SlideShare une entreprise Scribd logo

Chw00t: Breaking unices’ chroot solutions

Positive Hack Days
Positive Hack Days

Chw00t: Breaking unices’ chroot solutions

Technologie
1  sur  37
Télécharger pour lire hors ligne
Chw00t: Breaking unices’ chroot solutions Balázs Bucsay - Бaлaж Бучaи OSCE, OSCP, GIAC GPEN, OSWP http://rycon.hu/ @xoreipeip
Bio / Balazs Bucsay • Hungarian Hacker • Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN • Currently working for a large telecommunication company • Started with ring0 debuggers and disassemblers in 2000 (13 years old) • Major project in 2009: GI John a distributed password cracker • Webpage: http://rycon.hu • Twitter: @xoreipeip • Linkedin: http://www.linkedin.com/in/bucsayb
Chroot’s brief history • Introduced in Version 7 Unix - 1979 • Implemented in BSD - 1982 • Hardened version was implemented in FreeBSD - 2000 • Virtuozzo (OpenVZ) containers - 2000 • Chroot on Steroids: Solaris container - 2005 • LXC: Linux Containers - 2008
What is Chroot? • A privileged system call on Unix systems • Changes the dedicated root vnode of a process (all children inherit this) • Some OS stores chroots in linked lists • Prevents access to outside of the new root • Requires root: prevents crafted chroots for privilege escalation
What’s this used for? • Testing environments • Dependency control • Compatibility • Recovery • Privilege separation??
Requirements for reasonable chroot • All directories must be root:root owned • Superuser process cannot be run in chroot • Distinct and unique user (uid, gid) has to be used • No sensitive files (or files at all) can be modified or created
Requirements for reasonable chroot • Close all file descriptors before chrooting • chdir before chroot • /proc should not be mounted • + Use /var/empty for empty environment
Chroot scenarios Shell access: • SSH access to a chrooted environment • Chrooted Apache running with mod_cgi/mod_php/… • Exploiting a vulnerable chrooted app Only filesystem access: • Chrooted SCP/FTP access
Breakage techniques mostly summarised • Get root (not all techniques need it) • Get access to a directory’s file descriptor outside of the chroot • Find original root • Chroot into that • Escaped • Only a few OS stores chroots in linked lists, if you can break out of one, you broke out all of them
Example structure
Breakage techniques: kernel exploit/module 
 Not going to talk about this #root: MIGHT needed
Breakage techniques: misconfigurations • Hard to recognise and exploit • Wrong permissions on files or directories • Dynamic loading of shared libraries • Hardlinked suid/sgid binaries using chrooted shared libraries • For example: • /etc/passwd ; /etc/shadow • /lib/libpam.so.0 - used by /bin/su • These can be used to run code as root #root: NOT needed
Breakage techniques: classic • Oldest and most trivial • mkdir(d); chroot(d); cd ../../../; chroot(.) • chroot syscall does not chdir into the directory, stays outside #root: needed
Example structure
Breakage techniques: classic+fd saving • Based on the classic • Saving the file descriptor of CWD before chroot • mkdir(d); n=open(.); chroot(d); fchdir(n); cd ../../../../; chroot(.) • Some OS might changing the CWD to the chrooted one #root: needed
Example structure
Breakage techniques: Unix Domain Sockets • UDS are similar to Internet sockets • File descriptors can be passed thru • Creating secondary chroot and passing outside fd thru • Or using outside help (not really realistic) • Abstract UDS does not require filesystem access #root: needed
Example structure
Breakage techniques: mount() • Mounting root device into a directory • Chrooting into that directory • Linux is not restrictive on mounting #root: needed
Breakage techniques: /proc • Mounting procfs into a directory • Looking for a pid that has a different root/cwd entry • for example: /proc/1/root • chroot into that entry #root: needed
Breakage techniques: move-out-of-chroot • The reason why I started to work on this • Creating chroot and a directory in it • Use the directory for CWD • Move the directory out of the chroot #root: MIGHT needed
Example structure
Breakage techniques: ptrace() • System call to observe other processes • Root can attach to any processes • User can attach to same uid processes (when euid=uid) • Change original code and run shellcode #root: NOT needed
DEMO
Results Debian 7.8;2.6.32/ Kali 3.12 Ubuntu 14.04.1;3.13.0 -32-generic DragonFlyBS D 4.0.5 x86_64 FreeBSD 10.- RELEASE amd64 NetBSD 6.1.4 amd64 OpenBSD 5.5 amd64 Solaris 5.11 11.1 i386 Mac OS X Classic YES YES DoS NO NO NO YES YES Classic FD YES YES NO NO NO NO YES YES Unix Domain Sockets YES YES DoS PARTIALLY NO PARTIALLY YES YES Mount YES YES NO NO NO NO NO NO /proc YES YES NO NO NO NO YES NO move-out-of-chroot YES YES DoS PARTIALLY NO YES YES YES Ptrace YES PARTIALLY NO? YES NO YES N/A N/A
Results (FreeBSD jail) FreeBSD 10.- RELEASE amd64 FreeBSD Jail 10.- RELEASE amd64 Classic NO NO Classic FD NO NO Unix Domain Sockets PARTIALLY PARTIALLY Mount NO NO /proc NO NO move-out-of-chroot PARTIALLY PARTIALLY Ptrace YES NO
If you want me to release this tool
Filesystem access only • Move-out-of-chroot still works on FTP/SCP • Privilege escalation is possible on misconfigured environment • Shell can be popped by replacing or placing shared libraries/malicious files in chroot
Linux Containers • Privileged container (no user namespaces) can create nested containers • Host container has access to guest container’s filesystem • Based on the move-out-of-chroot technique, real host’s file system is accessible
DEMO 2
Future work • Testing new UNIX operating systems (eg. AIX, HP-UX) • Looking for other techniques • Improving code and Ptrace technique
Future work
Greetz to: • My girlfriend and family • Wolphie and Solar Designer for mentoring • Spender and Kristof Feiszt for reviewing
References • http://www.bpfh.net/simes/computing/chroot-break.html • http://www.unixwiz.net/techtips/chroot-practices.html • http://linux-vserver.org/Secure_chroot_Barrier • http://phrack.org/issues/59/12.html • http://lwn.net/Articles/421933/ • https://securityblog.redhat.com/2013/03/27/is-chroot-a-security- feature/ • http://www.lorien.ch/images/chroot.gif
http://rycon.hu https://github.com/earthquake @xoreipeip Thank you ! Q&A

Recommandé

Chw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutionsChw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutions
Balazs Bucsay
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on Windows
Carl Su
 
Embedded Linux Odp
Embedded Linux OdpEmbedded Linux Odp
Embedded Linux Odp
ghessler
 
Rootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based RootkitRootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based Rootkit
Chia-Hao Tsai
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?
Hideki Yamane
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo
 

Recommandé

Chw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutionsChw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutions
Balazs Bucsay
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on Windows
Carl Su
 
Embedded Linux Odp
Embedded Linux OdpEmbedded Linux Odp
Embedded Linux Odp
ghessler
 
Rootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based RootkitRootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based Rootkit
Chia-Hao Tsai
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?
Hideki Yamane
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo
 
Kernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootKernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using Buildroot
Anne Nicolas
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup
晓东 杜
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
Jeff Beley
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
Nullbyte Security Conference
 
linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrix
Sherif Mousa
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
nullthreat
 
Kernel Recipes 2013 - Conditional boot
Kernel Recipes 2013 - Conditional bootKernel Recipes 2013 - Conditional boot
Kernel Recipes 2013 - Conditional boot
Anne Nicolas
 
Easy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
Easy Installation and Setup of PostgreSQL on Linux, OSX, & WindowsEasy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
Easy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
haroonm
 
Ha opensuse
Ha opensuseHa opensuse
Ha opensuse
Kenny (netman)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
Enrico Scapin
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White Meat
Adam Compton
 
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generatorKernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Anne Nicolas
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
NetBSD workshop
NetBSD workshopNetBSD workshop
NetBSD workshop
Jun Ebihara
 
NetBSDworkshop
NetBSDworkshopNetBSDworkshop
NetBSDworkshop
Jun Ebihara
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
Ramin Farajpour Cami
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto Joseph
Anthony Jose
 
Dockerの準備
Dockerの準備Dockerの準備
Dockerの準備
koedoyoshida
 
Arch linux
Arch linuxArch linux
Arch linux
Martin Laporga
 
Containers Through the Ages - SysEleven
Containers Through the Ages - SysElevenContainers Through the Ages - SysEleven
Containers Through the Ages - SysEleven
Johann Paulus Almeida
 
Docker 101 @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016Docker 101 @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016
Walid Shaari
 

Contenu connexe

Tendances

linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrix
Sherif Mousa
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
Enrico Scapin
 
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generatorKernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Anne Nicolas
 

Tendances (20)

Kernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootKernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using Buildroot
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
 
linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrix
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Kernel Recipes 2013 - Conditional boot
Kernel Recipes 2013 - Conditional bootKernel Recipes 2013 - Conditional boot
Kernel Recipes 2013 - Conditional boot
 
Easy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
Easy Installation and Setup of PostgreSQL on Linux, OSX, & WindowsEasy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
Easy Installation and Setup of PostgreSQL on Linux, OSX, & Windows
 
Ha opensuse
Ha opensuseHa opensuse
Ha opensuse
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White Meat
 
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generatorKernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
Kernel Recipes 2013 - Crosstool-NG, a cross-toolchain generator
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
NetBSD workshop
NetBSD workshopNetBSD workshop
NetBSD workshop
 
NetBSDworkshop
NetBSDworkshopNetBSDworkshop
NetBSDworkshop
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto Joseph
 
Dockerの準備
Dockerの準備Dockerの準備
Dockerの準備
 
Arch linux
Arch linuxArch linux
Arch linux
 

En vedette

Container port forecasts
Container port forecastsContainer port forecasts
Container port forecasts
Tristan Wiggill
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
Jim Yeh
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
WSO2
 

En vedette (20)

Containers Through the Ages - SysEleven
Containers Through the Ages - SysElevenContainers Through the Ages - SysEleven
Containers Through the Ages - SysEleven
 
Docker 101 @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016Docker 101 @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016
 
Container port forecasts
Container port forecastsContainer port forecasts
Container port forecasts
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Containers technologies
Containers technologiesContainers technologies
Containers technologies
 
Lessons learned in reaching multi-host container networking
Lessons learned in reaching multi-host container networkingLessons learned in reaching multi-host container networking
Lessons learned in reaching multi-host container networking
 
Criação de ambientes em chroot
Criação de ambientes em chrootCriação de ambientes em chroot
Criação de ambientes em chroot
 
Namespace
NamespaceNamespace
Namespace
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
 
Container orchestration
Container orchestrationContainer orchestration
Container orchestration
 
LSA2 - 02 chrooting
LSA2 - 02 chrootingLSA2 - 02 chrooting
LSA2 - 02 chrooting
 
Understand how docker works
Understand how docker worksUnderstand how docker works
Understand how docker works
 
LXD: The hypervisor that isn't
LXD: The hypervisor that isn'tLXD: The hypervisor that isn't
LXD: The hypervisor that isn't
 
Hypervisor "versus" Linux Containers with Docker !
Hypervisor "versus" Linux Containers with Docker !Hypervisor "versus" Linux Containers with Docker !
Hypervisor "versus" Linux Containers with Docker !
 
LSA2 - 01 Virtualization with KVM
LSA2 - 01 Virtualization with KVMLSA2 - 01 Virtualization with KVM
LSA2 - 01 Virtualization with KVM
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Lxd the proper way of runing containers
Lxd the proper way of runing containersLxd the proper way of runing containers
Lxd the proper way of runing containers
 
LXD Container Hypervisor
LXD Container HypervisorLXD Container Hypervisor
LXD Container Hypervisor
 

Similaire à Chw00t: Breaking unices’ chroot solutions

Gentoo Linux, or Why in the World You Should Compile Everything
Gentoo Linux, or Why in the World You Should Compile EverythingGentoo Linux, or Why in the World You Should Compile Everything
Gentoo Linux, or Why in the World You Should Compile Everything
Donnie Berkholz
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Walid Shaari
 
LXC Containers and AUFs
LXC Containers and AUFsLXC Containers and AUFs
LXC Containers and AUFs
Docker, Inc.
 

Similaire à Chw00t: Breaking unices’ chroot solutions (20)

Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Gentoo Linux, or Why in the World You Should Compile Everything
Gentoo Linux, or Why in the World You Should Compile EverythingGentoo Linux, or Why in the World You Should Compile Everything
Gentoo Linux, or Why in the World You Should Compile Everything
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless Containers
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
 
LXC Containers and AUFs
LXC Containers and AUFsLXC Containers and AUFs
LXC Containers and AUFs
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Docking postgres
Docking postgresDocking postgres
Docking postgres
 
Central Iowa Linux Users Group: November Meeting -- Container showdown
Central Iowa Linux Users Group: November Meeting -- Container showdownCentral Iowa Linux Users Group: November Meeting -- Container showdown
Central Iowa Linux Users Group: November Meeting -- Container showdown
 
The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)
 
presentation on Docker
presentation on Dockerpresentation on Docker
presentation on Docker
 
Intro To Gentoo Embedded Cclug
Intro To Gentoo Embedded CclugIntro To Gentoo Embedded Cclug
Intro To Gentoo Embedded Cclug
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
 

Plus de Positive Hack Days

Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

Plus de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Chw00t: Breaking unices’ chroot solutions

  • 1. Chw00t: Breaking unices’ chroot solutions Balázs Bucsay - Бaлaж Бучaи OSCE, OSCP, GIAC GPEN, OSWP http://rycon.hu/ @xoreipeip
  • 2. Bio / Balazs Bucsay • Hungarian Hacker • Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN • Currently working for a large telecommunication company • Started with ring0 debuggers and disassemblers in 2000 (13 years old) • Major project in 2009: GI John a distributed password cracker • Webpage: http://rycon.hu • Twitter: @xoreipeip • Linkedin: http://www.linkedin.com/in/bucsayb
  • 3. Chroot’s brief history • Introduced in Version 7 Unix - 1979 • Implemented in BSD - 1982 • Hardened version was implemented in FreeBSD - 2000 • Virtuozzo (OpenVZ) containers - 2000 • Chroot on Steroids: Solaris container - 2005 • LXC: Linux Containers - 2008
  • 4. What is Chroot? • A privileged system call on Unix systems • Changes the dedicated root vnode of a process (all children inherit this) • Some OS stores chroots in linked lists • Prevents access to outside of the new root • Requires root: prevents crafted chroots for privilege escalation
  • 5. What’s this used for? • Testing environments • Dependency control • Compatibility • Recovery • Privilege separation??
  • 6.
  • 7.
  • 8. Requirements for reasonable chroot • All directories must be root:root owned • Superuser process cannot be run in chroot • Distinct and unique user (uid, gid) has to be used • No sensitive files (or files at all) can be modified or created
  • 9. Requirements for reasonable chroot • Close all file descriptors before chrooting • chdir before chroot • /proc should not be mounted • + Use /var/empty for empty environment
  • 10. Chroot scenarios Shell access: • SSH access to a chrooted environment • Chrooted Apache running with mod_cgi/mod_php/… • Exploiting a vulnerable chrooted app Only filesystem access: • Chrooted SCP/FTP access
  • 11. Breakage techniques mostly summarised • Get root (not all techniques need it) • Get access to a directory’s file descriptor outside of the chroot • Find original root • Chroot into that • Escaped • Only a few OS stores chroots in linked lists, if you can break out of one, you broke out all of them
  • 13. Breakage techniques: kernel exploit/module 
 Not going to talk about this #root: MIGHT needed
  • 14. Breakage techniques: misconfigurations • Hard to recognise and exploit • Wrong permissions on files or directories • Dynamic loading of shared libraries • Hardlinked suid/sgid binaries using chrooted shared libraries • For example: • /etc/passwd ; /etc/shadow • /lib/libpam.so.0 - used by /bin/su • These can be used to run code as root #root: NOT needed
  • 15. Breakage techniques: classic • Oldest and most trivial • mkdir(d); chroot(d); cd ../../../; chroot(.) • chroot syscall does not chdir into the directory, stays outside #root: needed
  • 17. Breakage techniques: classic+fd saving • Based on the classic • Saving the file descriptor of CWD before chroot • mkdir(d); n=open(.); chroot(d); fchdir(n); cd ../../../../; chroot(.) • Some OS might changing the CWD to the chrooted one #root: needed
  • 19. Breakage techniques: Unix Domain Sockets • UDS are similar to Internet sockets • File descriptors can be passed thru • Creating secondary chroot and passing outside fd thru • Or using outside help (not really realistic) • Abstract UDS does not require filesystem access #root: needed
  • 21. Breakage techniques: mount() • Mounting root device into a directory • Chrooting into that directory • Linux is not restrictive on mounting #root: needed
  • 22. Breakage techniques: /proc • Mounting procfs into a directory • Looking for a pid that has a different root/cwd entry • for example: /proc/1/root • chroot into that entry #root: needed
  • 23. Breakage techniques: move-out-of-chroot • The reason why I started to work on this • Creating chroot and a directory in it • Use the directory for CWD • Move the directory out of the chroot #root: MIGHT needed
  • 25. Breakage techniques: ptrace() • System call to observe other processes • Root can attach to any processes • User can attach to same uid processes (when euid=uid) • Change original code and run shellcode #root: NOT needed
  • 26. DEMO
  • 27. Results Debian 7.8;2.6.32/ Kali 3.12 Ubuntu 14.04.1;3.13.0 -32-generic DragonFlyBS D 4.0.5 x86_64 FreeBSD 10.- RELEASE amd64 NetBSD 6.1.4 amd64 OpenBSD 5.5 amd64 Solaris 5.11 11.1 i386 Mac OS X Classic YES YES DoS NO NO NO YES YES Classic FD YES YES NO NO NO NO YES YES Unix Domain Sockets YES YES DoS PARTIALLY NO PARTIALLY YES YES Mount YES YES NO NO NO NO NO NO /proc YES YES NO NO NO NO YES NO move-out-of-chroot YES YES DoS PARTIALLY NO YES YES YES Ptrace YES PARTIALLY NO? YES NO YES N/A N/A
  • 28. Results (FreeBSD jail) FreeBSD 10.- RELEASE amd64 FreeBSD Jail 10.- RELEASE amd64 Classic NO NO Classic FD NO NO Unix Domain Sockets PARTIALLY PARTIALLY Mount NO NO /proc NO NO move-out-of-chroot PARTIALLY PARTIALLY Ptrace YES NO
  • 29. If you want me to release this tool
  • 30. Filesystem access only • Move-out-of-chroot still works on FTP/SCP • Privilege escalation is possible on misconfigured environment • Shell can be popped by replacing or placing shared libraries/malicious files in chroot
  • 31. Linux Containers • Privileged container (no user namespaces) can create nested containers • Host container has access to guest container’s filesystem • Based on the move-out-of-chroot technique, real host’s file system is accessible
  • 33. Future work • Testing new UNIX operating systems (eg. AIX, HP-UX) • Looking for other techniques • Improving code and Ptrace technique
  • 35. Greetz to: • My girlfriend and family • Wolphie and Solar Designer for mentoring • Spender and Kristof Feiszt for reviewing
  • 36. References • http://www.bpfh.net/simes/computing/chroot-break.html • http://www.unixwiz.net/techtips/chroot-practices.html • http://linux-vserver.org/Secure_chroot_Barrier • http://phrack.org/issues/59/12.html • http://lwn.net/Articles/421933/ • https://securityblog.redhat.com/2013/03/27/is-chroot-a-security- feature/ • http://www.lorien.ch/images/chroot.gif