To: freebsd-security@freebsd.org
References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com>
Date: Fri, 06 May 2011 10:54:01 -0500
From: "Mark Felder" <feld@feld.me>
Message-ID: <op.vu2g4b0k34t2sn@tech304>
In-Reply-To: <4DC4102E.8000700@gmail.com>
User-Agent: Opera Mail/11.50 (FreeBSD)
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson  
<daniel.jacobsson.90@gmail.com> wrote:

> Can someone confirm if this bug/exploit works?

It's really not a bug or exploit... it's just the guy being crafty. It  
only makes sense: the jails access the same filesystem as the host. Put a  
file setuid in the jail and use your user on the host to execute that file  
and voila, you're now running that executable as root.

Your users should NEVER have access to the host of the jail.
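
An added example, not part of the original message: a host-side audit that lists setuid/setgid files inside a jail tree and reports whether a directory permission barrier keeps unprivileged host users away from them. The function names are hypothetical, the jail path is supplied by the operator, and the reachability check is an assumption that looks only at the other-execute bit (no group membership or ACLs).

```python
import os
import stat
import sys

def blocked_at(path):
    """Return the nearest directory at or above path that lacks the
    other-execute bit (users outside its owner/group cannot pass it),
    or None if the whole chain up to / is traversable by anyone."""
    path = os.path.realpath(path)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return path
        parent = os.path.dirname(path)
        if parent == path:
            return None
        path = parent

def setid_files(jail_root):
    """List regular files under jail_root carrying setuid or setgid bits."""
    found = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the jail
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((full, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(found)

def audit_jail(jail_root):
    """Combine both checks: setid files inside the jail matter to the host
    only if unprivileged host users can reach the jail tree."""
    barrier = blocked_at(jail_root)
    files = setid_files(jail_root)
    return {"blocked_at": barrier, "setid_files": files,
            "exposed": barrier is None and bool(files)}

if __name__ == "__main__":
    # Usage: python3 audit_jail.py /path/to/jail/root
    report = audit_jail(sys.argv[1])
    print("barrier:", report["blocked_at"] or "none, host users can reach this tree")
    for path, mode, uid in report["setid_files"]:
        print(f"  {mode} uid={uid} {path}")
```

A barrier is normally placed on the directory that contains the jail roots (root-owned, mode 0700), because the jail root itself has to stay traversable for users inside the jail.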