Lately, I’ve been working with some older technologies, and I’ve gotten to play with some of the restricted access shells that used to be popular. Many older appliances used to include an sshd that allowed users into a chroot jail with restricted access to binaries. This was done in an attempt to allow the user to access the appliance’s functionality without exposing the internal workings of the application. Fortunately, many chroot jails fail to properly set some essential security bits, assuming that restricting binaries is enough to keep users out of the real filesystem, while also giving users root access to their chroot jail. With just these three things, you can break out of any chroot jail:
- Root access – you’ll need root access *inside* your chroot jail to execute a breakout. This is the weakest link here, but many chroot jails have been improperly configured, as root privileges are used to access the application functionality that the shell is supposed to expose.
- The echo utility – this is built in to several shells, so you can rely on this in many situations.
- A file that you have both write and execute privileges on – if the chroot jail has been properly secured you won’t have access to chmod, but check the filesystem for these privileges. This will allow you to get your breakout on the filesystem and to execute it.
Now for the juicy bit. To break out of your jail, the basic steps are pretty simple. Determine if you have chmod available inside your chroot jail. If you don’t, search for a file with both write and execute privileges . You can use find –executable –writable or ls –lR / | grep wx to search entire partitions for these files. This might be difficult if you don’t have find or grep, but you can check common locations for executables like /bin/. Remember the path of this file, as you’ll have to overwrite it later. Spin up a VM with the same kernel as the machine hosting the chroot jail you’re targeting. Grab code for a chroot jail (there are examples all over the internet). For the purposes of this demonstration, I’ve put my code into breakout.c. All this code does is create a file descriptor for the current directory and then makes a new chroot jail in a subdirectory. Since the program has saved a file descriptor to a directory outside this new sub-chroot jail, the program will use fchdir to hop back out of the new chroot jail and onto the main directory structure. Then it cd’s all the way back up to the real root where it execs a new shell. Use gcc to compile the code into a binary on your VM. Use hexdump with the command below to dump the binary into the format you’ll need. This command works just like a C printf statement:
hexdump -ve ‘”\x” 1/1 “%02x”‘ bin.o > echo_this
Copy the contents of the file echo_this, and paste them into an echo command inside the chroot jail:
Echo –ne x7fx45x4cx46… > name_of_file_from_first_step (ie: /bin/writeableBinary)
Finally, you can just execute the file you’ve just overwritten to escape the jail. This will provide you with a root shell on the complete file system of the machine you were jailed in earlier. Preventing this is actually pretty simple, and just relies on some linux security basics that sometimes get neglected in these chroot jails. Don’t let the user run as root, if you can avoid it. If a user has to run as root, restrict access to binaries, and make sure there aren’t any files that they have both write and execute permissions on.