Re: user-mode-linux problems

From: Ajax (ajax@firest0rm.org)
Date: 01/31/02


Date: Thu, 31 Jan 2002 09:13:25 -0600 (CST)
From: Ajax <ajax@firest0rm.org>
To: <bugtraq@securityfocus.com>

On Mon, 28 Jan 2002, Andrew Griffiths wrote:

> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s is my comments to
> my article... deal with it.
> <snip>
>
> A user process can write into kernel memory, which will allow a person
> to get root inside the uml "box", and the possibility to break out of
> the uml "box", into the real one.
>
> This can happen even if the jail and honeypot options are turned on. [
> Though I suspect the version I was testing was half-way through
> implementing them ]

you're right about the "half-way through" bit. 2.4.17-9um is much better
in this respect.

the honeypot option explicitly *reduces* security:

/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
    This makes UML put process stacks in the same location as they are
    on the host, allowing expoits such as stack smashes to work against
    UML.
/usr/src/uml/linux$ ./linux --version
2.4.16-2um

as of 2.4.17-9um, the "honeypot" option turns on the "jail" option; thus
the most secure setup is to run uml with "jail" and not "honeypot".

also, running uml itself within a chroot, as its own UID, and with no
capabilities, quite effectively limits the damage an attacker can do in
breaking the uml container. but you all knew that already.

-=:[ ajax (firest0rm)
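
[Added example, not part of the original post or of the UML project's code: a host-side check that a running process (for instance the uml "linux" binary) has a non-root UID and empty capability sets, read from /proc/<pid>/status. The names field and status_is_confined are hypothetical, the Gid check goes beyond what the post lists, and the chroot is not visible in this file so it is not checked here.]

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the text after "key" on the line that starts with it, or NULL. */
static const char *field(const char *text, const char *key)
{
    size_t n = strlen(key);
    for (const char *p = text; p && *p; ) {
        if (strncmp(p, key, n) == 0)
            return p + n;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* 1: every Uid/Gid slot is non-zero and CapInh/CapPrm/CapEff are empty;
 * 0: some slot is root or a capability is held; -1: field missing/garbled. */
int status_is_confined(const char *status)
{
    static const struct { const char *key; int base, count, want_zero; } checks[] = {
        { "Uid:", 10, 4, 0 }, { "Gid:", 10, 4, 0 },  /* real, effective, saved, fs */
        { "CapInh:", 16, 1, 1 }, { "CapPrm:", 16, 1, 1 }, { "CapEff:", 16, 1, 1 },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        const char *v = field(status, checks[i].key);
        char *end;
        if (!v) return -1;
        for (int n = 0; n < checks[i].count; n++, v = end) {
            unsigned long long x = strtoull(v, &end, checks[i].base);
            if (end == v) return -1;
            if ((x == 0) != checks[i].want_zero) return 0;
        }
    }
    return 1;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int r = status_is_confined(buf);
    puts(r == 1 ? "confined" : r == 0 ? "NOT confined" : "unparsable");
    return r == 1 ? 0 : 1;
}
```

[Run with the pid of the UML process as the only argument; with no argument it inspects itself.]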


