chw00t how to break out from various chroot solutions
play

Chw00t: How to break out from various chroot solutions Balzs Bucsay - PowerPoint PPT Presentation

Nov 18, 2022 •17 likes •557 views

Chw00t: How to break out from various chroot solutions Balzs Bucsay OSCE, OSCP , GIAC GPEN, OSWP http://rycon.hu/ - https://www.mrg-effitas.com/ @xoreipeip Bio / Balazs Bucsay Hungarian Hacker Strictly technical certificates: OSCE,

  1. Chw00t: How to break out from various chroot solutions Balázs Bucsay OSCE, OSCP , GIAC GPEN, OSWP http://rycon.hu/ - https://www.mrg-effitas.com/ @xoreipeip

  2. Bio / Balazs Bucsay • Hungarian Hacker • Strictly technical certificates: OSCE, OSCP , OSWP and GIAC GPEN • Works for MRG Effitas - research, AV/endpoint security product tests • Started with ring0 debuggers and disassemblers in 2000 (13 years old) • Major project in 2009: GI John a distributed password cracker • Presentations around the world (Atlanta, Moscow, London, Oslo) • Webpage: http://rycon.hu • Twitter: @xoreipeip • Linkedin: http://www.linkedin.com/in/bucsayb

  3. Chroot’s brief history • Introduced in Version 7 Unix - 1979 • Inherited from V7 UNIX to BSD - 1982 • Hardened version was implemented in FreeBSD - 2000 • Virtuozzo (OpenVZ) containers - 2000 • Chroot on Steroids: Solaris container - 2005 • LXC: Linux Containers - 2008

  4. What is Chroot? • A privileged system call on Unix systems • Changes the dedicated root vnode of a process (all children inherit this) • Some OS stores chroots in linked lists • Prevents access to outside of the new root • Requires root: prevents crafted chroots for privilege escalation

  5. What’s this used for? • Testing environments • Dependency control • Compatibility • Recovery • Privilege separation??

  8. Requirements for reasonable chroot • All directories must be root:root owned • Superuser process cannot be run in chroot • Distinct and unique user (uid, gid) has to be used • No sensitive files (or files at all) can be modified or created

  9. Requirements for reasonable chroot • Close all file descriptors before chrooting • chdir before chroot • /proc should not be mounted • + Use /var/empty for empty environment

  10. Chroot scenarios Shell access: • SSH access to a chrooted environment • Chrooted Apache running with mod_cgi/mod_php/… • Exploiting a vulnerable chrooted app Only filesystem access: • Chrooted SCP/FTP access

  11. Breakage techniques mostly summarised • Get root (not all techniques need it) • Get access to a directory’s file descriptor outside of the chroot • Find original root • Chroot into that • Escaped • Only a few OS stores chroots in linked lists, if you can break out of one, you broke out all of them

  12. / bin etc home usr chroot user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Example structure 
 Original root

  13. /chroot bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Example structure 
 New root (chrooted once)

  14. /chroot2 bin etc home usr user6 user7 Example structure 
 New root (chrooted twice)

  15. 
 Breakage techniques: #root: MIGHT kernel exploit/module needed Not going to talk about this

  16. Breakage techniques: #root: NOT misconfigurations needed • Hard to recognise and exploit • Wrong permissions on files or directories • Dynamic loading of shared libraries • Hardlinked suid/sgid binaries using chrooted shared libraries • For example: • /etc/passwd ; /etc/shadow • /lib/libpam.so.0 - used by /bin/su • These can be used to run code as root

  17. Breakage techniques: #root: classic needed • Oldest and most trivial • mkdir(d); chroot(d); cd ../../../; chroot(.) • chroot syscall does not chdir into the directory, stays outside

  18. / bin etc home usr / user1 user2 bin etc home usr user3 user4 user5 Root and CWD

  19. / bin etc home usr / user1 user2 bin etc home usr / user4 user5 Root barrier and CWD

  20. / bin etc home usr / user1 user2 bin etc home usr / user4 user5 Root barrier and CWD

  21. Breakage techniques: #root: classic+fd saving needed • Based on the classic • Saving the file descriptor of CWD before chroot • mkdir(d); n=open(.); chroot(d); fchdir(n); cd ../../../../; chroot(.) • Some OS might change the CWD to the chrooted one

  22. / bin etc home usr / user1 user2 bin etc home usr user3 user4 user5 Root, CWD and saved fd

  23. / bin etc home usr / user1 user2 bin etc home usr / user4 user5 Root barrier and saved fd

  24. / bin etc home usr / user1 user2 bin etc home usr / user4 user5 Root barrier and saved fd

  25. Breakage techniques: #root: Unix Domain Sockets needed • UDS are similar to Internet sockets • File descriptors can be passed thru • Creating secondary chroot and passing outside fd thru • Or using outside help (not really realistic) • Abstract UDS does not require filesystem access

  26. / bin etc home usr chroot user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Root(0) and CWD

  27. / bin etc home usr / user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Root barrier(1) parent forks

  28. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 bin etc home usr user6 user7 Root barrier(2) forked child

  29. / bin etc home usr / user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Root barrier(1) and FD (UDS)

  30. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 bin etc home usr user6 user7 Child Root barrier(2) and FD (UDS)

  31. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 bin etc home usr user6 user7 Child Root barrier(2) and FD (UDS)

  32. Breakage techniques: #root: mount() needed • Mounting root device into a directory • Chrooting into that directory • Linux is not restrictive on mounting

  33. Breakage techniques: #root: /proc needed • Mounting procfs into a directory • Looking for a pid that has a different root/cwd entry • for example: /proc/1/root • chroot into that entry

  34. Breakage techniques: #root: MIGHT move-out-of-chroot needed • The reason why I started to work on this • Creating chroot and a directory in it • Use the directory for CWD • Move the directory out of the chroot

  35. / bin etc home usr chroot user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Root(0) and CWD

  36. / bin etc home usr / user1 user2 bin etc home usr chroot2 user3 user4 user5 bin etc home usr user6 user7 Root barrier(1) parent forks

  37. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 bin etc home usr user6 user7 Root barrier(2) forked child

  38. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 bin etc home usr user6 user7 Root barrier(2) and CWD

  39. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 user7 bin etc home usr user6 Root barrier(2) and user7 moved out

  40. / bin etc home usr chroot user1 user2 bin etc home usr / user3 user4 user5 user7 bin etc home usr user6 Root barrier(2) and user7 moved out

  41. Breakage techniques: #root: NOT ptrace() needed • System call to observe other processes • Root can attach to any processes • User can attach to same uid processes (when euid=uid) • Change original code and run shellcode

  42. Question Tell me a service that is usually chrooted

  43. DEMO

  44. Results Debian 7.8;2.6.32/Kali Ubuntu DragonFlyBSD FreeBSD 10.- NetBSD 6.1.4 OpenBSD 5.5 amd64 Solaris 5.11 11.1 Mac OS X 3.12 14.04.1;3.13.0-32- 4.0.5 x86_64 RELEASE amd64 amd64 i386 generic Classic YES YES DoS NO NO NO YES YES Classic FD YES YES NO NO NO NO YES YES Unix Domain Sockets YES YES DoS PARTIALLY NO PARTIALLY? YES YES /proc YES YES NO NO NO NO YES NO Mount YES YES NO NO NO NO NO NO move out of chroot YES YES DoS PARTIALLY NO YES YES YES Ptrace YES PARTIALLY NO? YES NO YES N/A N/A

  45. Results (FreeBSD jail) FreeBSD 10. - FreeBSD 10. Jail - RELEASE amd64 RELEASE amd64 Classic NO NO Classic FD NO NO Unix Domain Sockets PARTIALLY PARTIALLY Mount NO NO /proc NO NO move-out-of-chroot PARTIALLY PARTIALLY Ptrace YES NO

  46. Filesystem access only • Move-out-of-chroot still works on FTP/SCP • Privilege escalation is possible on misconfigured environment • Shell can be popped by replacing or placing shared libraries/malicious files in chroot

  47. Linux Containers • Privileged container (no user namespaces) can create nested containers • Host container has access to guest container’s filesystem • Based on the move-out-of-chroot technique, real host’s file system is accessible

  48. DEMO 2

  49. Tool https://www.github.com/earthquake/chw00t/

  50. Future work • Testing new UNIX operating systems (eg. AIX, HP-UX) • Looking for other techniques

  51. Future work

  52. Greetz to: • My girlfriend and family • Wolphie and Solar Designer for mentoring • Spender and Kristof Feiszt for reviewing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc. In the context of this class, a good intro to basic UNIX concepts UNIX 101 man man man 2 chroot Users (UID 0 is root)

370 views • 11 slides
My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy Researcher at DEVCORE CTF Player HITCON / 217 Chroot Co-founder of pwnable.tw Speaker HITB GSEC 2018/AVTokyo 2018/VXCON Outline

1.35k views • 107 slides
Reduced Equations and Special Solutions for Geomorphic Dam-break Flows In celebration of

Reduced Equations and Special Solutions for Geomorphic Dam-break Flows In celebration of

BEM2014 2014/ 10/ 04 Reduced Equations and Special Solutions for Geomorphic Dam-break Flows In celebration of Professor Young Der-Liangs 70th birthday Herv Capart Dept of Civil Engineering National Taiwan University Sources 2 Capart,

511 views • 30 slides
systemd-nspawn is chroot on steroids LinuxCon Europe 2013 Lennart Poettering October 2013

systemd-nspawn is chroot on steroids LinuxCon Europe 2013 Lennart Poettering October 2013

systemd-nspawn is chroot on steroids LinuxCon Europe 2013 Lennart Poettering October 2013 Lennart Poettering systemd-nspawn is chroot on steroids systemd? systemd! Lennart Poettering systemd-nspawn is chroot on steroids Containers! LXC vs.

460 views • 18 slides
The k -sum Problem Solutions and Applications Christiane Peters Ice Break June 8, 2013 Talk

The k -sum Problem Solutions and Applications Christiane Peters Ice Break June 8, 2013 Talk

The k -sum Problem Solutions and Applications Christiane Peters Ice Break June 8, 2013 Talk outline 1. Motivation 2. Information-set decoding 3. Linearization 4. Generalized birthday attacks 5. Outlook 1/42 1. Motivation 2.

845 views • 60 slides
Divide-and-Conquer Divide-and-conquer. Break up problem into several parts. Solve each

Divide-and-Conquer Divide-and-conquer. Break up problem into several parts. Solve each

Divide-and-Conquer Divide-and-conquer. Break up problem into several parts. Solve each part recursively. Combine solutions to sub-problems into overall solution. Most common usage. Break up problem of size n into two equal parts of

145 views • 10 slides
Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2 What is a break-even point? 3 Calculating the Break-Even Point (BEP) in number of units (items) 4 Calculating Break-Even point for a Lemonade

234 views • 8 slides
Retail security gate solutions Industrial security gate solutions Institutional

Retail security gate solutions Industrial security gate solutions Institutional

PHYSICAL SECURITY SOLUTIONS Quantum security gates can help you improve security quickly. Before or after a break-in. Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Office

215 views • 18 slides
A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration 9:00$9:15 welcome 9:15$10:15 Stecker 9:00$10:00 Keating Granot Miller Kelley 10:15$10:45 BREAK 10:00$10:30 BREAK BREAK BREAK BREAK 10:45$11:30

224 views • 8 slides
Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction What is your dream vacation and who would you take with you? In break out rooms discuss the questions for about 5 - 10 minutes Make

210 views • 7 slides
Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part: How to Approach Vulnerability Finding Hints for Break It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

573 views • 56 slides
EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break Longitudinal model-based test as primary analysis in phase III B. Bieth*, D. Renard*, I. Demin*, B. Hamrn*, G. Heimann*, Sigrid Balser** *

402 views • 15 slides
http://ppt.a1ex.wang/md/android-x86.md?print=1 1/12 9/24/2016

http://ppt.a1ex.wang/md/android-x86.md?print=1 1/12 9/24/2016

9/24/2016 chroot android linux - By http://ppt.a1ex.wang/md/android-x86.md?print=1 1/12 9/24/2016 chroot android linux

372 views • 12 slides
Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How

Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How

Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How to Approach Vulnerability Fixing Hints for Fix It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

723 views • 37 slides
Who is Simrae Solutions? Simrae Solutions is a company that specializes in creative solutions

Who is Simrae Solutions? Simrae Solutions is a company that specializes in creative solutions

S IMRAE S OLUTIONS LLC A C OLORADO C ORPORATION Simrae Solutions LLC Create Manage - Promote P.O. Box 6121 Denver, CO 80206 720.432.3015 www.simrae - solutions.com Simrae Solutions LLC Who is Simrae Solutions? Simrae Solutions is a company

483 views • 5 slides
Hope you had a FANTASTIC spring break! Hope you had a FANTASTIC spring break! Thanksgiving CS

Hope you had a FANTASTIC spring break! Hope you had a FANTASTIC spring break! Thanksgiving CS

Hope you had a FANTASTIC spring break! Hope you had a FANTASTIC spring break! Thanksgiving CS 188: Artificial Intelligence Neural Nets (ctd) and IRL Instructor: Anca Dragan --- University of California, Berkeley [These slides were created by

833 views • 80 slides
Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of /etc/shadow File: How would normal users change their password? Two-Tier Approach Implementing fine-grained access control in operating

576 views • 31 slides
Welcome We will begin at 7:30 pm Central Time. OFA Community Engagement Fellowship Spring 2018

Welcome We will begin at 7:30 pm Central Time. OFA Community Engagement Fellowship Spring 2018

Welcome We will begin at 7:30 pm Central Time. OFA Community Engagement Fellowship Spring 2018 / #OFAFellows Alexis Conavay @Al AlexConav avay ay Or Organizing Proje ject Manager Kevin Lane @k @klane2 e228 Tr Training P Project M

730 views • 52 slides
Transition-Based Parsing Joakim Nivre Uppsala University Department of Linguistics and Philology

Transition-Based Parsing Joakim Nivre Uppsala University Department of Linguistics and Philology

Transition-Based Parsing Joakim Nivre Uppsala University Department of Linguistics and Philology joakim.nivre@lingfil.uu.se Transition-Based Parsing 1(19) 1. Transition Systems 2. Greedy Classifier-Based Parsing 3. Beam Search and

1.02k views • 53 slides
Near Optimal Subdivision Algorithms for Real Root Isolation Vikram Sharma 1 and Prashant Batra 2 1

Near Optimal Subdivision Algorithms for Real Root Isolation Vikram Sharma 1 and Prashant Batra 2 1

Near Optimal Subdivision Algorithms for Real Root Isolation Vikram Sharma 1 and Prashant Batra 2 1 Institute of Mathematical Sciences, Chennai, India. 2 Technische Universitt Hamburg-Harburg, Hamburg, Germany. ISSAC, Bath, 2015 V. Sharma and P

1.02k views • 88 slides
Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of

Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of

Quantum Mechanics Quantum Logic Alternative Quantum . . . Square Root of Not: . . . Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of Not Is . . . Why Factoring Large . . . Fuzzy and Quantum

381 views • 17 slides
A generic ROOT monitoring tool for EUDAQ2 L. Forthomme (Helsinki Institute of Physics) on behalf

A generic ROOT monitoring tool for EUDAQ2 L. Forthomme (Helsinki Institute of Physics) on behalf

A generic ROOT monitoring tool for EUDAQ2 L. Forthomme (Helsinki Institute of Physics) on behalf of the CMS and TOTEM Collaborations 8th Beam Telescopes and Test Beam workshop, Tbilisi, Georgia January 27-31, 2020 L. Forthomme (Helsinki

377 views • 14 slides
BISECTION (download slides and .py files follow along!) 6.0001 LECTURE 3 1

BISECTION (download slides and .py files follow along!) 6.0001 LECTURE 3 1

STRING MANIPULATION, GUESS-and-CHECK, APPROXIMATIONS, BISECTION (download slides and .py files follow along!) 6.0001 LECTURE 3 1 6.0001 LECTURE 3 LAST TIME strings branching if/elif/else while loops for

361 views • 21 slides
Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play

Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play

Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play 2-player games game-playing as search with the complication of an opponent General principles of game-playing and search game tree

1.02k views • 77 slides

More recommend