On Mon, 28 Jan 2002, Andrew Griffiths wrote:

> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s is my comments to
> my article... deal with it.
> <snip>
>
> A user proccess can write into kernel memory, which will allow a person
> to get root inside the uml "box", and the possibility to break out of
> the uml "box", into the real one.
>
> This can happen even if the jail and honeypot options are turned on. [
> Though I suspect the version i was testing was half-way through
> implementing them ]

you're right about the "half-way through" bit. 2.4.17-9um is much better
in this respect.

the honeypot option explicitly *reduces* security:

/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
    This makes UML put process stacks in the same location as they are
    on the host, allowing expoits such as stack smashes to work against
    UML.
/usr/src/uml/linux$ ./linux --version
2.4.16-2um

as of 2.4.17-9um, the "honeypot" option turns on the "jail" option; thus
the most secure setup is to run uml with "jail" and not "honeypot".

also, running uml itself within a chroot, as its own UID, and with no
capabilities, quite effectively limits the damage an attacker can do in
breaking the uml container. but you all knew that already.

-=:[ ajax (firest0rm)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]