On Wed, 18 Apr 2001, Bill Sommerfeld wrote:

> seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
> chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
> chdir("..");
> chroot(".."); execve("/bin//sh", ..);
>
> For the record, I blocked this way of breaking out of chroot in NetBSD
> in 1999; the fix is present in NetBSD 1.4 and later releases. I'm
> surprised that this hasn't been picked up by more distributions.

I expect many many other people are going to reply to this, but here goes..

Trying to stop root breaking out of a chroot() environment tends to be an
exercise in futility. For every escape route you block, a clever attacker
is likely to think up two more.

Are you claiming root cannot escape a chroot() jail in NetBSD? If not,
you've increased the complexity of your kernel for little real-world gain.
An attacker will know when they are targeting NetBSD, and simply modify
the shellcode to escape the chroot() in some different manner.

If you _are_ claiming root cannot escape the jail, then how thorough have
you been? Have you taken care of

- ptrace() syscall
- mknod of /dev/kmem
- mknod of /dev/some_hard_drive
- attaching to IPC primitives
- kernel module loading (if NetBSD has the concept)
- games with mount(), in particular /proc
- iopl() - if NetBSD has it
- kill() of a sensitive daemon followed by bind() and then password theft
- use of a raw network socket to abuse a trust relationship
- etc. etc.

Cheers

Chris
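The defensive counterpart to the thread's point, as an added example that is not part of the original post or of NetBSD: since root inside a chroot() can always get out, the jail only means something if the process stops being root, and the quoted escape also depends on a directory fd opened outside the jail surviving the chroot() and on the cwd not being moved into the new root. The helper names (close_foreign_fds, drop_privileges, enter_jail) are this example's own, and the uid/gid 65534 is assumed to be an unprivileged account.

```c
#define _GNU_SOURCE          /* setgroups() prototype on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor above stderr before chroot(): the escape quoted
 * above works by keeping an fd to ".." open across the chroot() call. */
static void close_foreign_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    for (long fd = 3; fd < (maxfd > 0 ? maxfd : 1024); fd++)
        close((int)fd);
}

/* Permanently drop to uid/gid. Returns 0 only if the drop is irreversible
 * (setuid(0) fails afterwards). Refuses uid/gid 0: staying root is exactly
 * what makes the jail pointless. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* clear groups first */
        return -1;
    /* as root, setuid() replaces real, effective and saved ids at once */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* verify: root must not be recoverable from any of the three ids */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Enter the jail (needs root), then give root up. chroot() without a
 * following chdir("/") leaves the cwd outside the new root. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    close_foreign_fds();
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s dir uid gid\n", argv[0]); return 2; }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) { perror("enter_jail"); return 1; }
    printf("jailed: uid=%d euid=%d, setuid(0) now fails\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Run it as root against a prepared jail directory (e.g. `./jail /srv/jail 65534 65534`); the device-node, ptrace and mount items in the list above are still worth auditing in the jail, but none of them are reachable by a process that is no longer root.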
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 12:19:57 PDT