On Wed, 18 Apr 2001, Bill Sommerfeld wrote:

>   seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
>   chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
>     chdir("..");
>   chroot(".."); execve("/bin//sh", ..);
>
> For the record, I blocked this way of breaking out of chroot in NetBSD
> in 1999; the fix is present in NetBSD 1.4 and later releases.  I'm
> surprised that this hasn't been picked up by more distributions.

I expect many many other people are going to reply to this, but here
goes..

Trying to stop root breaking out of a chroot() environment tends to be an
exercise in futility. For every escape route you block, a clever attacker
is likely to think up two more.

Are you claiming root cannot escape a chroot() jail in NetBSD? If not,
you've increased the complexity of your kernel for little real-world gain.
An attacker will know when they are targeting NetBSD, and simply modify
the shellcode to escape the chroot() in some different manner.

If you _are_ claiming root cannot escape the jail, then how thorough have
you been? Have you taken care of
- ptrace() syscall
- mknod of /dev/kmem
- mknod of /dev/some_hard_drive
- attaching to IPC primitives
- kernel module loading (if NetBSD has the concept)
- games with mount(), in particular /proc
- iopl() - if NetBSD has it
- kill() of a sensitive daemon followed by bind() and then password theft
- use of a raw network socket to abuse a trust relationship
- etc. etc.

Cheers
Chris
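An added example (my own, not code from either message in this thread) of the defender's side of this discussion: since the thread's point is that root cannot be reliably kept inside a chroot(), a jailed service has to give up root for good and verify that it did. The jail path and the uid/gid 65534 used in main() are assumptions.

```c
/* Added example, not from the thread: enter a chroot() jail, then drop root
 * permanently and verify the drop took. The quoted escape needs root plus a
 * descriptor pointing outside the jail; this removes the former and the
 * comments say what the caller must do about the latter. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if the process holds root or could regain it, 0 otherwise.
 * setuid(0) failing with EPERM is the observable sign that no root identity
 * is left in the real, effective or saved uid. */
int still_privileged(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 1;
    if (setuid(0) == 0)       /* would succeed if the saved uid were still 0 */
        return 1;
    return 0;
}

/* Enter `jail` and drop to uid/gid. Returns 0 on success, -1 with errno set.
 * Order matters: chdir() into the jail before chroot() so the working
 * directory is inside it; setgroups()/setgid() before setuid() because they
 * need root. The caller must close descriptors referring to directories
 * outside the jail beforehand (the escape quoted above relies on one). */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never stay root */
    if (chdir(jail) == -1)        return -1;
    if (chroot(".") == -1)        return -1;   /* the jail is now "/" */
    if (chdir("/") == -1)         return -1;
    if (setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1)        return -1;
    if (setuid(uid) == -1)        return -1;
    /* Refuse to continue if root could still be reacquired. */
    if (still_privileged()) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Assumed jail directory and unprivileged ids; must be started as root. */
    if (confine_and_drop("/var/empty", 65534, 65534) == -1) {
        perror("confine_and_drop");
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```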
