From: Greg A. Woods (woods weird.com)
Date: Fri Jul 13 2001 - 17:50:11 CDT
[ On Saturday, July 14, 2001 at 07:02:54 (+1000), matthew green wrote: ]
> Subject: re: i386 IO access and chroot()
>
> With == 2 it is difficult.
>
> this case is much more interesting. i don't believe it's possible.
If I'm not mistaken there are already some papers suggesting methods...
Indeed many of the existing methods I've seen documented are blocked by
preventing all new mounts when securelevel>=2.....
However I don't think mknod(2) is disabled at securelevel>=2 yet, and it
probably should be, though you can work around that by putting the
chroot jail on a filesystem mounted with 'nodev' (and maybe 'nosuid'
too!).
I think there could still be holes in lesser used facilities like /proc,
so leaving it mounted in view of the chroot area may be a mistake...
Various device drivers may have issues, so if there are any device nodes
visible in the chroot area.... ('nodev' and/or no mknod()....)
If there are any more buffer-overflow style vulnerabilities in the
kernel then that's another potential avenue of escape.....
I don't know if anyone's explored the possibilities of (ab)using
networking services from within the chroot jail yet either....
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods acm.org> <woods robohack.ca>
Planix, Inc. <woods planix.com>; Secrets of the Weird <woods weird.com>
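Added example (not part of Greg's message or the thread): a small POSIX shell audit that checks the two hardening points raised above for a jail directory, namely whether the filesystem holding the jail is mounted nodev and nosuid, and whether any device nodes or foreign mount points (such as a procfs) are visible beneath the jail root. The mount listing is a constructed sample in NetBSD `mount` format and the jail path /var/chroot/named is hypothetical.

```shell
#!/bin/sh
# Constructed sample of `mount` output; a real run would feed in "$(mount)".
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/wd0f on /home type ffs (local)
procfs on /var/chroot/named/proc type procfs (local)'

# Print the option list of the longest mount point that contains path $2,
# reading "DEV on MP type T (opts)" lines from the listing in $1.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v path="$2" '
        {
            mp = $3
            pre = mp "/"; if (mp == "/") pre = "/"
            if (path == mp || index(path, pre) == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $0 }
            }
        }
        END { sub(/^.*\(/, "", best); sub(/\).*$/, "", best); print best }'
}

# Succeed only if the jail filesystem carries both nodev and nosuid.
jail_mount_ok() {
    opts=",$(mount_opts_for "$1" "$2" | tr -d ' '),"
    case "$opts" in *,nodev,*) ;; *) return 1 ;; esac
    case "$opts" in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# List mount points that sit inside the jail root (e.g. a visible /proc).
mounts_inside_jail() {
    printf '%s\n' "$1" | awk -v jail="$2" 'index($3, jail "/") == 1 { print $3 }'
}

# Count block and character device nodes reachable under the jail root.
jail_device_nodes() {
    find "$1" \( -type b -o -type c \) 2>/dev/null | wc -l | tr -d ' '
}
```

Run it against a live system by replacing the sample with `"$(mount)"` and the jail path; any non-empty output from mounts_inside_jail or a non-zero device count is something to explain before relying on the jail.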