One of the main goals of a hacker is to break a system. Now the most popular system we know is Unix, the base of Linux, iOS, Android, and so on. So, when I say Unix, I'm saying it in a generic sense in and around that family of systems. I want to tell you about an attack that sort of worked in the 90s. It's a way of kind of getting access to the kernel, to the underlying system of Unix. This is going to be a little tricky for you to follow. I'm going to take you through in stages. And we've got some material, you can look at the charts and they might help you a little bit. But I wanted to try and follow as I take you through this attack. Now here's the key, this attack involves features that seem fine on their own but when you combine them, it causes a problem. Let us take the first one. In Unix, you're doing something called CLI, or command line interface, where you're typing commands. Instead of pointing and clicking, you're typing, which means you're typing letters, spaces, arguments, spaces, and so on. Those spaces are called whitespace and they separate a command from its argument. Like, if you're typing add space X space plus space Y, the spaces separate the different fields in the command line interface. That makes sense? So Unix, weirdly enough, in addition to just the space and say, a tab, that's what you would guess, you could put anything you want in there. Now, in Unix there's a thing called the pathname where you have a slash character, a word, a slash character, a word, and so on. And the first slash we call in Unix, root. Now, here's the first piece of the attack. Take the slash and define that also as a whitespace. It's a simple command in Unix. It's called the internal field separator. It's a variable. You just say, that internal field separator is both space tab and slash. Got it? That's stage one. Easy to understand. You could say, why would you want to do that? Unix designers were weird. They just like to give you the option of having weird command line interface. Now, the second feature that we're going to use in the attack is something called setuid-to-root. Now, this is a feature in Unix that allows a program running with low privilege, to suddenly jump up to get high privilege to do something, and then drop back down to low. So, for example, if we're on a shared system and I said, "Can you touch the password file and you are a normal user?" You'd say, "No I can't change the password file." But if I said, "Can you change your password?" You'd go, "Yes, I can change mine. I have a command I can change my own password." I'd say, "Great". Then, what that means is you're going to invoke a password program as a normal user, it's going to run when it has to go change a password file, setuid-to-root change the password file with high privilege, and then execute. Got that? So setuid allows a program to increase its privilege. Now, the third feature of Unix is that it's open source. That means you can read the code, go on read what's going on. So go find some program that runs setuid-to-root and find some piece of code that runs at high privilege. So, for example, if there's a piece of code that runs with high privilege in a setuid program that does exec space /file/ something like a pathname, then notice that that's there. That's the third stage. Just write it down, see what that piece of code is. Now, a fourth piece of this, is that in the Unix shell, you can put commands in and run it as a program. So I can create a program called steel shell and put commands in. So what I'm going to do, is I'm going to put a little program in, put it in my home directory that's going to copy the Unix shell to some other name. Now you should know that in Unix, the shell is my view of the operating system, it's SH, it's the name of the command, name of the program. So I'm going to copy my view of SH to some other name. Call it hack shell. Now, let's go through this. First, thing I do, make IFS include slash. Got it? Next thing, I have in my home directory that program that copies the shell to some other name. Now, third I run the setuid program. And what's going to happen? It runs, increases privilege, does the exact space slash. And then there's a name, let's say, that's called BIN. You know that program that's in my home directory? Call that BIN. And, now what will happen, is it's going to execute BIN with high privilege and it will copy the shell to you. Is that crazy? Let me go through that one more time with you because it's amazing how they all come together. I put a program in my home directory called BIN, that program copies the shell to a hacked shell. I changed the field separator to basically dissolve the slash character, it looks like a space now, I run a setuid program. It increases the high privilege, it exacts but ignores the slash, runs something that says BIN thinking that's part of a path -- I've dissolved all the path separators -- and it's going to copy a shell to me. Now that's tricky. Listen, it's not important for quizzes or anything for you to memorize those steps. If you didn't understand that, I don't want you to freak out. Most people have a little trouble with that. But I wanted you to see that this can get a little complicated. That hacking is not simple but, when I explain it to you, it's totally simple. You got it? You need somebody who can really dig into the internals and create a hack. But once it's created, once it's automated, I could write the program I just told you. And mail it to you. And you run it. And, now, you're a hacker. You didn't have to do the design. But I wanted you to see something that was a little bit more involved. If you're interested, it's very easy on the internet to go out and find different types of resources, different types of information around hacking. Be very careful with that though, I don't want any of you downloading hacking tools and actually doing this sort of thing to real networks. But it's certainly worth taking some time to go review. And, as part of the work here, we'll make sure that you see some good solid resources on all of these different things that will help you in your personal learning plan. So thanks.
