Vigil@nce - libcap: chroot jail escaping of capsh
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
The capsh program does not correctly create his chroot jail, so an
attacker inside this jail can escape.
Severity: 1/4
Creation date: 02/11/2011
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The libcap library implements the support of Linux Capabilities.
This library provides the capsh program, which is used to start a
shell with restricted capabilities.
However, after creating the chroot jail, capsh does not change its
current directory. So, instead of having a current directory
inside the jail, it is still outside. The program which is run
inside the jail can thus access to files located outside the jail.
The capsh program therefore does not correctly create his chroot
jail, so an attacker inside this jail can escape, in order to
access to external files.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libcap-chroot-jail-escaping-of-capsh-11117