
As part of a university assignment I'm researching the ways an attacker can bypass a chroot jail. Naturally, I've seen that there are plenty of ways to attempt privilege escalation using vulnerable setuid executables, Dirty COW, and other exploits, which make escaping the jail trivial.

However, I'm curious whether there are any ways an attacker can harm the system while remaining in the chroot jail. Since, to my knowledge, chroot was never intended as a sandboxing tool, I feel like it might be the case.

For example, can a fork bomb launched in a chroot jail consume the process space of a system? Since chroot only changes the visible scope for directories, that sounds possible.

  • For example, see https://klarasystems.com/articles/controlling-resource-limits-with-rctl-in-freebsd/ . System resources can be protected in any number of ways, depending on what you're trying to protect against. E.g., FreeBSD jails are not "trivial" to escape, but neither are they just a simple chroot. – Jim L. Jun 06 '23 at 22:35

1 Answer


can a fork bomb launched in chroot jail consume process space of a system?

Yes. Why shouldn't it? chroot is just a method to pivot the root of the filesystem "view", not to do anything about anything else in that system that isn't about file paths.

  • Thank you, I did assume it was only changing the perception of the filesystem, but I was a bit confused since, despite being a testing tool, it seems to be frequently used in a security context. Hence I thought it might do other things, like perhaps limiting the scope of environment variables, namespaces or similar. – Nikolai Savulkin Jun 04 '23 at 13:38
  • Heck, if you compromise uid 0 inside a chroot you can probably manually mount the actual / and escape it that way. All chroot does is to restrict what's potentially available to an attacker and thereby limit his options for achieving a uid 0 compromise. – Shadur-don't-feed-the-AI Jun 04 '23 at 20:27
  • @Shadur mount is not even needed. This old Unix trick (the page is from 2005 but the trick is older) still works on Linux (apparently not on *BSD when the sysctl chroot_allow_open_directories is not toggled): http://www.ouah.org/chroot-break.html . Just one #include <stdlib.h> is missing and one pair of quotes needs fixing in a fprintf for it to work. – A.B Jun 05 '23 at 07:07
  • What's a reasonable bounty to offer to anyone who wants to try? :) – Jim L. Jun 06 '23 at 22:36
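A defensive illustration of the answer's point, added here as an example that is not from the question, the answer or any of the commenters: chroot(2) changes only the filesystem view, so a cap on process count and address space has to come from setrlimit(2), applied before the jailed command is executed. The launcher below also does the two things the escape discussed in the comments depends on being skipped, namely chdir("/") right after chroot so no directory handle outside the new root stays open, and dropping uid 0 before exec. The jail path, the uid/gid and the limit values (64 processes, 256 MiB) are placeholders chosen for the example.

```c
/* jail-launch.c (example, not from the thread): start a command inside a chroot
 * with process-count and memory limits applied first, so a runaway process in
 * the jail cannot exhaust the host's process table or memory.
 * Build: cc -Wall -o jail-launch jail-launch.c
 * Run (chroot(2) needs root): ./jail-launch /srv/jail 65534 65534 /bin/sh
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Clamp a resource's soft and hard limit to 'want', never raising it above the
 * current hard limit. Returns 0 on success, -1 with errno set. Lowering limits
 * needs no privilege, so this works for an unprivileged launcher too. */
int clamp_rlimit(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < want)
        want = rl.rlim_max;          /* cannot raise a hard limit without CAP_SYS_RESOURCE */
    rl.rlim_cur = want;
    rl.rlim_max = want;              /* make the cap irreversible for the jailed process */
    return setrlimit(resource, &rl);
}

/* Read back the current soft limit so callers can confirm what was applied. */
rlim_t current_soft_limit(int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_cur;
}

/* Enter the jail: chroot, then chdir("/") so the working directory is inside
 * the new root, then drop supplementary groups, gid and uid in that order.
 * Refuses to continue if root privileges can still be regained. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }   /* privileges must be gone for good */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <root> <uid> <gid> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    const char *root = argv[1];
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    /* Limits are inherited across execve, so set them before exec. On Linux
     * RLIMIT_NPROC is enforced only for unprivileged users, one more reason the
     * jailed command must not run as uid 0. Values below are placeholders. */
    if (clamp_rlimit(RLIMIT_NPROC, 64) != 0 ||
        clamp_rlimit(RLIMIT_AS, (rlim_t)256 * 1024 * 1024) != 0) {
        perror("setrlimit");
        return 1;
    }
    if (enter_jail(root, uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

Note that RLIMIT_NPROC on Linux counts all processes of the real uid, not just those inside the jail, so a dedicated uid for the jailed service keeps the accounting meaningful; FreeBSD's rctl, mentioned in the comment above, addresses the same gap at the jail level.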