Fix/linux env/readlink #1

Sh3idan · 2019-12-24T22:19:43Z

Fix sandbox escape.

case 1

My architecture:

file_sb/
├── home
│   └── user
│       └── bin.elf
└── proc
    ├── 1000
    │   └── exe -> ../../home/user/bin.elf
    └── self -> 1000

FileSystem::resolve_path returns non-sandboxed path if path parameter is a symbolic link and follow_link is False. See below:

[syscalls][sys_x86_64_readlink][DEBUG]: sys_readlink('/proc/self/exe', 13f028, fff)
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> 'home/user/bin.elf'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

case 2

file_sb/
├── home
│   └── user
│       └── bin.elf
└── proc
    ├── 1000
    │   └── exe -> ../../../../home/user/bin.elf
    └── self -> 1000

Second case:

[syscalls][sys_generic_open][DEBUG]: sys_open('/proc/self/exe', 0, 0)
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=True)
[environment][resolve_path][DEBUG]: resolve_path(path='../../home/user/bin.elf', follow_link=True)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/../../home/user/bin.elf'
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/../../home/user/bin.elf'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

...

[syscalls][sys_x86_64_readlink][DEBUG]: sys_readlink('/proc/self/exe', 13f028, fff)
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '../../home/user/bin.elf'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

Current behavior

try to solve relative link targeting something in the sandbox

[environment][readlink][DEBUG]: readlink('/proc/self/exe')
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/proc/self/exe'
[environment][resolve_path][DEBUG]: resolve_path(path='/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf'
[environment][readlink][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> 4b

try to solve relative link targeting something out of sandbox

[environment][readlink][DEBUG]: readlink('/proc/self/exe')
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/proc/self/exe'
[environment][resolve_path][DEBUG]: resolve_path(path='/home/bla/[TRUNCATED]/bin.elf', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/bla/[TRUNCATED]/chal/home/user/bin.elf'
[environment][readlink][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/bla/[TRUNCATED]/chal/home/user/bin.elf'

try to solve absolute link targeting something in the sandbox

[environment][readlink][DEBUG]: readlink('/proc/self/exe')
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/proc/self/exe'
[environment][resolve_path][DEBUG]: resolve_path(path='/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf'
[environment][readlink][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/home/user/bin.elf'

try to solve absolute link targting something out of the sandbox

[syscalls][sys_generic_open][DEBUG]: sys_open('/proc/self/exe', 0, 0)
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=True)
[environment][readlink][DEBUG]: readlink('/home/bla/[TRUNCATED]/file_sb/proc/self/exe')
[environment][resolve_path][DEBUG]: resolve_path(path='/home/bla/[TRUNCATED]/file_sb/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/proc/self/exe'
[environment][resolve_path][DEBUG]: resolve_path(path='/tmp', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/tmp'
[environment][readlink][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/tmp'
[environment][resolve_path][DEBUG]: resolve_path(path='/home/bla/[TRUNCATED]/file_sb/tmp', follow_link=True)
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/tmp'
[environment][resolve_path][DEBUG]: -> '/home/bla/[TRUNCATED]/file_sb/tmp'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

…reading link

Sh3idan added 3 commits December 19, 2019 08:48

move assert before the return value

a9690a4

resolve_path only translate a path to a sandboxed path + readlink is …

e9768f0

…reading link

sys_x86_64_readlink: fix concatenation between str and bytes

025923d

Sh3idan merged commit 5f1bd0c into fix/linux_env/resolve_path Dec 24, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Fix/linux env/readlink #1

Fix/linux env/readlink #1

Uh oh!

Sh3idan commented Dec 24, 2019 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Fix/linux env/readlink #1

Fix/linux env/readlink #1

Uh oh!

Conversation

Sh3idan commented Dec 24, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

case 1

case 2

Current behavior

try to solve relative link targeting something in the sandbox

try to solve relative link targeting something out of sandbox

try to solve absolute link targeting something in the sandbox

try to solve absolute link targting something out of the sandbox

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Sh3idan commented Dec 24, 2019 •

edited

Loading