[24055] in bugtraq
Re: user-mode-linux problems
daemon@ATHENA.MIT.EDU (Ajax)
Thu Jan 31 15:36:43 2002
Date: Thu, 31 Jan 2002 09:13:25 -0600 (CST)
From: Ajax <ajax@firest0rm.org>
To: <bugtraq@securityfocus.com>
Cc: Andrew Griffiths <andrewg@tasmail.com>
In-Reply-To: <200201280216.g0S2GvH06047@franklin.nt.tas.gov.au>
Message-ID: <Pine.BSO.4.33.0201310847170.6711-100000@belial.firest0rm.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 28 Jan 2002, Andrew Griffiths wrote:
> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s is my comments to
> my article... deal with it.
> <snip>
>
> A user proccess can write into kernel memory, which will allow a person
> to get root inside the uml "box", and the possibility to break out of
> the uml "box", into the real one.
>
> This can happen even if the jail and honeypot options are turned on. [
> Though I suspect the version i was testing was half-way through
> implementing them ]
you're right about the "half-way through" bit. 2.4.17-9um is much better
in this respect.
the honeypot option explicitly *reduces* security:
/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
This makes UML put process stacks in the same location as they are
on the host, allowing expoits such as stack smashes to work against
UML.
/usr/src/uml/linux$ ./linux --version
2.4.16-2um
as of 2.4.17-9um, the "honeypot" option turns on the "jail" option; thus
the most secure setup is to run uml with "jail" and not "honeypot".
also, running uml itself within a chroot, as its own UID, and with no
capabilities, quite effectively limits the damage an attacker can do in
breaking the uml container. but you all knew that already.
-=:[ ajax (firest0rm)
