ENVIRONMENT VARS

Environment variables are an additional, easily overlooked, way for a user to feed input into a program. Because they are set by whoever launches the process, they are attacker-controlled input and matter for buffer overflow vulnerabilities just as much as argv, stdin, files or network data.

Environment variables are name=value strings carried in each process's environment: a child process inherits its parent's environment, and any program can read them (getenv()) or change them for itself and its children (setenv()/export). They configure many aspects of the system (search paths, temp directories, locale, library loading), and - the security-relevant point - anyone who can launch a program can set them to arbitrary content and arbitrary length before it starts.

#WINDOWS
PS C:\> Get-ChildItem Env:
 Name                           Value
 ----                           -----
 ALLUSERSPROFILE                C:\ProgramData
 APPDATA                        C:\Users\1404260789.MIL\AppData\Roaming
 CommonProgramFiles             C:\Program Files\Common Files
 CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
 CommonProgramW6432             C:\Program Files\Common Files
 COMPUTERNAME                   EISEW3U216NB102
 ComSpec                        C:\WINDOWS\system32\cmd.exe
 DEFLOGDIR                      C:\ProgramData\McAfee\Endpoint Security\Logs
 DriverData                     C:\Windows\System32\Drivers\DriverData
 EFC_3592                       1
 HOMEDRIVE                      C:
 HOMEPATH                       \Users\1404260789.MIL
 LOCALAPPDATA                   C:\Users\1404260789.MIL\AppData\Local
 LOGONSERVER                    \\EISEW3U216NB102
 NUMBER_OF_PROCESSORS           12
 OneDrive                       C:\Users\1404260789.MIL\OneDrive - US Army
 OneDriveCommercial             C:\Users\1404260789.MIL\OneDrive - US Army
 OS                             Windows_NT
 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPo...
 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
 PROCESSOR_ARCHITECTURE         AMD64
 PROCESSOR_IDENTIFIER           Intel64 Family 6 Model 186 Stepping 3, GenuineIntel
 PROCESSOR_LEVEL                6
 PROCESSOR_REVISION             ba03
 ProgramData                    C:\ProgramData
 ProgramFiles                   C:\Program Files
 ProgramFiles(x86)              C:\Program Files (x86)
 ProgramW6432                   C:\Program Files
 PSModulePath                   C:\Users\1404260789.MIL\OneDrive - US Army\Documents\WindowsPowerShell\Modules;C:\Pro...
 PUBLIC                         C:\Users\Public
 SESSIONNAME                    Console
 SystemDrive                    C:
 SystemRoot                     C:\WINDOWS
 TEMP                           C:\Users\140426~1.MIL\AppData\Local\Temp
 TMP                            C:\Users\140426~1.MIL\AppData\Local\Temp
 USERDNSDOMAIN                  ecuf.ds.deas.mil
 USERDOMAIN                     ECUF
 USERDOMAIN_ROAMINGPROFILE      ECUF
 USERNAME                       1404260789.MIL
 USERPROFILE                    C:\Users\1404260789.MIL
 windir                         C:\WINDOWS
 ZES_ENABLE_SYSMAN              1

#modification (PowerShell): `$env:SRE = 'AAAA'` sets or overwrites a variable for the current session and the processes it launches; `Remove-Item Env:SRE` removes it. Persisting a change beyond the session needs [Environment]::SetEnvironmentVariable(name, value, 'User'|'Machine').


#LINUX
remnux@remnux:~$ printenv
 ...
 
 * display environment variables
 
remnux@remnux:~$ printenv HOME
 /home/remnux
 
 
#source


remnux@remnux:~$ nano 31_env_var.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 int main(void)
 {
   char buffer[20];                        //fixed 20-byte stack buffer for the value of HOME (room for 19 characters plus the NUL terminator)
   strcpy(buffer, getenv("HOME"));         //DELIBERATE BUG (the lesson): strcpy copies until NUL with no regard for sizeof buffer, so a HOME value of
                                           //20+ characters overflows the stack frame. Also: getenv() returns NULL when HOME is unset, and strcpy(buffer, NULL)
                                           //is undefined behaviour - that crash is unrelated to the overflow being demonstrated
   printf("HOME = %s\n", buffer);          //print out the (possibly corrupted/unterminated) value; main falls off the end and returns 0 per C99
 }
 
 * strcpy is a vulnerable function: it copies until it finds a NUL terminator and never looks at the size of the destination. buffer is 20 bytes, so a HOME value of 20 or more characters (19 characters plus the terminating NUL already fill it) writes past the end of buffer into the rest of the stack frame. Note that getenv() returns NULL when HOME is unset; strcpy then crashes for an unrelated reason, so "unset HOME" is not the overflow.
 * if the build on your distro prints "*** stack smashing detected ***" instead of a plain segfault, gcc enabled -fstack-protector by default; add -fno-stack-protector to the gcc line below to see the unguarded behaviour.

remnux@remnux:~$ gcc -g -m32 31_env_var.c -o 31_env_var.out

#
remnux@remnux:~$ ./31_env_var.out
 HOME = /home/remnux
 
 * the program reads an environment variable that anyone launching it can set, and copies it into a fixed-size stack buffer without checking its length
    - that combination (untrusted input + unbounded copy) is the flaw; merely reading the environment is not
    

#use WinDbg, Ghidra and GDB to dissect the application
#01.identify any vulnerable functions


#tracking getenv() value
remnux@remnux:~$ ./31_env_var.out
 HOME = /home/remnux
 
remnux@remnux:~$ SRE=AAAA
remnux@remnux:~$ export SRE
remnux@remnux:~$ printenv
 ...
 SRE=AAAA

remnux@remnux:~$ printenv SRE
 AAAA

#changing HOME env
remnux@remnux:~$ HOME=AAAABBBBCCCCDDDDEEEE
remnux@remnux:~$ printenv HOME
AAAABBBBCCCCDDDDEEEE
remnux@remnux:~$ ./31_env_var.out
 HOME = AAAABBBBCCCCDDDDEEEE
 Segmentation fault (core dumped)

remnux@remnux:~$ gdb ./31_env_var.out
gef> info func
 File 31_env_var.c
 7:    int main(void);
 
 Non-debugging symbols:
 ....
 0x00001040  strcpy@plt             //unbounded copy - this is the vulnerable sink
 0x00001050  getenv@plt             //reads the process environment, which the user/attacker who launched the program fully controls - this is the untrusted source
 
gef> b *main
gef> b *getenv
gef> r
 
 * this runs the program and stops at the 1st breakpoint - main()
  
gef> d

 * disassemble, identify and analyze the call (working backwards from the call up the stack frame)
    a.identified 0x565561e0 <+39>:  call  0x56556050 <getenv@plt>
    b.identified 0x565561df <+38>:  push  eax
       - getenv() takes one parameter, the NAME of the variable to look up; under the 32-bit cdecl convention it is pushed on the stack right before the call
          - so at this point eax holds a pointer to the name ("HOME"), not the value; the value is getenv()'s return, delivered in eax after the call
    c.identified 0x565561d9 <+32>:  lea   eax, [ebx-0x1ff8]
       - this loads the address of the string literal "HOME" (32-bit position-independent code reaches its own read-only data relative to ebx)

#inspect the value in eax just before it is pushed as getenv()'s argument
#this is done by setting a breakpoint on the "push eax" instruction that precedes the call to getenv()
gef> d
 ...
 0x565561d9 <+32>:  lea   eax, [ebx-0x1ff8]
 0x565561df <+38>:  push  eax
 0x565561e0 <+39>:  call  0x56556050 <getenv@plt>
gef> b *0x565561df
gef> c
 ...
 REGISTER SECTION
 $eax  :  0x56557008 -> "HOME"                <----- this is the value that the address points to


 * continuing execution will stop at the specified breakpoint right before the call to getenv

#verify
gef> x /s $eax
 0x56557008: "HOME"
 
 * this is how you track down which environment variable a program looks up: break just before the call and read its argument
    - the same technique works for any call: break on a strcmp()/memcmp() that checks a hard-coded PIN or password and x/s the pointer arguments to recover the value being compared
 
gef> clear

 * `clear` with no argument deletes the breakpoint(s) set at the current stop location - here breakpoint 3 at 0x565561df; `delete 3` would remove it by number instead
#tracking strcpy() value
gef> d
 ...
 0x565561eb <+50>:  push eax                          //first push = second argument of strcpy: the SOURCE pointer. eax here should still hold getenv()'s return value,
                                                      //i.e. the attacker-controlled HOME string (confirm with x/s $eax at a breakpoint on this instruction)
                                                      //cdecl pushes arguments right-to-left, which is why this push (not the next one) is the src
 0x565561ec <+51>:  lea  eax, [ebp-0x1c]
 0x565561ef <+54>:  push  eax                         //second push = first argument: the DESTINATION, buffer at ebp-0x1c, 28 bytes below the saved ebp
                                                      //(20 bytes of buffer, then 8 bytes of padding/saved register or canary depending on build flags, then saved ebp and the return address)
 0x565561f0 <+55>:  call  0x56556040 <strcpy@plt>
 
 
#ghidra - prof said this should be easier than the ones above
ghidra> Symbol Tree
 Search: getenv
 
 * double-click on the "imports -> getenv" and follow the trail

If a program reads an environment variable, the user who launches it - in a red-team scenario, the attacker - controls that value completely, in both content and length. The bug is not reading the environment, it is trusting it: the fix is a NULL check on getenv()'s return plus a bounded copy (e.g. snprintf(buffer, sizeof buffer, "%s", value)). This matters most for setuid/setgid programs, where the environment crosses a privilege boundary: the dynamic loader ignores or restricts a few dangerous variables (LD_PRELOAD, LD_LIBRARY_PATH) for such binaries, but HOME and every other variable still reach getenv() untouched; glibc's secure_getenv() returns NULL in that situation and is the safer call for anything security-relevant.
