The content of this blog post is intended for the hackers that have found themselves frustrated as a result of privilege escalation difficulties in the context of a chroot(2) jail environment. Such a situation can occur because of shell account access where the environment or the shell itself has been restricted, successfully executing shellcode via an overflow in the context of a network daemon, etc. Before I begin, I’d just like to mention that Sun Microsystems’ Solaris Containers (now part of the Oracle Solaris operating system), also known as zones, serve a similar purpose to chroot prisons. Also, I won’t be discussing kernel-space memory corruption as a means of subverting a jail; this subject was touched upon in a Phrack article entitled Smashing The Kernel Stack For Fun And Profit (P60-6).
First, I’d like to state that sometimes much information can be gathered simply by looking around the jailed directory hierarchy, since system administrators occasionally copy files from the real root filesystem into the jail. For example, /etc/ld.so.cache may contain pathnames to libraries that exist in the real root, allowing network daemons and other programs that are dynamically linked with vulnerable libraries to be targeted.
Second, it is not entirely uncommon for procfs to be mounted at the usual /proc location within the jail, since it’s a prerequisite for many useful utilities. This allows more information to be gathered, such as network configuration settings, Internet connections, running processes, and more. For example, the information displayed by netstat(8) can be gleaned from /proc/net/tcp and /proc/net/udp even though the netstat binary may not exist in the chroot environment. The bash shell script below demonstrates this ability:
#!/bin/bash
# netstat.bash by Derek Callaway <decal@security-objectives.com>
# Sun Feb 14 15:56:26 EST 2010 DC/SO
function netstat() {
  echo 'Active Internet connections (w/o servers)'
  echo -e 'Proto\tLocal Addr\t\tForeign Addr'
  # Each line of /proc/net/tcp is "sl local_address rem_address st ...";
  # only the local (la) and remote (ra) address columns are used below.
  while read -r sl la ra st tx rx tr tm rn smt uid
  do
    if [ "$sl" == 'sl' ]; then continue; fi   # skip the header line
    # An address column is "AABBCCDD:PPPP": 8 hex digits of IPv4 in host
    # byte order, a colon at offset 8, then 4 hex digits of port at offset 9.
    l1=${la:0:2}; l2=${la:2:2}; l3=${la:4:2}; l4=${la:6:2}; li=${la:9:4}
    r1=${ra:0:2}; r2=${ra:2:2}; r3=${ra:4:2}; r4=${ra:6:2}; ri=${ra:9:4}
    fmt="tcp\t%u.%u.%u.%u:%u\t%u.%u.%u.%u:%u\n"
    # Extra tab for alignment when the foreign address is 0.0.0.0 (listening socket)
    if [ "$r1" == '00' ]; then fmt="tcp\t%u.%u.%u.%u:%u\t\t%u.%u.%u.%u:%u\n"; fi
    # The octets are reversed because the kernel prints the address in
    # little-endian host order; printf understands the 0x-prefixed hex values.
    printf "$fmt" 0x$l4 0x$l3 0x$l2 0x$l1 0x$li 0x$r4 0x$r3 0x$r2 0x$r1 0x$ri
  done < /proc/net/tcp # Replace with /proc/net/udp to view UDP info
}
netstat
If the chmod binary is not present in the jail, then you can make the script usable by simply running bash script.sh, source script.sh, . script.sh, etc. These commands will work even if the /home directory is mounted with the noexec option, since bash (or whatever shell you’re using) itself must reside in a directory on a partition that allows execution, such as /bin. Of course, you’re out of luck in that particular scenario if you want to execute an ELF binary under $HOME, although some combination of indirect attack techniques may still lead to the desired effect.
Similarly, a makeshift route(8) script can be created to display information about the IP routing table which is accessible through /proc/net/route. Lots of useful information can be gathered from procfs in this manner. Refer to the manual pages and /usr/src/linux/Documentation/filesystems/proc.txt for many more possibilities.
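From the administrator's side, the conditions described above (procfs mounted inside the jail, a copied /etc/ld.so.cache, and a shell interpreter that lets scripts run without chmod) are easy to audit. The bash script below is an added example, not part of the original post; it takes the jail's top-level directory as a path on the host (the path /srv/jail in the usage line is a hypothetical placeholder).

```bash
#!/bin/bash
# Added example (not from the original post): audit a chroot tree for the
# information-leak conditions described in the post. audit_chroot takes the
# jail's top-level directory as seen from the host, e.g. /srv/jail (hypothetical).

# Prints one WARN/OK line per check and a final "SUMMARY <n> warnings" line.
audit_chroot() {
  local jail=$1 warns=0 f

  # 1. procfs mounted inside the jail exposes /proc/net/tcp, udp, route, ...
  if [ -e "$jail/proc/net/tcp" ] || [ -e "$jail/proc/net/route" ]; then
    echo "WARN procfs reachable under $jail/proc (netstat/route data without the binaries)"
    warns=$((warns + 1))
  else
    echo "OK   no procfs under $jail/proc"
  fi

  # 2. ld.so.cache copied from the real root lists host library paths
  if [ -e "$jail/etc/ld.so.cache" ]; then
    echo "WARN $jail/etc/ld.so.cache present (reveals real-root library paths)"
    warns=$((warns + 1))
  else
    echo "OK   no ld.so.cache copied into the jail"
  fi

  # 3. any shell interpreter lets "bash script.sh" run scripts that were never chmod'ed
  for f in bin/bash bin/sh bin/dash usr/bin/bash; do
    if [ -f "$jail/$f" ]; then
      echo "WARN interpreter $jail/$f present (scripts run regardless of chmod or noexec)"
      warns=$((warns + 1))
    fi
  done

  echo "SUMMARY $warns warnings"
}

# Usage: audit_chroot.sh /srv/jail
if [ $# -gt 0 ]; then
  audit_chroot "$1"
fi
```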
If file transfer services such as SCP and (S)FTP are not configured for the prison, then binary files can still be copied to the target system. If SSH access is available, then cat file.bin | ssh user@host.dom 'cat > file.bin' will suffice. If SSH is not an option, then it shouldn’t be very difficult to write a script locally that converts the file contents to hexadecimal and provides the needed echo -ne '\x90' style commands which will construct the file auto-magically on the remote system.
In the second part of this blog duo I will provide the source code to a custom job shell that has built-in commands based on system call prototypes in order to circumvent the absence of important commands from packages like GNU fileutils, e.g. chmod(1), chown(1), and others. I’ll be demonstrating another shell script that takes advantage of the presence of procfs as well, so check back soon for more useful tidbits. You can find notifications of new System of Systems blog postings on our Twitter feed, @secobjs.