h
debian-tor:x:121:133::/var/lib/tor:/bin/false

We can infer:

User UID GID (primary)
simo 1000 1000
debian-tor 121 133

Their counterparts in the group file:

simo@xps:~$ cat /etc/group
root:x:0:
[...]
simo:x:1000:
vboxusers:x:130:simo
debian-tor:x:133:

Moreover you can see that the user “simo” belong also to the “vboxusers” group.

Real (U|G)ID vs Effective (U|G)ID

Every running process has at least 4 ID numbers associated with it:

  • the Real UID (RUID) identifies the user who launched the process.
  • the Real GID (RGID) identifies the primary group of the user that launched the process.
  • the Effective UID (EUID) and the Effective GID (EGID) are used to determine what resources the process can access.

These information can be found programmatically:

simo@xps:~/example$ cat ids.c 
#include 
#include 
int main()
{
 uid_t real_uid = getuid();
 uid_t effect_uid = geteuid();
 gid_t real_gid = getgid();
 gid_t effect_gid = getegid();
 printf("ruid=%d euid=%d\n", real_uid, effect_uid);
 printf("rgid=%d egid=%d\n", real_gid, effect_gid);
}

Usually the various ID have the same value when you run a program, but sometimes happens that a computer system needs to run programs with temporarily elevated privileges in order to perform a specific task.

The setuid (set user id) is a permission bit, that allows the users to exec a program with the permissions of its owner.

The setgid (set group id) is a bit that allows the user to exec a program with the permissions of the group owner.

The s(u|g)id bit on executables only changes the E(U|G)ID the executable will run as, and not the real(U|G)ID.

Get my hands dirty for an example:

$ gcc -Wall ids.c -o example
$ sudo chown root.root example 
$ ls -l
total 16
-rw-rw-r-- 1 simo simo 294  gen 17 16:21 ids.c
-rwxrwxr-x 1 root root 8816 gen 17 16:28 example
$ ./example 
ruid=1000 euid=1000
rgid=1000 egid=1000
$ sudo chmod 6771 example 
$ ls -l
total 16
-rw-rw-r-- 1 simo simo 294 gen 17 16:21 ids.c
-rwsrws--x 1 root root 8816 gen 17 16:29 example
$ ./example 
ruid=1000 euid=0
rgid=1000 egid=0
  1. I compiled the example;
  2. I changed the owner and the group from “simo” to “root”;
  3. I ran the program and I got the same ids;
  4. I set the setuid and the setgid, look the red “s“;
  5. Ids changes accordingly!

Hint: in addition to the restriction on s(u|g)id interpreted scripts (any executable text file beginning with “#!”), some shells (like bash) as an extra safety measure will set the EUID back to the RUID; in this case, you will need to wrap the call to the script within a C program and setuid(…) before executing the script.

Setup a Linux ARM 32bit virtual machine

We will use QEMU, and if you are under a Debian based distro you can install it with:

sudo apt-get install qemu-system-arm

Download the following files from here:

  • debian_wheezy_armel_standard.qcow2
  • initrd.img-3.2.0-4-versatile
  • vmlinuz-3.2.0-4-versatile

In a nutshell, use this command:

qemu-system-arm -L Bios -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -m 256 -net nic -net user -redir tcp:2222::22

SSH is already installed, so you can reach the vm with:

ssh root@localhost -p 2222

With password “root”.

If you need a 64bit version I wrote another post.

 

How many bits are there in a Byte?

8. Yes, sometimes…

Whereas the bit is well defined:

  • A bit is the basic unit of information in computing and digital communications.
  • A bit can have only one of two values, and may therefore be physically implemented with a two-state device.
  • The values of a bit are most commonly represented as either a 0 or 1.

Instead the size of one Byte, as described in the Jargon file, is architecture-dependent and, more precisely, is a unit of memory or data equal to the amount used to represent one character. In the same link, or in the wiki page, is also explained that there were architecture with 6, 7, or 9 bits… or they operated on bit fields from 1 to 36!

Obviously is extremely convenient that, from the architecture/hardware prospective, a Byte is the smallest addressable unit of memory: for this reason every operation that involves data exchange between the CPU and the RAM is made with Byte sizes or its multiples (Word, Double Word and Quad Word).

We agree that the popularity of major commercial computing architectures has aided in the ubiquitous acceptance that a Byte is 8-bit size, but we must remember that it is only a standard (de facto).

You can see it by yourself. Compile and run this C code with gcc on your Linux machine:

#include<stdio.h>
#include<limits.h>

int main() {
    printf("%d Byte = %d bits\n", sizeof(char), __CHAR_BIT__);
    printf("%d Byte = %d bits\n", sizeof(int), sizeof(int)*__CHAR_BIT__);
    return 0;
}
/*
1 Byte = 8 bits
4 Byte = 32 bits
*/

More in depth we can see this program:

int main() {
    int n = 42;
    char buffer[64]; 
    return 0;
}

That become (compiled with gcc on a 32 bit machine without optimizations flags):

Dump of assembler code for function main:
0x08048394 <main+0>: push ebp
0x08048395 <main+1>: mov ebp,esp
0x08048397 <main+3>: sub esp,0x50
0x0804839a <main+6>: mov DWORD PTR [ebp-0x4],0x2a  ; 0x2a=42 
0x080483a1 <main+13>: mov eax,0x0
0x080483a6 <main+18>: leave 
0x080483a7 <main+19>: ret 
End of assembler dump.

It needs 4 Byte = 32 bit (Double Word) for the int and 64 Byte = 512 bit for the buffer, so the highlighted instruction means that the ESP is moved 0x50=80 addresses downwards.

0x10=16 addresses and 0x40=64 respectively.

But if  the smallest addressable unit of memory  (in this arch) is 8 bit this implies that for 32 bit we need also 4 addresses. So, why 16 addresses for an int? Alignment.

How to sniff HTTPS from Android app

Requirements

  1. Rooted device with ProxyDroid installed.
  2. “Computer” with Burp installed.

Let’s start

Launch Burp from your computer.

Proxy -> Options -> Proxy Listeners

Uncheck current “running” proxy, the Add a new Proxy Listener.

Choose:

  • Bind to port: 8080
  • Bind to address: All interfaces

Selection_010

From the button below, export CA certificate in DER format.

Now change the file extension into .cer and push it in a user-browsable folder on your device. E.g.: I connected the device to the computer and I used adb.

mv burpcert.der burpcert.cer
adb push burpcert.cer /sdcard/Download

While you’re there, take note of your ip address (in this example I’ll use 192.168.1.69).

Device configuration

Settings -> Security -> Install certificates from storage

Select the pushed .cer certificate (obviously), and give it a name.

You’ll be warned that your traffic  may be monitored (obviously).

Install ProxyDroid.

Configure:

  • Host: your pc address
  • Port: 8080
  • Proxy Type: HTTP (no HTTPS, I’m sure!)

I suggest to choose, under Feature Settings, the Individual Proxy configuration so that you can choose only the app of which do you want to sniff the traffic.

Enable Proxy Droid and enjoy.

Install tor on Ubuntu 15.10

From command line:

sudo gedit /etc/apt/sources.list.d/tor.list

in this file write those lines:

deb http://deb.torproject.org/torproject.org wily main
deb-src http://deb.torproject.org/torproject.org wily main

save, then run:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get install tor deb.torproject.org-keyring

Now you can find a folder named “tor-browser_en-US” in your home folder that contains the Tor Browser.

It comes with readily configured Tor and a browser patched for better anonymity.