Subject: misc/2634: /usr/sbin/chroot is a bogon
To: None <gnats-bugs@NetBSD.ORG>
From: None <douzzer@mit.edu>
List: netbsd-bugs
Date: 07/15/1996 23:10:44
>Number:         2634
>Category:       misc
>Synopsis:       /usr/sbin/chroot is doomed
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    misc-bug-people (Misc Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 16 02:35:00 1996
>Last-Modified:
>Originator:     Daniel G. Pouzzner
>Organization:
just me
>Release:        1.2A
>Environment:
>Description:
	hey guys, /usr/sbin/chroot cannot possibly work out.
if it ever leaves experimental status and goes setuid in a release,
here is what will happen:

-hacker would find a setuid-root program on a partition he has write
on.

-he would create a bogus directory hierarchy with a homebrew
${top}/usr/lib/libc.so and ${top}/usr/libexec/ld.so, with (for
example) strrchr() replaced with a 'system("/sh")'

-he would put a hard link to the setuid program in ${top}/haha, plus
copies of /bin/sh, /bin/chmod, and /bin/chown.

-he would then do a "chroot ${top} /haha" and, voila, he has a root
shell. /chown root /sh; /chmod 4755 /sh; exit

-${top}/sh now yields immediate full root

>How-To-Repeat:
	this is all hypothetical :-]
>Fix:
	i started work tonight on a program called "safexec" that will
launch untrustable programs in a completely compartmentalized fashion,
under uid/gid nobody, chroot'd to nowhere special, with a blank
environment save what is passed on the safexec command line.

	when i feel it is ready for prime time i'll let you know, and
also submit it to CERT. that will probably be in the next few days (i
tend not to dawdle).

-douzzer
 Menlo Park, CA
>Audit-Trail:
>Unformatted:
System: NetBSD lerome 1.1 NetBSD 1.1 (GENERIC_SCSI3) #9: Tue Nov 21 20:15:17 MET 1995 pk@neon:/usr/src1/sys/arch/sparc/compile/GENERIC_SCSI3 sparc
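A minimal launcher of the kind sketched under Fix, as an added example that is not douzzer's safexec nor any NetBSD code. It assumes the caller is root (chroot requires it), that a "nobody" account exists, and that the jailed program is given on the command line; the point is the ordering that closes the hole above: chroot, then chdir("/"), then drop gid before uid, verify the drop is irreversible, and exec with an environment built only from KEY=VALUE arguments.

```c
#define _GNU_SOURCE
/* Hypothetical "safexec"-style launcher (added example, not douzzer's program).
 * usage: launcher jaildir /program [KEY=VALUE ...]                          */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>

/* Keep only "KEY=VALUE" strings with a non-empty key; nothing is inherited
 * from the caller's environment. Returns a NULL-terminated array. */
char **build_env(int n, char *const kv[], int *count) {
    char **env = calloc((size_t)n + 1, sizeof *env);
    int k = 0;
    for (int i = 0; i < n; i++) {
        const char *eq = strchr(kv[i], '=');
        if (eq && eq != kv[i]) env[k++] = kv[i];
    }
    env[k] = NULL;
    if (count) *count = k;
    return env;
}

/* Irrevocably drop to uid/gid: supplementary groups first, gid before uid
 * (setgid after setuid would fail), then verify. 0 on success, -1 otherwise. */
int drop_privs(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(int argc, char *argv[]) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s jaildir program [KEY=VALUE ...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam("nobody");            /* assumed to exist */
    if (!pw) { perror("getpwnam"); return 1; }
    /* chroot before dropping root; chdir("/") so the cwd is inside the jail. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    if (drop_privs(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privs"); return 1; }
    if (setuid(0) == 0) { fprintf(stderr, "privileges regained!\n"); return 1; }
    char *const args[] = { argv[2], NULL };
    char **env = build_env(argc - 3, argv + 3, NULL);  /* blank env save argv */
    execve(argv[2], args, env);                        /* program's own libs */
    perror("execve");
    return 1;
}
```

Because the jail's libc and ld.so are whatever the untrusted program brings, the launcher must already be running as nobody when execve happens; that is why the drop is verified before exec.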