About this list Date view Thread view Subject view Author view Attachment view

From: Nick Craig-Wood (ncw1_at_axis.demon.co.uk)
Date: Wed 06 Feb 2002 - 20:35:35 GMT

On Wed, Feb 06, 2002 at 02:46:10PM +1100, edward_at_paradigm4.com.au wrote:
> It is my understanding that all the considered chroot exploits ( we
> are not talking about using devices and mounting tricks as this
> capability is disabled in vserver ) are based on either using file
> handle that was open before the first chroot, or the current
> directory from before the first chroot.
> Unless I'm missing something, the solution is simple - do not leave
> any file handles open when you do chroot and do chdir("/")
> immediately after. Problem solved.

I'm afraid not.

I wrote a proof of concept exploit which will break any chroot
provided the user that runs it has CAP_CHROOT. I'll email the exploit
to you if you want.

> > Once the chroot is done, you are free to do chdir (".."). Since
> > the test is perform only if the current directory == the process
> > root directory, chdir("..") works and let you out of the original
> > vserver root directory.
> If you did chdir("/") after the first chroot, subsequent chroot and
> chdir("..") will not get you out.

Unfortunately it will. Assume you've done all your chrooting magic.
Now cd / (in the chroot). Chroot into /tmp. Your current working
directory is now above your root directory. You can now cd .. with
impunity and when you've got where you want to be, chroot ".".

Nick Craig-Wood

About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 06 Nov 2002 - 07:03:39 GMT by hypermail 2.1.3