chroot

• Unix has a little-known system call chroot()

• It's like chdir()

• But instead of changing a process's idea of the current directory...

  • It changes the process's idea of where the root directory is

• Idea:

  1. Manufacture /tmp/attack/etc/passwd, /tmp/attack/bin/sh, etc.

  2. chroot("/tmp/attack")

  3. Run su root

• su will prompt for the root password

  • Will check it against /etc/passwd

  • But /etc/passwd is really /tmp/attack/etc/passwd

  • Then it will run a shell for us with UID 0!

• Then we can wreak all sorts of havoc

• Solution: only root may use chroot().

Next

Copyright © 2005 M. J. Dominus