Chw00t: How to break out from various chroot solutions
Balázs Bucsay OSCE, OSCP, GIAC GPEN, OSWP
http://rycon.hu/ - https://www.mrg-effitas.com/ @xoreipeip
Bio / Balázs Bucsay
• Hungarian Hacker
• Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN
• Works for MRG Effitas - research, AV/endpoint security product tests
• Started with ring0 debuggers and disassemblers in 2000 (13 years old)
• Major project in 2009: GI John a distributed password cracker
• Presentations around the world (Atlanta, Moscow, London, Oslo)
• Webpage: http://rycon.hu
• Twitter: @xoreipeip
• Linkedin: http://www.linkedin.com/in/bucsayb
Chroot’s brief history
• Introduced in Version 7 Unix - 1979
• Inherited from V7 UNIX to BSD - 1982
• Hardened version was implemented in FreeBSD - 2000
• Virtuozzo (OpenVZ) containers - 2000
• Chroot on Steroids: Solaris container - 2005
• LXC: Linux Containers - 2008
What is Chroot?
• A privileged system call on Unix systems
• Changes the dedicated root vnode of a process (all children inherit this)
• Some OSes store chroots in linked lists
• Prevents access to outside of the new root
• Requires root: prevents crafted chroots for privilege escalation
What’s this used for?
• Testing environments
• Dependency control
• Compatibility
• Recovery
• Privilege separation??
Requirements for reasonable chroot
• All directories must be root:root owned
• Superuser process cannot be run in chroot
• Distinct and unique user (uid, gid) has to be used
• No sensitive files (or files at all) can be modified or created
• Close all file descriptors before chrooting
• chdir before chroot
• /proc should not be mounted
• Bonus: use /var/empty for an empty environment
Chroot scenarios
Shell access:
• SSH access to a chrooted environment
• Chrooted Apache running with mod_cgi/mod_php/…
• Exploiting a vulnerable chrooted app
Only filesystem access:
• Chrooted SCP/FTP access
Breakage techniques, summarised
• Get root (not all techniques need it)
• Get access to a directory’s file descriptor outside of the chroot
• Find the original root
• Chroot into that
• Escaped
• Only a few OSes store chroots in linked lists; if you can break out of one, you have broken out of all of them
[Diagram: Example structure, original root. Tree: / {bin, etc, home {chroot {bin, etc, home {user3, chroot2 {bin, etc, home {user6, user7}, usr}, user4, user5}, usr}, user1, user2}, usr}]
[Diagram: Example structure, new root after chrooting once (/chroot): the subtree below the chroot directory becomes /]
[Diagram: Example structure, new root after chrooting twice (/chroot2): the subtree below the chroot2 directory becomes /]
Breakage techniques: kernel exploit/module
Not going to talk about this
#root: MIGHT be needed
Breakage techniques: misconfigurations
• Hard to recognise and exploit
• Wrong permissions on files or directories
• Dynamic loading of shared libraries
• Hardlinked suid/sgid binaries using chrooted shared libraries
• For example:
• /etc/passwd ; /etc/shadow
• /lib/libpam.so.0 - used by /bin/su
• These can be used to run code as root
#root: NOT needed
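As an added example (editor’s code, not part of the chw00t slides or the chw00t tool), here is a C audit that checks a candidate jail directory against the "Requirements for reasonable chroot" slides above (root-owned directories, nothing writable, no setuid binaries, no /proc mounted) and the misconfigurations listed on this slide, followed by the entry sequence those requirements imply (close fds, chdir before chroot, drop privileges irreversibly). The function names `audit_jail`, `enter_jail`, `build_sample_jail` and the sample tree are this example’s own constructions; in production the expected owner is uid 0, and `enter_jail` requires root.

```c
/* jail_audit.c: added example, not from the chw00t slides or tool.
 * Audits a jail directory against the talk's "reasonable chroot" list and
 * shows the entry sequence that list implies. Names are the editor's own. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <ftw.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define F_OWNER    1   /* directory not owned by the expected (root) account     */
#define F_WRITABLE 2   /* group/world-writable: files can be modified or planted */
#define F_SETID    4   /* setuid/setgid binary: a root process inside the jail   */

/* Pure check on one inode's mode and owner; returns a bitmask of the problems above. */
int entry_findings(mode_t mode, uid_t uid, uid_t expected_owner)
{
    int f = 0;
    if (S_ISDIR(mode) && uid != expected_owner)                  f |= F_OWNER;
    if (!S_ISLNK(mode) && (mode & (S_IWGRP | S_IWOTH)))          f |= F_WRITABLE;  /* symlinks are always 0777 */
    if (S_ISREG(mode) && (mode & (S_ISUID | S_ISGID)))           f |= F_SETID;
    return f;
}

static uid_t g_owner;     /* owner every directory must have (0 in production) */
static int   g_findings;  /* running count for the current audit */

static int visit(const char *path, const struct stat *sb, int type, struct FTW *ftw)
{
    (void)ftw;
    if (type == FTW_NS || type == FTW_DNR) {       /* unreadable entries cannot be verified */
        printf("%s: unreadable, cannot verify\n", path);
        g_findings++;
        return 0;
    }
    int f = entry_findings(sb->st_mode, sb->st_uid, g_owner);
    if (f & F_OWNER)    printf("%s: directory not owned by uid %u\n", path, (unsigned)g_owner);
    if (f & F_WRITABLE) printf("%s: writable by group or others\n", path);
    if (f & F_SETID)    printf("%s: setuid/setgid file inside the jail\n", path);
    for (; f; f &= f - 1) g_findings++;            /* one finding per set bit */
    return 0;
}

/* True when root/sub is a mount point (e.g. procfs mounted inside the jail). */
static int is_mount_point(const char *root, const char *sub)
{
    char p[4096];
    struct stat a, b;
    snprintf(p, sizeof p, "%s/%s", root, sub);
    if (stat(root, &a) != 0 || stat(p, &b) != 0) return 0;   /* absent: nothing mounted */
    return a.st_dev != b.st_dev;
}

/* Walks the jail without crossing mounts; returns the number of findings, -1 on error. */
int audit_jail(const char *root, uid_t expected_owner)
{
    g_owner = expected_owner;
    g_findings = 0;
    if (nftw(root, visit, 16, FTW_PHYS | FTW_MOUNT) != 0) return -1;
    if (is_mount_point(root, "proc")) {
        printf("%s/proc is a mount point: /proc must not be mounted in the jail\n", root);
        g_findings++;
    }
    return g_findings;
}

/* Entry sequence implied by the requirements (needs root; not run by the tests):
 * close inherited fds, chdir before chroot, then drop privileges irreversibly. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;                  /* no superuser process inside */
    long maxfd = sysconf(_SC_OPEN_MAX);
    for (long fd = 3; fd < maxfd; fd++) close(fd);        /* a saved directory fd would defeat the jail */
    if (chdir(root) != 0 || chroot(".") != 0) return -1;  /* cwd is inside the new root, never outside */
    if (setgroups(0, NULL) != 0) return -1;               /* drop supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                        /* must fail: root could chroot() again */
    return 0;
}

/* Constructed sample: a deliberately misconfigured jail in a temp dir
 * (world-writable tmp/, setuid bin/su) so audit_jail has something to report. */
int build_sample_jail(char *root, size_t n)
{
    char p[4096];
    int fd;
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(root, n, "%s/jailXXXXXX", tmp);
    if (mkdtemp(root) == NULL) return -1;
    snprintf(p, sizeof p, "%s/bin", root); if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc", root); if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/tmp", root); if (mkdir(p, 0755) != 0 || chmod(p, 0777) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc/passwd", root);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0644)) < 0) return -1;
    close(fd);
    snprintf(p, sizeof p, "%s/bin/su", root);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0755)) < 0) return -1;
    close(fd);
    return chmod(p, 04755);                                /* setuid: the misconfiguration from the slide */
}

/* Builds the sample and audits it with the current euid as expected owner. */
int sample_audit_findings(void)
{
    char root[4096];
    if (build_sample_jail(root, sizeof root) != 0) return -1;
    return audit_jail(root, geteuid());   /* production use: expected owner is uid 0 */
}

int main(void)
{
    int n = sample_audit_findings();
    printf("%d finding(s)\n", n);
    return n == 0 ? 0 : 2;
}
```

On the sample tree the audit reports two findings, the world-writable tmp/ and the setuid bin/su; run against a real jail with expected owner 0, any non-zero count means the environment does not meet the requirements listed on the slides.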
Breakage techniques: classic
• Oldest and most trivial
• mkdir(d); chroot(d); cd ../../../; chroot(.)
• The chroot syscall does not chdir into the new root, so the CWD stays outside it
#root: needed
[Diagram: Root and CWD, marked on the example tree]
[Diagram: Root barrier and CWD, two animation steps: after chroot(d) the root barrier moves but the CWD stays where it was]
Breakage techniques: classic+fd saving
• Based on the classic
• Saving the file descriptor of CWD before chroot
• mkdir(d); n=open(.); chroot(d); fchdir(n); cd ../../../../; chroot(.)
• Some OSes might change the CWD to the new root on chroot()
#root: needed
[Diagram: Root, CWD and saved fd, marked on the example tree]
[Diagram: Root barrier and saved fd, two animation steps: the root barrier moves while the saved directory fd still refers to the outside directory]
Breakage techniques: Unix Domain Sockets
• UDS are similar to Internet sockets
• File descriptors can be passed through them
• Create a secondary chroot and pass an outside fd through
• Or use outside help (not really realistic)
• Abstract UDS do not require filesystem access
#root: needed
[Diagram: Root(0) and CWD, marked on the example tree]
[Diagram: Root barrier(1): parent forks]
[Diagram: Root barrier(2): forked child]
[Diagram: Root barrier(1) and FD (UDS)]
[Diagram: Child root barrier(2) and FD (UDS), two animation steps]
Breakage techniques: mount()
• Mounting root device into a directory
• Chrooting into that directory
• Linux is not restrictive about mounting inside a chroot
#root: needed
Breakage techniques: /proc
• Mounting procfs into a directory
• Looking for a pid that has a different root/cwd entry
• for example: /proc/1/root
• chroot into that entry
#root: needed
Breakage techniques: move-out-of-chroot
• The reason why I started to work on this
• Creating chroot and a directory in it
• Use the directory for CWD
• Move the directory out of the chroot
#root: MIGHT be needed
[Diagram: Root(0) and CWD, marked on the example tree]
[Diagram: Root barrier(1): parent forks]
[Diagram: Root barrier(2): forked child]
[Diagram: Root barrier(2) and CWD]
[Diagram: Root barrier(2) and user7 moved out, two animation steps]
Breakage techniques: ptrace()
• System call to observe other processes
• Root can attach to any process
• A user can attach to processes with the same uid (when euid=uid)
• Change the original code and run shellcode
#root: NOT needed
Question
Tell me a service that is usually chrooted
DEMO
Results
Columns: Debian = Debian 7.8 (2.6.32) / Kali 3.12; Ubuntu = Ubuntu 14.04.1 (3.13.0-32-generic); DragonFly = DragonFlyBSD 4.0.5 x86_64; FreeBSD = FreeBSD 10.-RELEASE amd64; NetBSD = NetBSD 6.1.4 amd64; OpenBSD = OpenBSD 5.5 amd64; Solaris = Solaris 5.11 11.1 i386; Mac OS X

Technique             Debian  Ubuntu     DragonFly  FreeBSD    NetBSD  OpenBSD     Solaris  Mac OS X
Classic               YES     YES        DoS        NO         NO      NO          YES      YES
Classic FD            YES     YES        NO         NO         NO      NO          YES      YES
Unix Domain Sockets   YES     YES        DoS        PARTIALLY  NO      PARTIALLY?  YES      YES
/proc                 YES     YES        NO         NO         NO      NO          YES      NO
Mount                 YES     YES        NO         NO         NO      NO          NO       NO
move-out-of-chroot    YES     YES        DoS        PARTIALLY  NO      YES         YES      YES
Ptrace                YES     PARTIALLY  NO?        YES        NO      YES         N/A      N/A
Results (FreeBSD jail)

Technique             FreeBSD 10.-RELEASE amd64   FreeBSD 10.-RELEASE amd64, jail
Classic               NO                          NO
Classic FD            NO                          NO
Unix Domain Sockets   PARTIALLY                   PARTIALLY
Mount                 NO                          NO
/proc                 NO                          NO
move-out-of-chroot    PARTIALLY                   PARTIALLY
Ptrace                YES                         NO
Filesystem access only
• Move-out-of-chroot still works on FTP/SCP
• Privilege escalation is possible in a misconfigured environment
• A shell can be popped by replacing or planting shared libraries or other malicious files in the chroot
Linux Containers
• A privileged container (no user namespaces) can create nested containers
• The host container has access to the guest container’s filesystem
• Using the move-out-of-chroot technique, the real host’s filesystem becomes accessible
DEMO 2
Future work
• Testing new UNIX operating systems (e.g. AIX, HP-UX)
• Looking for other techniques
Greetz to:
• My girlfriend and family
• Wolphie and Solar Designer for mentoring
• Spender and Kristof Feiszt for reviewing
http://rycon.hu - https://www.mrg-effitas.com/ https://github.com/earthquake
@xoreipeip
Thank you!
Q&A