About ELF and File Permission

ELF Fundamentals

ELF (Executable and Linking Format) is the standard executable file format on Linux and Unix systems. An ELF file consists of an ELF header followed by the ELF data. It can be examined using the readelf command.

An ELF header contains important information for the OS on how to handle the file. Here are the most important parts of the header:

  • It starts with the following hex sequence: 7f 45 4c 46

  • Class defines the target architecture

  • Data refers to the type of endianness (little or big)

  • Type can be CORE (core dumps), DYN (shared objects), EXEC (executables) or REL (relocatable files).

  • Core dumps are images of a process's memory written when it crashes, typically as a product of memory corruption. They can be fed to gdb in order to examine crashed programs more accurately. We will use core dumps later on during exploit development.

Before we move on to the remaining three types, we need to first understand what linkers and loaders are.

Linkers are responsible for taking the names of functions and linking them to their actual locations in memory. During a call to a function, the linker is responsible for locating its memory address within a system library and then writing it to the process memory of the executable, so that the function can be accessed at that address. The task of a loader is to load programs from storage into memory.

If an executable requests to be loaded at a memory address that is already occupied, it needs to be relocated. Relocation simply means moving the module to another place in memory to avoid address collisions.

As this should be done in an organized manner, ELF files contain a .reloc section. Whenever the desired loading address is unavailable, the .reloc section is responsible for patching the program with new addresses. In order to be able to do that, relative addressing is used to describe the address of program functions.

Relative addressing describes a function address by its offset from the loading base address and not by the full address.

For example, if the relative virtual address of a function is 0x123 and the program is loaded at 0xB04000, the function can be found at 0xB04123.

Furthermore, executable files might also contain symbols. Symbols are a description of the executable code and include, among others, function and variable names. During compilation, the creator of an executable may decide to turn off support for symbols.

Symbols make debugging a lot easier since many function and variable names give a hint on what they are supposed to do; for example, finding functions named "getName()" or "printName()" can save us from a lot of reverse engineering activities.

The process of removing symbols from an ELF file is called stripping.

With some Linux executable handling concepts now explained, let's go back to defining the remaining three ELF file types.

  • EXEC (executables)

  • REL (relocatable files)

  • DYN (shared objects)

Relocatable files are executables supporting the relocation process.

In cases of address conflict, they make use of relative addressing and change the address of their components with a constant offset to their dynamic base address.

Shared objects are libraries of functions. From a technical perspective, they contain sections typical for both executable and relocatable files. They can often be recognized by their .so extension. Shared objects are loaded into a program that makes use of them during its startup.

Sections are standard places within an ELF file that play a certain role in its functionality. Upon startup, sections are mapped into the process memory. Mapping means storing them in the memory of a newly created process with respect to their size and contained data.

Sections also have certain permissions - read, write and execute - and none or all of them can theoretically be enabled for a section. According to these permissions, while a program is running and data from a certain section should be used, operations on those areas may or may not be restricted. For example, if a section (basically a memory area) is read-only, the program will not be able to write new data to it.

The most common sections are:

  • .data - Initialized data with read/write access rights.

  • .rodata - Initialized data with read-only access rights.

  • .bss - Uninitialized data with read and write access rights.

GOT & PLT

There are two sections that are very important for every executable:

  • .GOT (Global Offset Table) holds the addresses of functions.

  • .PLT (Procedure Linkage Table) holds the function stubs that point to the .GOT entry.

As you can imagine, both (first the PLT and then the GOT) are used while a program attempts to locate and call a certain function. Note that a place in the program where function addresses are held will become more than useful during exploit development.
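The header fields (magic, Class, Data, Type), the per-region permissions, and the GOT discussion above can all be checked from a file on disk. The following Python script is an added example, not code from the original page: it decodes the ELF header, walks the program header table (the segments the loader actually maps, each with its r/w/x flags), and reports two things a defender cares about: a segment that is both writable and executable, and the absence of a PT_GNU_RELRO segment, which is what makes the GOT read-only after loading (RELRO goes beyond what the page describes; it is stated here as a known fact). The sample image it builds is constructed in memory for the test and is not a real binary; the entry point it carries, 0x1050, is a relative virtual address of the kind the page describes, so for a DYN object loaded at 0xB04000 it would sit at 0xB05050.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"                      # 7f 45 4c 46
CLASSES = {1: "ELF32", 2: "ELF64"}
ENCODINGS = {1: "little-endian", 2: "big-endian"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
PT_LOAD, PT_GNU_RELRO = 1, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def is_elf(blob):
    return blob[:4] == ELF_MAGIC


def parse_header(blob):
    """Decode e_ident and the fixed fields of the ELF header (32- or 64-bit, either byte order)."""
    if not is_elf(blob):
        raise ValueError("not an ELF file: magic 7f 45 4c 46 missing")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in CLASSES or ei_data not in ENCODINGS:
        raise ValueError("unknown EI_CLASS/EI_DATA value")
    if len(blob) < (64 if ei_class == 2 else 52):
        raise ValueError("truncated ELF header")
    end = "<" if ei_data == 1 else ">"          # byte order of every multi-byte field
    e_type, e_machine = struct.unpack(end + "HH", blob[16:20])
    if ei_class == 2:
        e_entry, e_phoff, _ = struct.unpack(end + "QQQ", blob[24:48])
        _, _, e_phentsize, e_phnum = struct.unpack(end + "IHHH", blob[48:58])
    else:
        e_entry, e_phoff, _ = struct.unpack(end + "III", blob[24:36])
        _, _, e_phentsize, e_phnum = struct.unpack(end + "IHHH", blob[36:46])
    return {"class": CLASSES[ei_class], "data": ENCODINGS[ei_data], "endian": end,
            "type": TYPES.get(e_type, "unknown(%d)" % e_type), "machine": e_machine,
            "entry": e_entry, "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum}


def perm_string(flags):
    """Render p_flags the way /proc/<pid>/maps shows a mapped region."""
    return ("r" if flags & PF_R else "-") + ("w" if flags & PF_W else "-") + ("x" if flags & PF_X else "-")


def parse_segments(blob, hdr):
    """Walk the program header table; field order differs between ELF32 and ELF64."""
    end, segs = hdr["endian"], []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if hdr["class"] == "ELF64":
            p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack(end + "IIQQQQQQ", blob[off:off + 56])
        else:
            p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = struct.unpack(end + "IIIIIIII", blob[off:off + 32])
        segs.append({"type": p_type, "vaddr": p_vaddr, "memsz": p_memsz, "perms": perm_string(p_flags)})
    return segs


def audit(blob):
    """Return (header, segments, findings) for an ELF image held in memory."""
    hdr = parse_header(blob)
    segs = parse_segments(blob, hdr)
    findings = []
    if any(s["type"] == PT_LOAD and "w" in s["perms"] and "x" in s["perms"] for s in segs):
        findings.append("LOAD segment mapped writable and executable")
    if not any(s["type"] == PT_GNU_RELRO for s in segs):
        findings.append("no PT_GNU_RELRO segment: GOT remains writable at runtime")
    return hdr, segs, findings


def build_sample_elf64(relro=True):
    """Constructed sample: a 64-bit little-endian DYN image with text, data and (optionally) RELRO segments."""
    phnum = 3 if relro else 2
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1, SYSV ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1050, 64, 0, 0, 64, 56, phnum, 64, 0, 0)

    def ph(p_type, p_flags, vaddr, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, 0, vaddr, vaddr, size, size, 0x1000)

    image = hdr + ph(PT_LOAD, PF_R | PF_X, 0x1000, 0x400) + ph(PT_LOAD, PF_R | PF_W, 0x3000, 0x300)
    if relro:
        image += ph(PT_GNU_RELRO, PF_R, 0x3000, 0x200)
    return image


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    hdr, segs, findings = audit(blob)
    print("%(class)s %(data)s %(type)s entry=0x%(entry)x" % hdr)
    for s in segs:
        print("  segment type=0x%x vaddr=0x%x memsz=0x%x perms=%s" % (s["type"], s["vaddr"], s["memsz"], s["perms"]))
    for f in findings:
        print("  finding:", f)
```

Run it with a path to any ELF binary and compare the output with `readelf -h` and `readelf -l` on the same file; without an argument it audits the constructed sample. Only the program headers are decoded here because they, not the section headers, determine the permissions of the mapped memory.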

SUID & SGID

  • To conclude the ELF files subject, let's also cover SUID files. SUID files are a type of ELF file that is quite interesting when it comes to exploitation on Linux and Unix.

  • SUID and SGID files can be distinguished on Linux as they have a lowercase "s" in their security descriptor:

-rwsr-s--x

  • If a SUID (Set User IDentification) or SGID (Set Group IDentification) program is launched, its effective UID (or GID) becomes the owner of the file.

  • If you run a SUID root program, this program runs with root privileges.

  • If you run a SGID program, the program runs with privileges as if you were a member of that group.

  • Even if you run a program as root, this doesn't mean that you elevated your privileges. The actions you might take as root are limited by the program's functionalities.

  • Also, as the program is running as root, you cannot attach to it and change the execution flow manually, due to lack of privileges.

  • However, if there is an exploitable flaw within a SUID root program and you manage to spawn a shell via exploiting that flaw, there is a high likelihood that that shell will be a root one.

  • In other words, SUID programs, when exploited, can allow for privilege escalation.

  • When performing post-exploitation activities on Linux systems, it is always worth paying attention to the SUID and SGID files, as they can often be primitive binaries prone to stack-based buffer overflow attacks.
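Because set-id binaries are the ones whose flaws turn into privilege escalation, the same attention the page recommends during post-exploitation is worth paying on the defensive side: keep an inventory of SUID/SGID files and alert on anything that appears outside it. The following Python script is an added example, not code from the original page. It interprets an `ls -l` style mode string such as the `-rwsr-s--x` shown above (a lowercase `s` means the set-id bit plus execute; an uppercase `S` means set-id without execute), walks a directory tree with `lstat` so symlinks are not followed, and reports set-id files that are not in a baseline list. The baseline paths are placeholders for a list the administrator maintains.

```python
import os
import stat


def setid_bits_from_mode_string(mode):
    """Interpret a 10-character ls -l mode string, e.g. '-rwsr-s--x'."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string")
    user_exec, group_exec = mode[3], mode[6]     # positions of the user and group execute bits
    return {
        "suid": user_exec in "sS",
        "sgid": group_exec in "sS",
        # lowercase: set-id bit together with execute; uppercase: set-id bit without execute
        "suid_executable": user_exec == "s",
        "sgid_executable": group_exec == "s",
    }


def find_setid_files(root):
    """Return regular files under root that carry the SUID or SGID bit (symlinks are not followed)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:               # vanished or unreadable entry; keep walking
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append({"path": path, "mode": stat.filemode(st.st_mode),
                              "uid": st.st_uid, "gid": st.st_gid})
    return found


def diff_against_baseline(current, baseline_paths):
    """Set-id files that are not part of the known-good baseline (constructed list in the caller)."""
    known = set(baseline_paths)
    return [entry for entry in current if entry["path"] not in known]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    baseline = ["/usr/bin/passwd", "/usr/bin/sudo"]        # placeholder baseline, not a real inventory
    for entry in diff_against_baseline(find_setid_files(root), baseline):
        print("%(mode)s uid=%(uid)d gid=%(gid)d %(path)s" % entry)
```

Run it as `python3 setid_audit.py /` from a scheduled job and ship the output to the log pipeline; the interesting signal is a new set-id file appearing where there was none, especially one owned by root in a world-writable directory.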
