On Sun, 2018-01-07 at 18:41 +0000, halfdog wrote:
> Hello list,
>
> I created a page to demonstrate what would happen when the chroot
> root directory is writable. In fact, code execution is possible
> already when only /etc and /bin are writable. I also tried to
> escape the chroot jail, but that did not work for non-root users.
>
> As the 2009 CVE activities mention that creating hardlinks
> from outside gives a trivial chroot, I showed that any cooperating
> access from the outside - no matter if it is the same user or
> another one - leads to root privilege escalation, even without
> hardlinks, just using the default behaviour of any shared-linked
> SUID binary.
>
> hd
>
> [0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/

Thank you for the article describing this issue in an understandable manner.

What struck my attention is the reading of the /etc/ssh/sshrc from the chroot. Is it even correct that OpenSSH is searching for the /etc/ssh/sshrc file AFTER the chroot? No, I am not advocating the writable chroots, but it sounds wrong to me, or at least nothing I would expect. Even though it is not exploitable out of the box, it might be if one chooses "wrong" names for users' directories (well ... etc/ might not be too uncommon).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
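The thread turns on two conditions an administrator can verify directly: sshd_config(5) requires every path component of a ChrootDirectory to be a root-owned directory that is not group- or world-writable, and, as the linked article demonstrates, sshd evaluates /etc/ssh/sshrc after it has chrooted, so a file at etc/ssh/sshrc inside the jail is the one that would run. The audit script below is an added example written for this page; it is not code from the thread, from halfdog's article, or from OpenSSH. It assumes a POSIX shell with ls, awk and mktemp, parses ownership and mode from ls -ld (so it is portable across GNU and BSD stat), and builds a constructed, deliberately misconfigured fixture for the demo rather than touching a real sshd chroot.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): audit an sftp ChrootDirectory
# for the two conditions discussed above. Assumes POSIX sh, ls, awk, mktemp.

# mode_is_safe PERMS: PERMS is the first field of `ls -ld` (e.g. drwxr-xr-x).
# Returns 0 unless the group (char 6) or other (char 9) write bit is set.
mode_is_safe() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# owner_of / mode_of DIR: owner name and permission string as ls reports them.
owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print $1}'; }

# audit_chroot_path DIR: walk DIR and every parent up to /, as the documented
# ChrootDirectory requirement demands (all components root-owned and not
# group/world writable). Prints the first offending component and returns 1;
# returns 0 when every component is acceptable; returns 2 if DIR is not a dir.
audit_chroot_path() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 2; }
    while :; do
        o=$(owner_of "$d"); m=$(mode_of "$d")
        if [ "$o" != root ]; then
            echo "$d: owned by $o, not root"; return 1
        fi
        if ! mode_is_safe "$m"; then
            echo "$d: group/world writable ($m)"; return 1
        fi
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# find_chroot_sshrc DIR: sshd reads /etc/ssh/sshrc after chrooting, so the
# file it would evaluate for this jail is DIR/etc/ssh/sshrc. Prints the path
# and returns 0 if present, returns 1 otherwise.
find_chroot_sshrc() {
    f="$1/etc/ssh/sshrc"
    if [ -e "$f" ]; then echo "$f"; return 0; fi
    return 1
}

# audit_chroot DIR: run both checks; returns 0 only when the jail is clean.
audit_chroot() {
    rc=0
    audit_chroot_path "$1" || rc=1
    if f=$(find_chroot_sshrc "$1"); then
        echo "chroot-relative sshrc present: $f"; rc=1
    fi
    return $rc
}

# demo: constructed fixture (not a real sshd chroot) that is group-writable
# and carries an etc/ssh/sshrc, i.e. exactly the layout the thread warns about.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/jail/etc/ssh"
    chmod 775 "$t/jail"
    : > "$t/jail/etc/ssh/sshrc"
    if audit_chroot "$t/jail"; then echo "clean"; else echo "UNSAFE"; fi
    rm -rf "$t"
}

demo
```

Run it against a real jail with `audit_chroot /path/to/chroot`; a zero exit means every component from / downwards is root-owned and not writable by group or others, and no etc/ssh/sshrc exists inside the jail. Both checks are deliberately separate, because a chroot can satisfy the ownership rule and still carry a stray etc/ssh/sshrc left by a user-chosen directory name, which is the case the reply above is concerned about.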