[20319] in bugtraq
Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)
daemon@ATHENA.MIT.EDU (Chris Evans)
Thu Apr 19 15:10:20 2001
Message-ID: <Pine.LNX.4.30.0104182215060.19920-100000@ferret.lmh.ox.ac.uk>
Date: Wed, 18 Apr 2001 22:35:46 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
X-To: Bill Sommerfeld <sommerfeld@ORCHARD.ARLINGTON.MA.US>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104181401.f3IE1tP03684@syn.hamachi.org>
On Wed, 18 Apr 2001, Bill Sommerfeld wrote:
> seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
> chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
> chdir("..");
> chroot(".."); execve("/bin//sh", ..);
>
> For the record, I blocked this way of breaking out of chroot in NetBSD
> in 1999; the fix is present in NetBSD 1.4 and later releases. I'm
> surprised that this hasn't been picked up by more distributions.
I expect many many other people are going to reply to this, but here
goes..
Trying to stop root breaking out of a chroot() environment tends to be an
exercise in futility. For every escape route you block, a clever attacker
is likely to think up two more.
Are you claiming root cannot escape a chroot() jail in NetBSD? If not,
you've increased the complexity of your kernel for little real-world gain.
An attacker will know when they are targeting NetBSD, and simply modify
the shellcode to escape the chroot() in some different manner.
If you _are_ claiming root cannot escape the jail, then how thorough have
you been? Have you taken care of
- ptrace() syscall
- mknod of /dev/kmem
- mknod of /dev/some_hard_drive
- attaching to IPC primitives
- kernel module loading (if NetBSD has the concept)
- games with mount(), in particular /proc
- iopl() - if NetBSD has it
- kill() of a sensitive daemon followed by bind() and then password theft
- use of a raw network socket to abuse a trust relationship
- etc. etc.
Cheers
Chris
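Added example, not part of the original thread or of any BSD code: the defensive consequence of the argument above is that chroot() is only a containment if the jailed process does not keep uid 0, so a daemon should drop root irrevocably after entering the jail and verify that it cannot get it back. The jail path, uid and gid below are constructed placeholders.

```c
/* Added example (not from the Bugtraq thread): chroot() then drop root
 * irrevocably, and check that uid 0 is no longer reachable.
 * Jail directory, uid and gid are placeholder values. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail and drop to an unprivileged uid/gid.  Order matters:
 * chdir() into the jail before chroot() so the cwd is inside it, then
 * chdir("/") so no descriptor or cwd points outside the new root;
 * supplementary groups before gid, gid before uid (once the uid is
 * unprivileged the group changes would be refused).
 * Returns 0 on success, -1 with errno set on failure. */
int jail_and_drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) == -1)        return -1;
    if (chroot(jail) == -1)       return -1;   /* requires euid 0 */
    if (chdir("/") == -1)         return -1;
    if (setgroups(0, NULL) == -1) return -1;   /* clear supplementary groups */
    if (setgid(gid) == -1)        return -1;   /* real, effective and saved gid */
    if (setuid(uid) == -1)        return -1;   /* real, effective and saved uid */
    return 0;
}

/* Returns 1 if the process is unprivileged and cannot regain uid 0:
 * real and effective uid are non-zero and setuid(0) is refused with
 * EPERM (which also shows the saved uid is not 0).  Returns 0 otherwise. */
int privileges_irrevocably_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    errno = 0;
    if (setuid(0) == 0)                  /* must not succeed here */
        return 0;
    return errno == EPERM ? 1 : 0;
}

int main(void)
{
    const char *jail = "/var/empty/example-jail";   /* placeholder path */
    uid_t uid = 65534;                               /* placeholder: nobody */
    gid_t gid = 65534;

    if (jail_and_drop_privileges(jail, uid, gid) == -1) {
        perror("jail_and_drop_privileges");
        return 1;
    }
    if (!privileges_irrevocably_dropped()) {
        fprintf(stderr, "still able to regain root after chroot; refusing to run\n");
        return 1;
    }
    puts("jailed and unprivileged");
    return 0;
}
```

The check after the drop is the part worth keeping in a real daemon: a process that can still setuid(0) after chroot() is exactly the case the mail argues cannot be contained by kernel chroot restrictions.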