From: "Mark Felder" <feld@feld.me>
To: freebsd-security@freebsd.org
Date: Fri, 06 May 2011 10:54:01 -0500
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
Message-ID: <op.vu2g4b0k34t2sn@tech304>
In-Reply-To: <4DC4102E.8000700@gmail.com>

On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson <daniel.jacobsson.90@gmail.com> wrote:

> Can someone confirm if this bug/exploit works?

It's really not a bug or exploit... it's just the guy being crafty. It only makes sense: the jails access the same filesystem as the host. Put a file setuid in the jail and use your user on the host to execute that file and voila, you're now running that executable as root. Your users should NEVER have access to the host of the jail.
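
Added example, not part of the original message or of FreeBSD: a host-side Python audit of the situation described above, listing setuid/setgid files under a jail root and checking whether unprivileged host users can traverse into it. The path `/usr/jails/example` is a placeholder, and the check is an assumption-level simplification that looks only at the "other" search bit (ACLs and group access are ignored).

```python
import os
import stat
import sys


def find_setid_files(jail_root):
    """Return (path, owner_uid, mode) for each setuid/setgid regular file under jail_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the jail
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def first_barrier(jail_root, base="/"):
    """Walk from base down to jail_root and return the first directory that
    denies search (x) permission to 'other' users, or None if there is none."""
    base = os.path.realpath(base)
    target = os.path.realpath(jail_root)
    if os.path.commonpath([base, target]) != base:
        raise ValueError("jail_root must be inside base")
    current = base
    parts = [p for p in os.path.relpath(target, base).split(os.sep) if p != "."]
    for part in [None] + parts:  # None stands for base itself
        if part is not None:
            current = os.path.join(current, part)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
    return None


def audit(jail_root, base="/"):
    """Exposed: host users can traverse into the jail AND set-id files exist there."""
    barrier = first_barrier(jail_root, base)
    setid = find_setid_files(jail_root)
    return {"barrier": barrier, "setid": setid,
            "exposed": barrier is None and bool(setid)}


if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/jails/example")
    print(report)
```

A full jail userland normally contains some setuid binaries, so the actionable field is usually `barrier`: a parent directory without search permission for others keeps unprivileged host users from reaching them.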