On Mon, 28 Jan 2002, Andrew Griffiths wrote:

> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s is my comments to
> my article... deal with it.
>
<snip>
>
> A user process can write into kernel memory, which will allow a person
> to get root inside the uml "box", and the possibility to break out of
> the uml "box", into the real one.
>
> This can happen even if the jail and honeypot options are turned on. [
> Though I suspect the version I was testing was half-way through
> implementing them ]

You're right about the "half-way through" bit. 2.4.17-9um is much better in
this respect.

The honeypot option explicitly *reduces* security:

/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
    This makes UML put process stacks in the same location as they are
    on the host, allowing expoits such as stack smashes to work against
    UML.
/usr/src/uml/linux$ ./linux --version
2.4.16-2um

As of 2.4.17-9um, the "honeypot" option turns on the "jail" option; thus the
most secure setup is to run uml with "jail" and not "honeypot".

Also, running uml itself within a chroot, as its own UID, and with no
capabilities, quite effectively limits the damage an attacker can do in
breaking the uml container. But you all knew that already.

-=:[ ajax (firest0rm)