How to break out of chroot
Needs to convert existing files into tools
UML binary executable
- rewrite it to construct chroot-breaker
- install it non-writeable and immutable
Filesystem writeable but non-executable
- rewrite it and make it executable
- writeable by UML uid, but owned by another uid
So, the two existing files will need to be converted into chroot-breaking tools.
The UML binary is already an executable binary, so it is an obvious choice. It can be rewritten so that it becomes the chroot breakout tool.
This can be prevented by making the binary non-writeable and immutable. Actually, immutable is sufficient, but making it unwriteable avoids confusion about what's intended.
Next is the filesystem. It is not an executable binary, but with sufficient rewriting and a permissions change, it could become one. It is writeable, and this is a requirement, since if it weren't, UML would not be able to change its contents and would have to mount it as a read-only filesystem. However, if it is owned by a different uid than the UML uid, then the black hat will not be able to make it executable.
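
An added example, not part of the original slides: a shell audit that checks the two jail files against the settings described above. It assumes GNU stat and e2fsprogs lsattr, and that the UML uid gets its write access to the filesystem file through the file's group; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two files a UML chroot jail contains.
# Assumptions (not from the slides): GNU stat and e2fsprogs lsattr; the UML
# uid reaches the filesystem file through group write, not ownership.

mode_has() {            # mode_has FILE OCTAL_MASK: true if any masked bit is set
    [ $(( 0$(stat -c %a "$1") & $2 )) -ne 0 ]
}

is_immutable() {        # true only if lsattr reports the 'i' attribute
    attrs=$(lsattr -d "$1" 2>/dev/null) || return 1
    case "${attrs%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

audit_binary() {        # audit_binary FILE: the UML executable
    rc=0
    if mode_has "$1" 0222; then echo "FAIL $1: has write bits"; rc=1; fi
    # An owner can chmod write access back, so only immutable settles it.
    if ! is_immutable "$1"; then echo "FAIL $1: not immutable"; rc=1; fi
    return $rc
}

audit_fs() {            # audit_fs FILE UML_UID: the filesystem file
    rc=0
    # Only the owner (or root) may chmod +x, so the UML uid must not own it.
    if [ "$(stat -c %u "$1")" = "$2" ]; then
        echo "FAIL $1: owned by UML uid $2"; rc=1
    fi
    if mode_has "$1" 0111; then echo "FAIL $1: has execute bits"; rc=1; fi
    # Without write access UML could only mount it read-only.
    if ! mode_has "$1" 0020; then echo "FAIL $1: not group-writeable"; rc=1; fi
    return $rc
}

# Usage: sh audit.sh UML_BINARY FS_FILE UML_UID
if [ "$#" -eq 3 ]; then
    ok=0
    audit_binary "$1" || ok=1
    audit_fs "$2" "$3" || ok=1
    exit "$ok"
fi
```

The script exits 0 only when both files pass; each failed check prints one FAIL line naming the file and the setting that is wrong.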