Chroot syscall is part of POSIX. All Unix systems have this syscall, so it is possible to create separated environments. Until this presentation there was no documentation/tutorial about the techniques how to create a reasonably "secure" chroot environment or how to breakout from a misconfigured one. Now, with this presentation, I attempt to create a knowledge base for this topic. I've managed to collect 6 different techniques that are working fully on Linuxes (not all of them requires root privs). Furthermore I wrote a tool that automates the breakouts and helps the user to get a shell outside of the chrooted environment. This tool is an opensource tool, already released. The tool supports only Linux at the moment, but will be improved until the conference. Additionally I tested 7 Unix systems overall and compared my findings there. I'm going to explain all of the techniques that are implemented in the tool, how they work and why and about the difference between operating systems.

1. Chw00t: How to break out
from various chroot solutions
Balázs Bucsay
OSCE, OSCP, GIAC GPEN, OSWP
http://rycon.hu/ - https://www.mrg-effitas.com/
@xoreipeip

2. Bio / Balazs Bucsay
• Hungarian Hacker
• Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN
• Works for MRG Effitas - research, AV/endpoint security product tests
• Started with ring0 debuggers and disassemblers in 2000 (13 years
old)
• Major project in 2009: GI John a distributed password cracker
• Presentations around the world (Atlanta, Moscow, London, Oslo)
• Webpage: http://rycon.hu
• Twitter: @xoreipeip
• Linkedin: http://www.linkedin.com/in/bucsayb

3. Chroot’s brief history
• Introduced in Version 7 Unix - 1979
• Inherited from V7 UNIX to BSD - 1982
• Hardened version was implemented in FreeBSD - 2000
• Virtuozzo (OpenVZ) containers - 2000
• Chroot on Steroids: Solaris container - 2005
• LXC: Linux Containers - 2008

4. What is Chroot?
• A privileged system call on Unix systems
• Changes the dedicated root vnode of a process (all
children inherit this)
• Some OS stores chroots in linked lists
• Prevents access to outside of the new root
• Requires root: prevents crafted chroots for privilege
escalation

5. What’s this used for?
• Testing environments
• Dependency control
• Compatibility
• Recovery
• Privilege separation??

8. Requirements for reasonable
chroot
• All directories must be root:root owned
• Superuser process cannot be run in chroot
• Distinct and unique user (uid, gid) has to be used
• No sensitive files (or files at all) can be modified or
created

9. Requirements for reasonable
chroot
• Close all file descriptors before chrooting
• chdir before chroot
• /proc should not be mounted
• + Use /var/empty for empty environment

10. Chroot scenarios
Shell access:
• SSH access to a chrooted environment
• Chrooted Apache running with mod_cgi/mod_php/…
• Exploiting a vulnerable chrooted app
Only filesystem access:
• Chrooted SCP/FTP access

11. Breakage techniques
mostly summarised
• Get root (not all techniques need it)
• Get access to a directory’s file descriptor outside of the
chroot
• Find original root
• Chroot into that
• Escaped
• Only a few OS stores chroots in linked lists, if you can break
out of one, you broke out all of them

12. Example structure
Original root
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

13. Example structure
New root (chrooted once)
/chroot
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

14. Example structure
New root (chrooted twice)
/chroot2
etc home usr
user7
bin
user6

15. Breakage techniques:
kernel exploit/module
Not going to talk about this
#root:
MIGHT
needed

16. Breakage techniques:
misconfigurations
• Hard to recognise and exploit
• Wrong permissions on files or directories
• Dynamic loading of shared libraries
• Hardlinked suid/sgid binaries using chrooted shared libraries
• For example:
• /etc/passwd ; /etc/shadow
• /lib/libpam.so.0 - used by /bin/su
• These can be used to run code as root
#root:
NOT
needed

17. Breakage techniques:
classic
• Oldest and most trivial
• mkdir(d); chroot(d); cd ../../../; chroot(.)
• chroot syscall does not chdir into the directory, stays
outside
#root:
needed

18. Root and CWD
/
bin etc home usr
/ user1 user2
bin etc home usr
user4user3 user5

19. Root barrier and CWD
/
bin etc home usr
/ user1 user2
bin etc home usr
user4/ user5

20. Root barrier and CWD
/
bin etc home usr
/ user1 user2
bin etc home usr
user4/ user5

21. Breakage techniques:
classic+fd saving
• Based on the classic
• Saving the file descriptor of CWD before chroot
• mkdir(d); n=open(.); chroot(d); fchdir(n); cd ../../../../;
chroot(.)
• Some OS might change the CWD to the chrooted one
#root:
needed

22. Root, CWD and saved fd
/
bin etc home usr
/ user1 user2
bin etc home usr
user4user3 user5

23. Root barrier and saved fd
/
bin etc home usr
/ user1 user2
bin etc home usr
user4/ user5

24. Root barrier and saved fd
/
bin etc home usr
/ user1 user2
bin etc home usr
user4/ user5

25. Breakage techniques:
Unix Domain Sockets
• UDS are similar to Internet sockets
• File descriptors can be passed thru
• Creating secondary chroot and passing outside fd thru
• Or using outside help (not really realistic)
• Abstract UDS does not require filesystem access
#root:
needed

26. Root(0) and CWD
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

27. Root barrier(1) parent forks
/
bin etc home usr
/ user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

28. Root barrier(2) forked child
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

29. Root barrier(1) and FD (UDS)
/
bin etc home usr
/ user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

30. Child Root barrier(2) and FD (UDS)
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

31. Child Root barrier(2) and FD (UDS)
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

32. Breakage techniques:
mount()
• Mounting root device into a directory
• Chrooting into that directory
• Linux is not restrictive on mounting
#root:
needed

33. Breakage techniques:
/proc
• Mounting procfs into a directory
• Looking for a pid that has a different root/cwd entry
• for example: /proc/1/root
• chroot into that entry
#root:
needed

34. Breakage techniques:
move-out-of-chroot
• The reason why I started to work on this
• Creating chroot and a directory in it
• Use the directory for CWD
• Move the directory out of the chroot
#root:
MIGHT
needed

35. Root(0) and CWD
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

36. Root barrier(1) parent forks
/
bin etc home usr
/ user1 user2
bin etc home usr
user3chroot2 user4 user5
etc home usr
user7
bin
user6

37. Root barrier(2) forked child
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

38. Root barrier(2) and CWD
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

39. Root barrier(2) and user7 moved out
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

40. Root barrier(2) and user7 moved out
/
bin etc home usr
chroot user1 user2
bin etc home usr
user3/ user4 user5
etc home usr
user7
bin
user6

41. Breakage techniques:
ptrace()
• System call to observe other processes
• Root can attach to any processes
• User can attach to same uid processes (when
euid=uid)
• Change original code and run shellcode
#root:
NOT
needed

42. Question
Tell me a service that is usually chrooted

43. DEMO

44. Results
Debian 7.8;2.6.32/Kali
3.12
Ubuntu
14.04.1;3.13.0-32-
generic
DragonFlyBSD
4.0.5 x86_64
FreeBSD 10.-
RELEASE amd64
NetBSD 6.1.4
amd64
OpenBSD 5.5 amd64 Solaris 5.11 11.1
i386
Mac OS X
Classic
YES YES DoS NO NO NO YES YES
Classic FD
YES YES NO NO NO NO YES YES
Unix Domain Sockets
YES YES DoS PARTIALLY NO PARTIALLY? YES YES
/proc
YES YES NO NO NO NO YES NO
Mount
YES YES NO NO NO NO NO NO
move out of chroot
YES YES DoS PARTIALLY NO YES YES YES
Ptrace
YES PARTIALLY NO? YES NO YES N/A N/A

45. Results (FreeBSD jail)
FreeBSD 10. -
RELEASE amd64
FreeBSD 10. Jail -
RELEASE amd64
Classic
NO NO
Classic FD NO NO
Unix Domain Sockets PARTIALLY PARTIALLY
Mount NO NO
/proc NO NO
move-out-of-chroot PARTIALLY PARTIALLY
Ptrace YES NO

46. Filesystem access only
• Move-out-of-chroot still works on FTP/SCP
• Privilege escalation is possible on misconfigured
environment
• Shell can be popped by replacing or placing shared
libraries/malicious files in chroot

47. Linux Containers
• Privileged container (no user namespaces) can create
nested containers
• Host container has access to guest container’s
filesystem
• Based on the move-out-of-chroot technique, real
host’s file system is accessible

48. DEMO 2

49. Tool
https://www.github.com/earthquake/chw00t/

50. Future work
• Testing new UNIX operating systems (eg. AIX, HP-UX)
• Looking for other techniques

51. Future work

52. Greetz to:
• My girlfriend and family
• Wolphie and Solar Designer for mentoring
• Spender and Kristof Feiszt for reviewing

53. References
• http://www.bpfh.net/simes/computing/chroot-break.html
• http://www.unixwiz.net/techtips/chroot-practices.html
• http://linux-vserver.org/Secure_chroot_Barrier
• http://phrack.org/issues/59/12.html
• http://lwn.net/Articles/421933/
• https://securityblog.redhat.com/2013/03/27/is-chroot-a-
security-feature/

54. http://rycon.hu - https://www.mrg-effitas.com/
https://github.com/earthquake
@xoreipeip
Thank you
!
Q&A