google / nsjail

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
https://nsjail.dev
Apache License 2.0

Not able to run a CTF binary #127

Open norey opened 5 years ago

norey commented 5 years ago

I'm running the following command for a CTF binary chal. chal is basically an echo server, so after the following, I connect to it with netcat and get the last two lines below. Anything sent is not returned. I'm very new to nsjail and I'm not sure how to troubleshoot the problem. The binary works fine without nsjail of course.

chal is 64-bit and uses the normal socket functions (socket, listen, bind, connect, send, recv, write, read, etc.), system(), fork(), dlsym(), memset() and others. Nothing really out of the ordinary.

This is on Ubuntu Server 18.04 using commit a78019993fe7cffd9865300036133b8a54a23019.

$ nsjail -Ml --port 50085 --cwd /home/user/ctf_final/ --chroot /  -R /bin -R /lib -R /lib32 -R /lib64 --rw -- /home/user/ctf_final/chal
[I][2019-10-25T21:21:35-0500] Mode: LISTEN_TCP
[I][2019-10-25T21:21:35-0500] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/home/user/ctf_final/chal', bind:[::]:50085, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2019-10-25T21:21:35-0500] Mount: '/' -> '/' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/bin' -> '/bin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib32' -> '/lib32' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib64' -> '/lib64' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Uid map: inside_uid:1000 outside_uid:1000 count:1 newuidmap:false
[I][2019-10-25T21:21:35-0500] Gid map: inside_gid:1000 outside_gid:1000 count:1 newgidmap:false
[I][2019-10-25T21:21:35-0500] Listening on [::]:50085
[I][2019-10-25T21:21:39-0500] New connection from: [::ffff:192.168.131.1]:54972 on: [::ffff:192.168.131.150]:50085
[I][2019-10-25T21:21:39-0500] Executing '/home/user/ctf_final/chal' for '[::ffff:192.168.131.1]:54972'
disconnect3d commented 5 years ago

Hey,

chal is basically an echo server

and:

nsjail -Ml --port 50085

doesn't "stand well".

As it is described in the nsjail --help examples:

 Examples: 
 Wait on a port 31337 for connections, and run /bin/sh
  nsjail -Ml --port 31337 --chroot / -- /bin/sh -i

The -Ml --port ... makes nsjail host its own server and forward each connection to a newly created and sandboxed /bin/sh.

In other words, the -Ml --port ... can be used to "socketize and sandbox" a given binary or a ctf challenge. An example of that can be found at https://github.com/disconnect3d/reverse-me-python.

So you would have to use another option than -Ml, but since nsjail spawns a new network namespace I am not sure if it allows you to sandbox a server-like binary out of the box.

EDIT: It probably allows doing so, since there are configs for e.g. apache: https://github.com/google/nsjail/blob/master/configs/apache.cfg but you probably have to specify the network interface somehow (see macvlan in the apache config).

norey commented 5 years ago

I don't understand those settings and what they are used for.

 --macvlan_iface|-I VALUE
    Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'
 --macvlan_vs_ip VALUE
    IP of the 'vs' interface (e.g. "192.168.0.1")
 --macvlan_vs_nm VALUE
    Netmask of the 'vs' interface (e.g. "255.255.255.0")
 --macvlan_vs_gw VALUE
    Default GW for the 'vs' interface (e.g. "192.168.0.1")
 --macvlan_vs_ma VALUE
    MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")

I thought this was the interface that is supposed to be bound to the local one. So I used the local interface and got "Address already in use" errors, so yeah... I don't get it. And I'm not sure why this would make it work in the first place.

happyCoder92 commented 4 years ago

The easiest way to run an unmodified binary is to add --disable_clone_newnet to the nsjail command line (beware: it will use the host netns then, so it will be less isolated).
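As an added example (not nsjail's code and not the challenge binary from this issue) that ties together disconnect3d's description of -Ml and happyCoder92's --disable_clone_newnet suggestion: a Python echo handler that, when fd 0 is a socket, serves the connection nsjail already accepted on stdin/stdout (the -Ml form), and otherwise binds its own port the way the reporter's chal does, which inside the jail only works with --disable_clone_newnet or a macvlan interface. The function names are assumed for this example; port 50085 is taken from the thread.

```python
import io
import os
import socket
import stat
import sys

def fd_is_socket(fd: int) -> bool:
    """True when fd is a socket: under 'nsjail -Ml' the accepted TCP connection
    is handed to the jailed process on fds 0/1/2, so stdin/stdout is the client."""
    return stat.S_ISSOCK(os.fstat(fd).st_mode)

def echo_loop(reader, writer, max_line: int = 4096) -> int:
    """Echo each line back until EOF; returns bytes echoed.
    max_line caps a single read so a client cannot make us buffer unboundedly."""
    total = 0
    while True:
        line = reader.readline(max_line)
        if not line:
            return total
        writer.write(line)
        writer.flush()
        total += len(line)

def echo_bytes(data: bytes) -> bytes:
    """Run the echo loop over in-memory buffers (lets the handler be tested offline)."""
    out = io.BytesIO()
    echo_loop(io.BytesIO(data), out)
    return out.getvalue()

def serve_stdio() -> int:
    """The '-Ml --port' form: nsjail accepted the connection, just use stdin/stdout."""
    return echo_loop(sys.stdin.buffer, sys.stdout.buffer)

def serve_own_socket(port: int) -> int:
    """The form chal uses: bind a port ourselves. In nsjail's default fresh network
    namespace nothing can reach this; it needs --disable_clone_newnet or macvlan."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.bind(("::", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
            return echo_loop(r, w)

if __name__ == "__main__":
    if fd_is_socket(sys.stdin.fileno()):
        serve_stdio()
    else:
        serve_own_socket(int(sys.argv[1]) if len(sys.argv) > 1 else 50085)
```

Run as `nsjail -Ml --port 50085 ... -- /usr/bin/python3 echo.py` and the socket branch is taken; run it bare (or with --disable_clone_newnet) and it binds port 50085 itself.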