Re: Escaping from a jail with root privileges on the host



On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote:
Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

* Using ezjail for managing my jails
* Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
* This works only when I use sudo, and cannot reproduce if I execute
everything as root

First, created a folder *inside* the jail and cd to it:

host$ sudo ezjail-admin console jail-test

jail-test# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

jail-test# mkdir ~/jail-folder
jail-test# cd ~/jail-folder

jail-test# pwd
/root/jail-folder

Then from the host machine I've moved this folder to the cwd.

host$ pwd
/usr/home/mra

host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

jail-test# pwd
/usr/home/mra/jail-folder

From here on the Jail's root user has full root privileges to the
host's filesystem.

Not sure if it is a sudo or jail issue, and it would be nice if someone
with more experience could check this up :)

This is not really "escaping".
It's more like "being sprung by your friends outside" since
it requires outside participation.
The jailed process cannot do it by itself.
Now what would be more interesting is if the jailed process can
make a new jail inside the old jail and then 'spring' the inmate there.
Will that inmate still be inside the parent jail, or outside both jails?

Regards,
Marin


_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
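An added example, not from the thread or from ezjail: a small Python check a host administrator could run against a (pid -> cwd) snapshot of a jail's processes, such as one gathered on the host with procstat(1), to flag processes whose working directory no longer lies under the jail root, which is exactly what the mv in the post produces. JAIL_ROOT, SAMPLE_CWDS and the pids are constructed values.

```python
import posixpath
from typing import Dict, List

# Constructed for this example; matches the jail path used in the post.
JAIL_ROOT = "/home/jails/jail-test"

# Hypothetical snapshot of pid -> cwd for processes attached to the jail,
# as a host admin might collect with procstat(1). Constructed values.
SAMPLE_CWDS: Dict[int, str] = {
    1201: "/home/jails/jail-test/root/jail-folder",  # still inside the jail
    1202: "/home/jails/jail-test2/root",             # sibling jail: outside
    1203: "/usr/home/mra/jail-folder",               # the "sprung" shell
    1204: "/home/jails/jail-test/root/../../..",     # normalises to /home
}


def is_inside(root: str, path: str) -> bool:
    """True if `path` is at or below `root` after path normalisation.

    Pure string comparison so the check runs offline. On a live host apply
    os.path.realpath() to both sides first, otherwise /home vs /usr/home
    (the symlink visible in the post) produces false positives.
    """
    root_n = posixpath.normpath(root)
    path_n = posixpath.normpath(path)
    if root_n == "/":
        return True
    # Compare on a path-component boundary so that jail-test2 is never
    # mistaken for a directory below jail-test.
    return path_n == root_n or path_n.startswith(root_n + "/")


def sprung_processes(root: str, cwds: Dict[int, str]) -> List[int]:
    """Return the pids whose cwd lies outside the jail root, sorted."""
    return sorted(pid for pid, cwd in cwds.items() if not is_inside(root, cwd))


if __name__ == "__main__":
    for pid in sprung_processes(JAIL_ROOT, SAMPLE_CWDS):
        print(f"pid {pid}: cwd {SAMPLE_CWDS[pid]} is outside {JAIL_ROOT}")
```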


