Merken

Chw00t: Breaking Unices' chroot solutions

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
this should my name is large which very and I'm going to present you this topic and for that we will have no press coverage in the future because it's a technical and more generous and understand what I'm talking about OK so that was a bit
about me and the Hungarian hacker I have for strictly technical certificates listed on the slide and currently unemployed by choice doing research president and lots of other stuff at the moment I started to do the security in the 2 thousands of wheat Springel debuggers and is assemblers and I had a major project in 2009 I had a presentation of all on the skull from so many members the project was called GI John and I had to say about so that our presentation on presentations on the globe in the US UK brush honorary and of course even with the best you can find my that page on the bottom of the slides take cone so if you like my presentation please follow me on Twitter and that is my LinkedIn profile as well structured community of scientists and when he was sort of its history of those features at 1st it was implemented in version 7 units in 1979 then later you got an inherited is inherited in the years the and the in 2000 the previously implemented hot and version of the C seed should it is called the jails in the same year of your or previously called open easy implemented the containers was all containers and they're are often arise in in 5 years later the US the sellers implemented something similar it was called the seizure was also it's but it's this this a lot so those containers and Elizabeth later in 2008 all there was something called Linux containers introduced in the Linux kernel it this part of the carrier right now so what's
what's siege routes between cities with a system called reduce system call you can change a process so of all processes in the operating system has a process structure in the memory that process structure source different kind of entries different kind of process properties for example of the the current working directory being old and you to you know that you can change is in the current working directory Renaud just using the CD comments order see each year system call you can change a little bit more more so it's a little bit more harder harder to change rule but the would be on the floor of the process because you have to call this the system called indicator out and that's the previous system cause all you can call it and there is balance sheet 1 it's a privileged and requires rules because it is an ongoing need user could call it that alternate it's really easy to you the rest your privileges so it's pretty easy to to you create a privilege escalation exploits the media system call on privileged so why do we need this it's operatively stuff if you want to you in close your process into a directory so you just call this this this system called and the process will think there is nothing beyond the root directory anymore what is it useful it is mainly used for testing testing environments dependency control corporate ability recovery and previous separation for example of the recovery phase but I can tell you about if you have a question expression you come up with it anymore you just grab a live CD booted in there you have a working cannot formalise city and the you command to partition the lights city and see shooting intellectual part what each of the crashed that you will have a working can now from the lab and then they are not really working 5 system from the Ford part for the partition for the cash you see and that you can use of working in the next 2 recovery your your cash PC and make it work again that's that's the basic use of the solution if we are talking about recovery and it is used for previous separation which is sometimes a really good idea but you can decide after my presentation
if you want to use it or not so before I stop before I start the star that matters I would like to ask you the question that what do you think is the 2nd feature procedures show your hands if you think so we talking to you have to say
no sorry this is not the 2nd is a feature that came in time it was lot of scenes that data alive it shouldn't be use the 2nd feature so i have so
you shouldn't use exact is as it's 1 half that is half the the presentation you would like to increase the Jews still you still want to create a series would then please read do these 2 sides of the my presentation again because that way you can make a more secular let's say but more reasonable Siegel's 1st of all you have to make sure that all of the directories are you are owned by the user and the group that more that you have to make sure that most of the users processes running into the future and if you are using and you will use that users in decisions you have to make sure that the user ideas and by these are distinct and and and unique ID is it's always you shouldn't mix of being the origin of systems and you have to make sure also that the most sensitive files can be created in diet there is also a modified and if you want to uh programming coding that application of the of the sea jilted order Overview use root system called and you have to make sure that you close all of the 5 descriptor lost before calling that system call and you use the CD you check the current working directory of the process before changing the the roots root of the process because if you forget these points it is more using TD-Leaf to break off from the station and that allows that not least you shouldn't have to prepare for us at all because it's really dangerous that's for form for the security of the season of the environment and if you want to use an empty 5 systems or empty directory for the procedure to the environment just use of warranty dietary because there's a reason why is there sort of memory that you have to deal with the issues and that you have basically 2 scenarios one's by you have shall axis and the other 1 then you only have 5 system access but you have some access for example you got necessary job and you can just as a staging into December and you will get and the due to the environment that cannot leave your directory you just enclosed in that directory structure and other other scenarios could be regarding shared access may you have it sees rooted opportunities and that you have some how of 80 you execute scripts on the server indeed and in that environment these pieces strips or basketball or whatever and certain 1 for example is you have the work the application that you have an x 44 and that's application is rooted in you can execute any kind of machine code in that column in in the context of the that's 1 of the applications that that's another scenario and the answer is we are talking about 5 system access them you can think of all solution to get inner city services for example was from you have about page or you so that page previously and that was hosted in future hosting company server the ownership of things that and those companies most of the time you see Judith FTP servers so you've got an export problems due to your web page you can use that that the baby and you will be left your dietary you cannot you cannot access the UGC being or any other dietary just your home right so you can upload your files there but you cannot leave that I'm going to present you 8 or 7 techniques how to break all decisions most of the techniques not all of them based on the same scenario that somehow you you get shoots you have rules excess due to the environment they somehow you have to get a file descriptor outside of the directory and then you have to find that when you have that you can just the decision to the environment I mean I'm going to show you how and find the original roots grown efficient system called again that you will be in the origin of the root again and that's the you skate I have to I have to mention that that this is working really well on most of the US is for example bottle on the previously and for example previously years this is substituted working that's not because previously source the route you know what's and another kind of stuff in linguistic source such as a process structure that you have 1 entry and you can always writing it has a link to a story few changes to the list we'll be ordered form or the entry and that actually have the last uh Seagal at the new rules and if you break out there you will have the last just before the last roots so you can actually that so it's a it's a bit tricky of previously so let's see how he's ropes uses the full file system you have the rules here on the top you have well insisted that is just under the law of and the blue and you have the seasonal dietary we have all the necessary directed indices c-agent in the whole universe usually do so in order to make the value cost system called on the siege of battery that will be the root of the process so it won't be able to see anything else although the director and so the process we saying that the roots and there is no way to to leave that should be and if you click on this is again because this is and your process will be lowered in the other structure so it won't be able to see the remaining parts if if you manage somehow to to broker from this decision at environment 1 units you will see the full process by system if you do the search on Free BSD for example because it's using the linguistic it will be able to see just this acidulated environment the
first one the 1st of this is exactly what I'm not going to tell you about it's basically gonna exploitation are only acting emotions scanner module when you do that you have route you have access to the account space you can modify anything in again as this it can modify the process structures fell and if you do that you can just over variety the process structure of the data being told that you are looking for a new outside but it's it's a really on the topic then exploitation so I'm not going to tell you anything more about it 0 that say
there was that it is the this configuration is always for example if you have a seizure to the environment and the FTC basalt 5 is modifiable for any user right user then you can edit you can just replace your you ID user ID and password 5 5 and if you log in again you have you because you just replace your views and ideally at 0 or if you have a hardening pseudobinary and you have the lead for example the being as you and you have the or use of and dietary writable for any user you can just replaced or plays a shared library that is having that that's has your code that has your call and the binary this each has a serious bits on its being execute called in privileged context of course so that Stuart is all you can get to it in the in the usual directory sometimes it's really hard to define these flows and exploit those but you if you have some options than just just go there and look for these these folds OK the 1st technique is a very old and trivial if you will see usually escape seizures biopsies usually by post to or anything guys desert in what you will find if you want to talk about this topic with anybody else who knows what's the usual to bypass that will talk about this the use of flow I I sent the letter of all my presentation techniques the units can lists and came back this the technique that they brought me that they this technique and they didn't care about my technique which is different from so I said OK you know very so I want to argue with you so let me show you this is the full 5 system we have a process which is already see is rooted in Europe the this is the origin of the world but it is it's not accessible and these great directors are not accessible from the process this is the only dietary which is not this is the root directory of the of the process and averaging law is it accessible for the process of course and we want to break all of this is the basic scenario right so what we are doing is we change the current working directory for example for example just see the whole so this will be our current working directory and after that we could comment on the users to directly that he be or a new so that's the initiative to access anything outside right that's the situation but what's really happening here because our current working directory is outside of our rules that you will be able to access everything because the other on the outside right so that's that's the brilliant basic the classic technique what is what is known for a really long time at least for 10 15 years and the 2nd technique is based on the 1st i think it's almost the same but here the not using
the current working directory as you can see I already inside the users and I'm going to call the the system call on this directory to we want to be able to access anything outside but before I do that I just went home directory and acidified descriptors that is that is pointing on these factors and after I call see issues of system called again on that directory will have received fideistic store all again so that they will be able to be able to see all of the directories again it's basically the same but there but there's a difference between the techniques it is the main focus this is the certificate it's really nice looking at the 1 and so you news domain so that's there and you you are familiar with this it's like Internet a letter of something but you don't have to do you have any you don't need any let's look interface on your unions books because it's working dollar network network in excess if you want to do this so that you have to bind and the sum only so that it will create a file on the file system and from the other process you can just connect to that file and that's the comparison you can communicate between the 2 processes and the best thing of all this that you can best to different structures especially for example file descriptors and and it's out of a test in the future salt only notes we have an even better version of the news domain so that's it is called also use them useful but it doesn't create any flies we just works so does not even require file system access so this is the 5
system that we have or process is the shooting that directed the can execute any processes and 1 in binary in that Seagal today the environment and you want to break out so what you are doing is the start the process that you for work and create child process that you have received in the directive that the that that time you have to to use different processes 1 is the rules that 1 of the ponds and the other 1 is the child so what you're doing is you're going back to the Department of process and we also can be indirectly received fight is typical of the set up of Unix domain so that in the in the all in departments and we connect to students in this domain so from the child and that they can communicate between the the 2 processes and the campus through the beam and 5 descriptor and that child will be all sides of the root again and that we will be able to access the full 5 6 the force technique is moment this is the reason may be the most trivial we just look for the root partition of the UNIX books for because it's working on ending so like the Linux we are we are looking forward to partition of the Linux spokes mounted into and dietary gender dietary to that moment each point of point and that's the shooting that so we'll get the full phi system that he wanted and this this technical like a so it's working only on its because this is not just a perspective on mounting you can mount a partition or anything else 7 times if you like this technique is proper you come on the proper faster and the proper 1st of you you have all the information of all processes if you go into the protocol your new system than there you will find lots of numbers that those are the PID is of the process is in that directory you will find different entries for example the the neural responses has the the PID 1 may be all but I don't think so some should noise so this is the beginning of the process which helps you boot you're always and this is the the unit has always the 1st that the PID 1 and that has always the right through so you just don't see it should include a directory and you will be outside of the of the size of the of the usual to the environment this is this 2nd world of Siegel's this was that what by around 5 years ago but I didn't do anything with it and last I maybe I should be a presentation of some research on it so that's why I'm here it's loose this similarity to other tactics part of it has a really and other related you'd be you'd you that you can use it on 5 system access as tho
I'm going to show you that it's not so this is the fastest of the decision to the in the in the directory again and the Department for the process again child is C rooted in that directory and then it changes the child changes the current working directory to the user 7 directors and what the parents we'll do is just move out the dietary outside of the rules that they will be able to see the whole by system again the 7th 2nd stage teachers so this is the best I guess it's really cool uh this is another of the system could reduce system called which is on previous system called you cannot push to any process on the on the server on systems and do a lots of things for example just replace the running could be your with your code so in that way you can execute your shot codes in the contest all on in the context of the other processes of course it should you can or testimony process on the system and if you have a privileges you can only offer to those processes that has your affect the UID only on so you would only to stand out but still other process is no longer use so before I go into the more I have a drink here with me if you know the name discourse quality this is a gift for you if you can also this question before I buy as expression but you already see that so you can just think of all this this is an Estonian when all called so you can gain just after the presentation if you like and this is something I think so maybe you know it's it's it's called costs so the question would be done this service that is usually situated if you pick 1 sorry I don't hear higher vine on dynamic and you got it so you can get it after the presentation of the something so the
landing on the the projector is naturally period so I hope you will see expand easier for you to read but you will manage it I guess what they I I
needed to always changing over these of so I had my testing environment just here as you can see I have all the necessary directors using them in the directory for example being have UTC and right now I can list of the root but if I close the GNU to we'll see you choose on that dietary and I won't be able to see the you would just the new rules here and I have my to but I what I created for this presentation discourse each ruled that has the world the the present the techniques implemented and I'm going to show you the the 1st across a technique for but I have to you a specified directory what I want to use use case and if I push and the I've got what I've got better shot here and if I use the fruit again unless it can see I can I can access everything reason because I'm asking decision I left to that shown by accident this also I I'm back to the decision to the environment and I'm going to show you another technique for example that the the user made sockets which is the 2nd technique in the usage and I have to specify the directory that states we we have to do with the little bits is doing the Unix domain socket connection and that kind of stuff and astonishing how and as you can see I'm outside again so that was the extent of my presentation I have and I will be
open because the a stock that
I go to deceive usual director in the Jewish God as you can see that's the content of the if I use the rules as well this will be the same because I changed the rules uh I I'm going to be here by I B is 0 also I'm roots and and what I'm going to do is I just use this to a lower my UID I'm 18 and my GID his itself so in the other you know what going to go to the directory where might you the so I want you to go and use this leads to what I will it it's a basic program I use it for a cheap because I just want to demonstrate how it works for you and this distillate does nothing just writing all the you have a 2nd and see for 1 2nd so remember the process I fear and I'm going to use the procedure tool again I specify the surveillance technique creatures features for 64 bits processors and I have to specify the if the idea and I give port 1 2 3 4 portions and as you can see I'm connected to what happened here this
process stopped because I want us to that process which is outside of this is due to the environment in which is replaced the court with my shackled it's that bind chuckled I wrote it when I made this presentation for most goal for the PD is that the various and I realize there is no longer usable in the 64 64 bits b is the sharp cold in the Metasploit saliva what fun and I put it into the Metasploit so it's easy to spot now I have a few modules in the Metasploit by the way and this you can see it here I connected to to the child so as you can see I have my UID and GID reaches the and I can access the so that's something that the you moment right now and back to the presentation the results
in this field but it's really bad finding the quality of the which is good that's the good or bad you can decide where you can see green that's the 1st things that work in that the 1st so you can see that rebellion and communities in the 2nd you going to you and I are like a coherent epistasis working on if you like and I always wanted to show you this because under the more
viable lots of emotions OK I have a dragonfly is the a you can see it's 4 or 5 release version I go to the seeds will start at 3 and I call my 2 will be
defeats technique to specify the directory the directory and the student directory innovative and he conveyed great Bates and he got suspicious because think happens and the future of the
columns of the trouble of ideas that you can see it painting so there is a can opening here if you triggered this tool that you can drink together can happen again all 5 years the beach is already fixed because I told them and I tried to to use this slope but do you make it cannot exploit but it's pretty hard it's a new point that the difference you can find the trigger 5 my more on my top it's pretty leads but I cannot do anything that is so itself maybe you can do something with it selected presentation so
1 5 the the costs in the news domain circuits and amortization which results in denial of service that the PGA sister working properly on on previously and on open the reach was a big surprise for me the movement of seizures is looking 1 on open these gives style which is on the part of the surprise and also that was that's most of the 2 techniques are working this is a
comparison between the previous the jail and on the right side and see children the left side of the fence all used features the features cannot published you gotta processes outside of the jail OK so
we have 2 scenarios this in scenarios between them the talk yet but it on the I can go on to the end because you know it wasn't my fault thank so we have 2 distinct scenarios that had to shell access and the other the you had file system access and when the fastest access you can use the move out of the usually uh again because it's it's working technique because you only have to move directories and I'm not going to tell you about the 2 other points because I have to hurry up uh minutes containers are involved if you have a privilege containers but if you have provided container that you can create plastic containers in it and you can do you can use the mold all of cities looked at it again so I'm going to
show you the the mobile this kind so I go to the in
jewels the Ubuntu box I suspect are so we
are here is is the containers that are running on this the I guess the with what happened here all of the robots are not speaking so here we are the Phillies indeed content as you can see there is that exceed astronomy so I'm going to to you what the to in the host of
the operating system you can see the euro dietary and I are close to the and see all the Fontana and is the routes that you can see the galaxy although directories
and and there is 1 more convenient in the previous container you so I just creates an activity in 2015 Director in here in the root directory and from the ITC or I can access the director the 3 but
before I do that sort of effective so I just changed the current working directory to that directory on the on the nested container I go back to the previous container and then I go to do our lives Alexi and Alex you want because that's the name of the container root of fast and in the root directory there is detected 2 directors and I move that directory to to here which is the different on the Alex CSE and that's the if I do some new crops and I can access from the 61 there you would find real root file system so that's the if you have a provision previous continent overseas which is not the usual things in the Linux content as you shouldn't do that then it is possible to break out and
allows Europe which is the most important and a weird thing of so the scenario here we have
a mutual hosting company that hosts different that pages all of the user so have FTP or cones that can be edited on the left side of the hosting company and you can change the director of the authority users or and so we can just we can't just change somehow and as you can see this is the back and all that that page we have this usually because of this decision by the way the child from sort of have you these 1000 duality is the same and the batteries whom FTP seizure I'm going to open an FTP connection to the server the following is the content of that in those decisions to directly which has nothing in it I go back to the that page will better the back-end and change of attitude you home FTP Seagal seizure to I change it it should be there it is I will open another session to the FTP server with the same user it's that's impossible if I missed anything I don't see that as the values of the rule items in it and because the angles into the siege usually do that so I'm going to create the activity Dr. reduces to the text to directly and there is nothing in there if I use that can offer to the roots I won't see anything just activity because the area enclosed in that directly if there in the
1st session which is which is in close to 1 another directly by callous decision to mean that directly I can lose the activity directory of stop but if only in that directory to for the being which was a successful rename and I issue the other commands and I can fix year old good because the outside of that vector so that they can break out for example a hosting companies FTP server and you can even download the boss 5 because it's readable for everybody on her head so its
roots and where termitic 2015 OK that was my last demand this is the
new world my to discourse huge again you can download it it's open source it's on you hard but in the future I would like to do some more research on the topic if you have access to you as teach for example right so each view them please tell me if I can't as those and i've you add more more slides and King student to my and if you want to help me by giving me or common sort of try to tie all of these techniques on your books is then just knowledge and tell me or you want if you want to fix up cold than I'm OK with just found again so please if you would like to just you and I would like to say thank you for my girlfriend and my family for their support what I guess from them but for fear so that designers mentoring me and spend interest offers for reviewing my slides previously these other references for those for those who will involve my my slides from the activity that set of minus you up and thank you very much you have any questions now is the time that is my webpage ideas page and my teeth or if you like my presentation please please just follow
Bit
Momentenproblem
Versionsverwaltung
Twitter <Softwareplattform>
Kombinatorische Gruppentheorie
Kernel <Informatik>
Homepage
Physikalisches System
Systemprogrammierung
Mailing-Liste
Einheit <Mathematik>
Minimum
Passwort
Neunzehn
Hacker
Datenstruktur
Hacker
Auswahlaxiom
Digitales Zertifikat
Prozess <Informatik>
Freier Ladungsträger
Assembler
Vererbungshierarchie
Computersicherheit
BSD UNIX
Profil <Aerodynamik>
Web-Seite
Quick-Sort
Rechenschieber
Auswahlaxiom
Twitter <Softwareplattform>
Wurzel <Mathematik>
Debugging
Mereologie
Projektive Ebene
Versionsverwaltung
Bit
Subtraktion
Prozess <Physik>
Kontrollstruktur
Ablöseblase
Kombinatorische Gruppentheorie
Wiederherstellung <Informatik>
Systemprogrammierung
Physikalisches System
Mailing-Liste
Arithmetischer Ausdruck
Softwaretest
Netzbetriebssystem
Vorlesung/Konferenz
Indexberechnung
Wurzel <Mathematik>
Datenstruktur
Phasenumwandlung
Trennungsaxiom
Softwaretest
Prozess <Informatik>
Physikalischer Effekt
Kategorie <Mathematik>
Vererbungshierarchie
Systemaufruf
Routing
Strömungsrichtung
Schlussregel
Programmierumgebung
Physikalisches System
Quellcode
Partitionsfunktion
Algorithmische Programmiersprache
Ordnungsreduktion
Summengleichung
Wurzel <Mathematik>
Festspeicher
Mereologie
Hypermedia
Gamecontroller
Wiederherstellung <Informatik>
Ordnung <Mathematik>
Programmierumgebung
Verzeichnisdienst
Prozess <Physik>
Punkt
Freeware
Gruppenkeim
Kartesische Koordinaten
Maschinensprache
Homepage
Eins
Einheit <Mathematik>
Prozess <Informatik>
Mixed Reality
Dateiverwaltung
Skript <Programm>
Wurzel <Mathematik>
Serviceorientierte Architektur
Schießverfahren
Prozess <Informatik>
Computersicherheit
Reihe
Systemaufruf
Strömungsrichtung
Programmierumgebung
Quellcode
Kontextbezogenes System
Algorithmische Programmiersprache
Entscheidungstheorie
Dienst <Informatik>
Datenstruktur
Wurzel <Mathematik>
Rechter Winkel
Festspeicher
Server
Eindeutigkeit
Ordnung <Mathematik>
Programmierumgebung
Verzeichnisdienst
Mathematisierung
Web-Seite
Kombinatorische Gruppentheorie
Demoszene <Programmierung>
Mailing-Liste
Bildschirmmaske
Verzeichnisdienst
Datenstruktur
Grundraum
Elektronische Publikation
Schlussregel
Mailing-Liste
Routing
Physikalisches System
Elektronische Publikation
Binder <Informatik>
Maskierung <Informatik>
Nabel <Mathematik>
Quick-Sort
Wurzelsystem <Mathematik>
Innerer Punkt
Kernel <Informatik>
Bit
Prozess <Physik>
Kombinatorische Gruppentheorie
Gesetz <Physik>
Binärcode
Code
Raum-Zeit
Verzeichnisdienst
Einheit <Mathematik>
Code
Programmbibliothek
Vorlesung/Konferenz
Passwort
Wurzel <Mathematik>
Datenstruktur
Konfigurationsraum
Modul
Binärdaten
Sichtenkonzept
Systemaufruf
Gasströmung
Schlussregel
Strömungsrichtung
Routing
Mailing-Liste
Physikalisches System
Exploit
Kontextbezogenes System
Datenfluss
Modul
Konfiguration <Informatik>
Wurzel <Mathematik>
Rechter Winkel
Faltung <Mathematik>
Verzeichnisdienst
Programmierumgebung
Varietät <Mathematik>
Gewichtete Summe
Prozess <Physik>
Punkt
Momentenproblem
Versionsverwaltung
t-Test
Binärcode
Ähnlichkeitsgeometrie
Internetworking
Richtung
Einheit <Mathematik>
Dateiverwaltung
Wurzel <Mathematik>
Schnittstelle
Softwaretest
Internetworking
Schnelltaste
Schießverfahren
Datennetz
Systemaufruf
Strömungsrichtung
Ähnlichkeitsgeometrie
Forcing
Wurzel <Mathematik>
Geschlecht <Mathematik>
Rechter Winkel
Information
Verzeichnisdienst
Programmierumgebung
Beweistheorie
Subtraktion
Zahlenbereich
Geräusch
Kombinatorische Gruppentheorie
Physikalisches System
Domain-Name
Verzeichnisdienst
Hauptidealring
Perspektive
Endogene Variable
Socket-Schnittstelle
Datenstruktur
Speicher <Informatik>
Digitales Zertifikat
Elektronische Publikation
Protokoll <Datenverarbeitungssystem>
Booten
Vererbungshierarchie
Schlussregel
Physikalisches System
Paarvergleich
Elektronische Publikation
Partitionsfunktion
Fokalpunkt
Mereologie
Prozess <Physik>
Prozess <Informatik>
Diskretes System
Mathematisierung
Schlussregel
Strömungsrichtung
Physikalisches System
Kombinatorische Gruppentheorie
Kontextbezogenes System
Frequenz
Nabel <Mathematik>
Code
Entscheidungstheorie
Physikalisches System
Dienst <Informatik>
Arithmetischer Ausdruck
Wurzel <Mathematik>
Code
Codierung
Server
Vererbungshierarchie
Beamer
Verzeichnisdienst
Demo <Programm>
Einfach zusammenhängender Raum
Softwaretest
Bit
Schlussregel
Kombinatorische Gruppentheorie
Socket-Schnittstelle
Entscheidungstheorie
Domain-Name
Vorlesung/Konferenz
Socket
Maßerweiterung
Programmierumgebung
Verzeichnisdienst
Resultante
Schnelltaste
Bit
Prozess <Physik>
Momentenproblem
Schlussregel
Kombinatorische Gruppentheorie
Modul
Algorithmische Programmiersprache
Grundsätze ordnungsmäßiger Datenverarbeitung
Vorlesung/Konferenz
Coprozessor
Inhalt <Mathematik>
Optimierung
Verzeichnisdienst
Programmierumgebung
Datenfeld
Versionsverwaltung
Subtraktion
Punkt
t-Test
Vorlesung/Konferenz
Kombinatorische Gruppentheorie
Verzeichnisdienst
DoS-Attacke
Resultante
Domain-Name
Rechter Winkel
Digitaltechnik
Mereologie
Paarvergleich
Physikalisches System
Elektronische Publikation
Punkt
Namensraum
Dateisystem
Dateiverwaltung
Vorlesung/Konferenz
Programmierumgebung
Verzeichnisdienst
Nabel <Mathematik>
Demo <Programm>
Quader
Wurzel <Mathematik>
Vorlesung/Konferenz
Roboter
Netzbetriebssystem
Routing
Wurzel <Mathematik>
Verzeichnisdienst
Soundverarbeitung
Reelle Zahl
Dateiverwaltung
Strömungsrichtung
Inhalt <Mathematik>
Wurzel <Mathematik>
Verzeichnisdienst
Einfach zusammenhängender Raum
Autorisierung
Filetransferprotokoll
Winkel
Güte der Anpassung
Mathematisierung
Abgeschlossene Menge
Schlussregel
Euler-Winkel
Quick-Sort
Entscheidungstheorie
Homepage
Flächeninhalt
Benutzerschnittstellenverwaltungssystem
Server
Dualitätstheorie
Wurzel <Mathematik>
Inhalt <Mathematik>
Verzeichnisdienst
Schreib-Lese-Kopf
Drucksondierung
Rechenschieber
Systemprogrammierung
Softwaretest
Sichtenkonzept
Rechter Winkel
Open Source
t-Test
Familie <Mathematik>
Trägheitsmoment
Wurzel <Mathematik>
Web-Seite
Quick-Sort
Homepage

Metadaten

Formale Metadaten

Titel Chw00t: Breaking Unices' chroot solutions
Serientitel Hacktivity 2015
Teil 05
Anzahl der Teile 29
Autor Bucsay, Balázs
Lizenz CC-Namensnennung 3.0 Deutschland:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/18833
Herausgeber Hacktivity
Erscheinungsjahr 2015
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract Chroot is not a security solution, still lots of people use it as it was one. Based on chroot, Jail was introduced in FreeBSD, Containers — in Solaris, and LXC — on Linux. However, Unices implemented chroot in different ways. Some of the implementations are easy to break, some of them are just partly breakable but one thing is sure: you would be surprised how many. The presentation focuses on escape techniques and the tool called chw00t, a small handy one that makes it easy to pop shells out of the chroot environment.

Zugehöriges Material

Ähnliche Filme

Loading...