freebsd security - Dec 2011 - Escaping from a jail with root privileges on the host

Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

 * Using ezjail for managing my jails
 * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
 * This works only when I use sudo, and cannot reproduce if I execute
everything as root

First, created a folder *inside* the jail and cd to it:

 host$ sudo ezjail-admin console jail-test

 jail-test# id
 uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

 jail-test# mkdir ~/jail-folder
 jail-test# cd ~/jail-folder

 jail-test# pwd
 /root/jail-folder

Then from the host machine I've moved this folder to the cwd.

host$ pwd
/usr/home/mra

host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

 jail-test# pwd
 /usr/home/mra/jail-folder
>From here on the Jail's root user has full root privileges to the
host's filesystem.

Not sure if it is sudo or jail issue, and would be nice if someone
with more experience can check this up :)

Regards,
Marin

-- 
Marin Atanasov Nikolov

dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/

On 28. Dec 2011, at 08:58 , Marin Atanasov Nikolov wrote:
> Hello,
> 
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
This has been discussed to lengths within the last year (I think it was).

See the updated man page:
http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

In message
<CAJ-UWtQnYWb8TUzk91Z+CxgfVsDM=WtBDrpP_V9pBnv7ar47Fw@mail.gmail.com>
, Marin Atanasov Nikolov writes:
>Then from the host machine I've moved this folder to the cwd.
>[...]
>Not sure if it is sudo or jail issue, and would be nice if someone
>with more experience can check this up :)
That's an "error-42" issue.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
>   * Using ezjail for managing my jails
>   * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>   * This works only when I use sudo, and cannot reproduce if I execute
> everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
>   host$ sudo ezjail-admin console jail-test
>
>   jail-test# id
>   uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
>   jail-test# mkdir ~/jail-folder
>   jail-test# cd ~/jail-folder
>
>   jail-test# pwd
>   /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
>   jail-test# pwd
>   /usr/home/mra/jail-folder
>
> > From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)
This is not really "escaping".
It's more like "being sprung by your friends outside" since
it requires outside participation.
The jailed process cannot do it by itself.
Now what would be more interesting is if the jailed process can
make a new jail inside the old jail and then 'spring' the inmate there.
will that inmate be still inside the parent jail, or outside both jails?
> Regards,
> Marin
>

[minus -stable]

On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
> everything as root
I cannot see how the use of sudo would be relevant -- the fundametal issue 
merely requires the vnode of the directory in question to be moved (not 
copied) past the jail's root vnode.  Could you give a bit more detail 
about how you came to believe that sudo is necessary?

-Ben Kaduk

On 12/28/2011 02:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
>   * Using ezjail for managing my jails
>   * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>   * This works only when I use sudo, and cannot reproduce if I execute
> everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
>   host$ sudo ezjail-admin console jail-test
>
>   jail-test# id
>   uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
>   jail-test# mkdir ~/jail-folder
>   jail-test# cd ~/jail-folder
>
>   jail-test# pwd
>   /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
>   jail-test# pwd
>   /usr/home/mra/jail-folder
>
>> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)
>
> Regards,
> Marin
>
This is rather fascinating.

I agree with the poster that the jail didn't really escape, but was 
"sprung from the outside."

But more than that, I imagine it would be very hard to stop this without 
either completely rethinking how unix filesystems work, or adding 
significant overhead to the OS so that it checks every single "mv" 
command against all existing jails.

I think the warning in the man page 
http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286
is a better way to go.

Stephen