From owner-freebsd-security Fri May 12 13:51:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id EDF9737B595 for ; Fri, 12 May 2000 13:51:10 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id NAA28061; Fri, 12 May 2000 13:50:32 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda28059; Fri May 12 13:50:29 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id NAA63043; Fri, 12 May 2000 13:50:29 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdu63033; Fri May 12 13:49:45 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.1/8.9.1) id e4CKnjU42033; Fri, 12 May 2000 13:49:45 -0700 (PDT) Message-Id: <200005122049.e4CKnjU42033@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdG42029; Fri May 12 13:49:04 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.0-STABLE X-Sender: cy To: "Patrick Bihan-Faou" Cc: "Cy Schubert - ITSD Open Systems Group" , freebsd-security@FreeBSD.ORG Subject: Re: envy.vuurwerk.nl daily run output In-reply-to: Your message of "Fri, 12 May 2000 11:46:41 EDT." <0e8c01bfbc29$4432e390$040aa8c0@local.mindstep.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 12 May 2000 13:49:04 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <0e8c01bfbc29$4432e390$040aa8c0@local.mindstep.com>, "Patrick Bihan- Faou" writes: > Hi, > > > I was about to comment that anyone with root can break out of any > > chrooted environment including jail, however testing the break out of > > jail exploit (good thing I tested before I spoke), which BTW worked on > > FreeBSD-3 and numerous other platforms including Linux, Solaris, and > > Tru64-UNIX, appears to no longer work under 4.0 -- which is a good > > thing! When did the FreeBSD chroot(2) get fixed? > > > > Once again FreeBSD leads the way. > > > > Following is the break-out-of-jail code. > > I just tested the exploit code on a 3.4 system and a 4.0 system and my > results are: > > - if I run the program as root, then programs runs properly: starts SH in / > - if I run the program as !root, then the program fails to chroot to back to > / (I guess this is the expected behaviour). > > > For info: > > The FreeBSD 3.x machine: > > FreeBSD jacuzzi.local.mindstep.com 3.4-STABLE FreeBSD 3.4-STABLE #8: Thu Apr > 27 00:13:41 EDT 2000 > patrick@jacuzzi.local.mindstep.com:/usr/src/sys/compile/JACUZZI i386 > > > The FreeBSD 4.0 machine: > > FreeBSD nitro 4.0-STABLE FreeBSD 4.0-STABLE #3: Fri Apr 21 15:10:09 EDT 2000 > patrick@nitro:/usr/src/sys/compile/NITRO i386 > > > So my question is: is the exploit really fixed ? Or is it normal for root to > be able to break loose from chroot ? I've been, as root, able to break out of jail with the posted code on FreeBSD-3.3, RH 5.2 & 6.0, Solaris 2.6, and Tru64-UNIX 4.0D. I've, as root, not been able to break out of jail on 4.0-STABLE as of April 22, hence suspected that FreeBSD plugged this hole. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message