Bugtraq mailing list archives
Re: user-mode-linux problems
From: Ajax <ajax () firest0rm org>
Date: Thu, 31 Jan 2002 09:13:25 -0600 (CST)
On Mon, 28 Jan 2002, Andrew Griffiths wrote:
> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s are my comments to my article... deal with it.
>
> <snip>
>
> A user process can write into kernel memory, which will allow a person to get root inside the uml "box", and the possibility to break out of the uml "box", into the real one. This can happen even if the jail and honeypot options are turned on. [ Though I suspect the version I was testing was half-way through implementing them ]
you're right about the "half-way through" bit. 2.4.17-9um is much better in this respect. the honeypot option explicitly *reduces* security:

/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
This makes UML put process stacks in the same location as they are on the host, allowing expoits such as stack smashes to work against UML.

/usr/src/uml/linux$ ./linux --version
2.4.16-2um

as of 2.4.17-9um, the "honeypot" option turns on the "jail" option; thus the most secure setup is to run uml with "jail" and not "honeypot". also, running uml itself within a chroot, as its own UID, and with no capabilities, quite effectively limits the damage an attacker can do in breaking the uml container. but you all knew that already.

-=:[ ajax (firest0rm)
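The launcher below is an added example, not code from the thread or from the UML project. It starts the UML kernel binary the way the reply above recommends: with "jail" and without "honeypot", inside a chroot, under a dedicated unprivileged uid/gid, with the capability bounding set and all capability sets cleared, and with no_new_privs set so nothing inside the container can regain privilege through a setuid binary. The jail directory /srv/uml-jail, the uid/gid 1001, and the UML argument list are constructed values, not something from the original message; the raw capset structures mirror linux/capability.h so the program needs no libcap. It has to be started as root, because chroot and bounding-set changes require capabilities, and it refuses to continue otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

/* Raw capset(2) structures, mirroring linux/capability.h (version 3 uses two
 * 32-bit words per set), so the example does not depend on libcap. */
#define CAP_VERSION_3 0x20080522
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Policy from the reply: "jail" must be present, "honeypot" must be absent.
 * argv is NULL-terminated; returns 1 when the argument list is acceptable. */
int uml_args_are_safe(char *const argv[])
{
    int jail = 0;
    for (int i = 0; argv[i] != NULL; i++) {
        if (strcmp(argv[i], "honeypot") == 0)
            return 0;            /* honeypot deliberately weakens UML */
        if (strcmp(argv[i], "jail") == 0)
            jail = 1;
    }
    return jail;
}

/* Confine the current (root) process: chroot, empty the bounding set, drop to
 * uid/gid, clear every capability set, and forbid privilege gain via exec.
 * Order matters: chroot and PR_CAPBSET_DROP need capabilities we are about to
 * give up. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (chroot(jail_dir) != 0 || chdir("/") != 0)
        return -1;

    /* Drop every capability from the bounding set; stop at the first EINVAL,
     * which marks the end of the capabilities this kernel knows about. */
    for (int cap = 0; ; cap++) {
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) {
            if (errno == EINVAL)
                break;
            return -1;
        }
    }

    if (setgroups(0, NULL) != 0)          /* no supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* setuid() away from root already clears permitted/effective; clear all
     * three sets explicitly so the inheritable set is empty as well. */
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;

    /* Verify the drop is irreversible: we must be unprivileged and unable
     * to become root again. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Check the argument policy, confine ourselves, then exec the UML binary
 * (path is resolved inside the chroot). Only returns on failure. */
int launch_uml(const char *jail_dir, uid_t uid, gid_t gid, char *const uml_argv[])
{
    if (!uml_args_are_safe(uml_argv)) {
        fprintf(stderr, "refusing to start: \"jail\" missing or \"honeypot\" set\n");
        return -1;
    }
    if (drop_privileges(jail_dir, uid, gid) != 0) {
        perror("drop_privileges");
        return -1;
    }
    execv(uml_argv[0], uml_argv);
    perror("execv");
    return -1;
}

int main(void)
{
    /* Constructed values (assumptions, not from the thread): the UML binary
     * and root filesystem live inside /srv/uml-jail, run as uid/gid 1001. */
    char *const uml_argv[] = { "/linux", "jail", "mem=64M", "ubd0=/root_fs", NULL };
    if (geteuid() != 0) {
        fprintf(stderr, "must be started as root to chroot and drop capabilities\n");
        return 1;
    }
    return launch_uml("/srv/uml-jail", 1001, 1001, uml_argv) == 0 ? 0 : 1;
}
```

The bounding-set drop is what makes the uid change stick: without it, a setuid-root binary left inside the chroot could hand capabilities back to a process that escaped the UML kernel, which is exactly the "damage an attacker can do in breaking the uml container" the reply wants limited.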