Site Navigation

Date:      Thu, 6 Mar 2014 01:55:11 -0500
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        "d@delphij.net" <d@delphij.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "freebsd-gnats-submit@FreeBSD.org" <freebsd-gnats-submit@FreeBSD.org>, "secteam@FreeBSD.org" <secteam@FreeBSD.org>, "jamie@FreeBSD.org" <jamie@FreeBSD.org>, Nicola Galante <galante@veritas.sao.arizona.edu>
Subject:   Re: misc/187307: Security vulnerability with FreeBSD Jail
Message-ID:  <0E7A07FB-FE42-41BE-9FE2-36558C421411@dataix.net>
In-Reply-To: <5317B597.5050900@delphij.net>
References:  <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
I would also add  . . . separate ssh keys and passwords if the user needs access to both host and jailed systems. This is just common practice and not a security flaw by any means but an engineering oversight.

Popsicle sticks also have a security flaw, they let you jab yourself in the throat if you fall while sucking on them. Solution . . . sit down.

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

> On Mar 5, 2014, at 18:39, Xin Li <delphij@delphij.net> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
>> On 03/05/14 15:07, Nicola Galante wrote:
>> I found a potential vulnerability with FreeBSD jails. I installed a
>> server (hostserver) for my institute. This hostserver has a certain
>> IP address, let's say 10.0.0.100, and I installed and configured
>> three service jails (elog, mail, www), each with a different IP
>> address (10.0.0.101, 10.0.0.102, 10.0.0.103)
>> 
>> root@hostserver:/jails/j # jls JID  IP Address      Hostname
>> Path 1  10.0.0.101      elogjail                  /jails/j/elog 2
>> 10.0.0.102      mailjail                  /jails/j/mail 3
>> 10.0.0.103      wwwjail                   /jails/j/www
>> 
>> I have an account on both the hostserver and the elogjail. Password
>> authentication on hostserver and ssh key authentication in the
>> jail. The service sshd is running on both the hostserver and
>> elogjail. If I ssh into the elogjail
>> 
>> [galante@caronte ~]$ ssh galante@elogjail Enter passphrase for key
>> '/home/galante/.ssh/id_dsa': Last login: Wed Mar  5 21:37:23 2014
>> from caronte galante@elogjail:~ %
>> 
>> as expected. But if I turn off the sshd service in elogjail (and
>> keep the elogjail up and running) and I try to connect to elogjail,
>> I first get a complaint that the fingerprint for the RSA key sent
>> by the remote host has changed. If I remove the corresponding line
>> in my local .ssh/known_hosts file and try to reconnect, this is
>> what happens:
>> 
>> [galante@caronte ~]$ ssh galante@elogjail Password for
>> galante@hostserver: Last login: Wed Mar  5 21:12:20 2014 from
>> caronte galante@hostserver:~ %
>> 
>> I log into the host system! Of course this is possible because I
>> have an account on both the host system and the jail. However, I
>> believe that this can cause a serious potential security threat. I
>> can envision several scenarios where somebody attempts to get into
>> a jail and instead gets into the host system. I checked also the
>> DNS responsiveness. The problem persists even if I use IP addresses
>> instead of host names.
>>> How-To-Repeat:
>> Follow the steps described above.
>>> Fix:
>> I don't know how to fix the problem other than by disabling sshd in
>> the hostserver.
> 
> I don't think this is a security issue and close this as invalid,
> however I'm bringing secteam@ and jamie@ in, just to make sure I
> didn't understood the problem wrong.
> 
> The first thing is let's confirm that I'm understanding your question
> correctly.  What happens is that:
> 
> a) you have account on *both* jail and host system.
> b) you attempted to log in into jail's IP, which is also bound to host
> system;
> c) your configuration didn't explicitly specify SSH's listening
> address on host, so it's a wildcard (Listen 22 instead of Listen
> hostip:22, where you can see in sockstat -4l as *:22 for sshd).
> 
> and
> 
> d) when jail is shut down, when you connect to the jail's IP, you
> connected into the host.
> 
> This is NOT a problem with jail.  For starters, it's very bad idea to
> give out host shell account, privileged or not, to jail users if they
> are not trusted.  Let's consider this scenario:
> 
> jail$ su -l
> jail# cp /usr/bin/less /bin/root_shell
> jail# chown root:wheel /bin/root_shell
> jail# chmod 6555 /bin/root_shell
> jail# logout
> jail$ logout
> 
> Then, you basically have a setuid binary that can be reached from host
> system.  As an attacker I would do:
> 
> host$ /path/to/jail/bin/root_shell
> #
> 
> So the solution would be to change your configuration such that:
> 
> 1) Do not give shell access to jail users unless they are also host
> system administrator.
> 
> 2) Do not make host's sshd to listen on all addresses, instead, only
> listen to the designated host IP address.  This is not a security
> measure but avoids confusion.
> 
> Cheers,
> - -- 
> Xin LI <delphij@delphij.net>    https://www.delphij.net/
> FreeBSD - The Power to Serve!           Live free or die
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (FreeBSD)
> 
> iQIcBAEBCgAGBQJTF7WXAAoJEJW2GBstM+ns/dMP/2MdcY2FbXR7nl5cc5NL6Xyi
> O87+Eee5QbJ4pRP/CdvTD4OivHi8BecS9egQDhtRuIvv6XtHWCD26KPuMUYgZd4U
> 8min9L/kfFLwlBIuH9CKGR0iRzXDGY99NpRVpwSJBPxSeJrUZZzCMdoCwEQPvhkQ
> S4TNv9+qiXmqDAwJbcTFDUfhqc9FPuaLfdn/6+Cbi3MEAhJjaAuuvbZeUvhKLi/n
> xavs3e9tqcy3i3D6dJvSuOvDibBbrLpamch23VeyOMTZ78ahOKLa5dDAfkFJgx+g
> JicfTcdcSiPEutPenJo1bWUn5DbW1+aoNL+acBLty9Q0iknn8dcSG6PWDHnz3pmq
> +hE8lOq+7HGkVoqIGtDULlPy2eEeM6WwjUj4wcAQI7PfStkTc7eqJooj76mMmPg7
> CKF0yaqAG/57Qys4G6eVRxW8sAV33k8gaeTjjrRX6tFYZvZElSZ57shxZPinxzQe
> XAAyq2E1gkxKnnvFZGEJSv4kmyE0u4jJAGW17N3x04R/VjPgtdBKZ4YeG3HoHdh3
> vJ9LBUuZvx3zy0bVslJFKTNQq3tvCWhOkf4dITHKm2JBpaeo9VwGs50yUKYg/3NB
> //NDUnQCF9rpoqU40w9JKEOiWO+nZLUzdXLerI8TccU15Mz0dpo+06oC6e72DVtG
> aUQS8DKHmWB9SwgXX02d
> =ky3s
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��90�00��
��0
	*�H��


0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
130518085048Z
140519220947Z0H10Ujhellenthal@dataix.net1%0#	*�H��

	
jhellenthal@dataix.net0�
"0
	*�H��



�
0�

�

�'`T�mfkܨJ5�u+c�'�U�p�b����`��zv�)&ȸX�Z*V��N�6�Jv�LoV�o�h�}�g�
p�QDŽKf/�tZ�A�˳(���"4Ԅ��˻�'�d2h|��IB�l�'���^v�^��;'��e8�S��9�9���ۿVm|k8_UQ��t�C�"5�l��!kjZ]އQGn����\��B�Ž�h�!FT�sD�%���pV^�E��ӑ
d¨x͸"�9
г"����
����f�

���0��0	U00U�0U%0+
+
0U�ڔ�fm��V�ʢ�$䟓�0U#0�Sr풜���
\|~�5N�ԸQ�0!U0�jhellenthal@dataix.net0�
LU �
C0�
?0�
;+

��7
0�
*0.+

"http://www.startssl.com/policy.pdf0��+
0��0' StartCom Certification Authority0

��This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.06U/0-0+�)�'�%http://crl.startssl.com/crtu1-crl.crl0��+


��009+
0
�-http://ocsp.startssl.com/sub/class1/client/ca0B+
0�6http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0�http://www.startssl.com/0
	*�H��


�

{0���Ӹ,52��W{��E�y�8�b�[���{��7��_�+��P�"��n�[���"-�,��@Žp��J��-W��$ݍ�jWA��-6���z��(	���RdIZ�.����Kz�X�є[�K6}{�s+v.�Q��h�0���P�ͅK��h�Tw0I�7�3l��z*�Kv��4Kkگ��6�3;�p1:ױ����@)����]o�k>:W�%Xw�C1þL�/�o8���~#�oP�0�40��

0
	*�H��


0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
071024210155Z
171024210155Z0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0�
"0
	*�H��



�
0�

�

�	���-��)�.����2����A�UG��o��#G�
�B|N�D�����Rp�M-��B��=o���-�we�5��J�Qpa>O��.�#������.���_�<���V��
[~�*��*�p�z��~�3�W�G�.ᘟ����Ml�r[�<C�e�6���f����q������O���"��u��xf�WN�#�u����i���c�gk��v$����Lb�%�������y��`�����_�{`���xK'G�N��

��
�0�
�0U

�0

�0U

�
0USr풜���
\|~�5N�ԸQ�0U#0�N��@[�i�0�4hC�A��0f+


Z0X0'+
0
�http://ocsp.startssl.com/ca0-+
0�!http://www.startssl.com/sfsca.crt0[UT0R0'�%�#�!http://www.startssl.com/sfsca.crl0'�%�#�!http://crl.startssl.com/sfsca.crl0��U y0w0u+

��7

0f0.+

"http://www.startssl.com/policy.pdf04+

(http://www.startssl.com/intermediate.pdf0
	*�H��


�

�}x�,\�c�^��#wM�q�}��>UK/��^y��X֏y	����f�rMIŲ�B6�1ymQ󸟆�ҨݬZ���0���&��;�@��#13qۑ��&	��̢����
��o�	6�r��_��;�GO>*I�(	7�4���XS1r3��)!�LJ�y��6Ko����tˆ#
_�w�S�r���
�;�B
A�Dp�(f��s�������䰷6%�����.W0J3�:b�C�<�8t X����1�<��C��n�=�����t==�wS���T������~���\�wkB�f�|1��5���zU��P)��(���I��j��VB��!����OfI=b
��b�\4�-*em��/нSJm�7���N�����[�]'��@ڽ��D9�Kr>���R��7/��|�o���^I@�ټ'��Pa$ z��9�a'L�)��(�
�I��}v��c�H]�۸�D����*�W�}
m�>Q����|�C.�(,�l��Q�0��0���


0
	*�H��


0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
060917194636Z
360917194636Z0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0�"0
	*�H��



�0�
�
���	�lF|x��{�3��rb��6 "$^��w�C
�d�̎6�8�#�nm�<�r����=�3+�/���AYg��}
�t��yL�7z�9RY��FC�҅���q�ub4�,����4�ǖ�R=�3��M�;JK��&/��r5w�<]���&�6v\
�t%������x�-�0
-ry�F�*�����I�����
�
�cS�b�:̵f��kt�+�v>�m��D�sb;ľ�SV%lQ	���ʿv�m��ۿ=f�V���H�:KߧXP�8u�[�C����lMp[)e�ݪ]̯
1��ҍ��{�n�'fH�nB�?�!>{�
p�c��lT�\%zɢɋ��,~^MXn
�
�2�����n��6I�Hi�–M�i�
���y"H��{i�p��z7��
�vOW��������`�g:�����ԋr"�Ɵ���������ƶ�\R<��*s

�`�z/�ۣn�&0���݉W��=��+ŷv��+��*r��3�]	K߻�tRK

��R0�N0U0

�0U
�0UN��@[�i�0�4hC�A��0dU]0[0,�*�(�&http://cert.startcom.org/sfsca-crl.crl0+�)�'�%http://crl.startcom.org/sfsca-crl.crl0�
]U �
T0�
P0�
L+

��7


0�
;0/+

#http://cert.startcom.org/policy.pdf05+

)http://cert.startcom.org/intermediate.pdf0��+
0��0' Start Commercial (StartCom) Ltd.0

��Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://cert.startcom.org/policy.pdf0	`�H
��B

08	`�H
��B

+)StartCom Free SSL Certification Authority0
	*�H��


�
l��f4�Ѕ^}
��N8^ߦ%K�2��;�=�D	[I�)�f����%�	<���6�+K�h�9f=�&��9�Q��{~��Z��Wpi��^X�
ߌ�E8
^W�b�z�����)����n(�DÐ�8�<�CMdE��(�\�s{�諱�.\dns1:����}��Q�;���M�f{<�Ӛ��eP���u�/���C��i��y�C�Fr�d6��%8��w~�kj���DK�x����,KD�4R'�
]�����x�S2݀�fuٵh(�a.���8����gd�./�p�ǖ|�e��CT�ݥ�9�`�4ɖp,��H{�~k����";���*���R��KU�����"��4N&"��,uJ��}׸d�6��/��#	��;sI�jW����xřCc�M�w-�e�riG	�
V$��y�X.��	
~��m>��J9��+���u���	�U7��7�Cb ��VKe��l�$�$�4���"��}?�eQ
�0j���
�r��^1�o0�k

0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0	+��
�0	*�H��

	1	*�H��


0	*�H��

	1
140306065513Z0#	*�H��

	1�����$)%�Pe���Yn[0��	+

�71��0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0��*�H��

	1�����0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0
	*�H��



�
		~�6�i��UՑ��w}��d�\ŷ
EB�"HK8��U�T��߹����1��L�JO����o�9W��_]�M�ږAK���4֟Gj������0ܑ�J��o��]z�a�{�Đ�Q�mR"wj���%�����N��1�t�P�%�t���
��\<��Ă�t�]���.Մ�N��P9B���8۔՟����z&�3�Ԅ��Nr�ty�QY���mS�㎫�s��L�e�%���5�t}��g�

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0E7A07FB-FE42-41BE-9FE2-36558C421411>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact