Closed bool101 closed 9 years ago
The chroot could be done between `__libc_start_main` and `main`, so that we don't have to worry about all this. This can be done either with `LD_PRELOAD` or a custom `libc.so.6` in `LD_LIBRARY_PATH`.
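The mechanism proposed above, as an added example (not code from the tracker project): a small `LD_PRELOAD` library whose constructor runs between `__libc_start_main` and `main` and moves the target into a jail before any of the target's own code executes. The environment variable name `GK_CHROOT_DIR` is an assumption made for this example. Since `chroot(2)` needs `CAP_SYS_CHROOT`, an unprivileged caller first unshares into a new user namespace, which grants that capability inside the namespace; this is a separate matter from whether `/dev` or `/proc` can be populated there.

```c
/* Added example, not part of the tracker project.
 * Build:  gcc -shared -fPIC -o prechroot.so prechroot.c
 * Run:    GK_CHROOT_DIR=/path/to/jail LD_PRELOAD=./prechroot.so ./target
 * GK_CHROOT_DIR is an assumed knob name chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* from <linux/sched.h> */
#endif

/* Enter `dir` as the new root. Returns 0 on success, -1 with errno set.
 * Without root, chroot(2) requires CAP_SYS_CHROOT; a fresh user namespace
 * grants the full capability set inside that namespace, so unprivileged
 * callers unshare(CLONE_NEWUSER) first. unshare() refuses multithreaded
 * processes (EINVAL), which is why doing this in a constructor, before
 * main() can spawn threads, is convenient. */
int enter_chroot(const char *dir)
{
    if (dir == NULL || *dir == '\0') {
        errno = EINVAL;
        return -1;
    }
    /* syscall(2) is used instead of unshare(3) so the example compiles
     * regardless of feature-test macros; it is the same system call. */
    if (geteuid() != 0 && syscall(SYS_unshare, CLONE_NEWUSER) != 0)
        return -1;                  /* e.g. user namespaces disabled */
    if (chroot(dir) != 0)
        return -1;                  /* ENOENT, ENOTDIR, EPERM ... */
    if (chdir("/") != 0)            /* never leave the cwd outside the jail */
        return -1;
    return 0;
}

/* Runs before main(). A no-op unless GK_CHROOT_DIR is set, so loading the
 * object into an unrelated process does nothing. On failure we terminate:
 * continuing un-jailed would silently defeat the gatekeeper. */
__attribute__((constructor))
static void prechroot_init(void)
{
    const char *dir = getenv("GK_CHROOT_DIR");
    if (dir == NULL)
        return;
    if (enter_chroot(dir) != 0) {
        fprintf(stderr, "prechroot: chroot(%s) failed: %s\n",
                dir, strerror(errno));
        _exit(111);
    }
    /* Don't hand the knob or the preload on to children of the target;
     * inside the jail ./prechroot.so would not resolve anyway. */
    unsetenv("GK_CHROOT_DIR");
    unsetenv("LD_PRELOAD");
}
```

Note that `LD_PRELOAD` is ignored for setuid targets and can be cleared by a target that re-execs itself, so this only constrains binaries that cooperate with the dynamic loader; the `LD_LIBRARY_PATH` variant has the same limits.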
Why not both?
We can't emulate anything from `/dev` or `/proc` inside of a chroot without root, even with `CLONE_NEWUSER`. The best we could do is to copy the required libs (e.g. from `ldd binary`) into the chroot.
Correct. Your idea here https://github.com/samuraictf/tracker/issues/55#issuecomment-86306576 is a good one. We should probably open `/dev/urandom` on a static fd as well. Also, we can build a `/bin` environment with a shell that feeds back incorrect keys.

> we can build a `/bin` environment with a shell that feeds back incorrect keys

Easier to just stick a fake (or valid, but out-of-date) flag in the "correct" location.
This is pretty easy with a bash script. Example in readme.md that will generate the chroot for `/bin/bash` and `/bin/ls`. If we have the disk space we should consider mirroring the whole box in the chroot (including old flags) to help delay detection of this technique.
Creating a duplicate of the filesystem -- as best we can -- will be hard for permissions reasons (we can't make our fake `/bin` owned by root) and for mount-related reasons (no `/dev/`, `/proc`, `/sys`). While we can spend time building a facade of "it's the real thing!" it won't hold up to much inspection. I'd vote just to have a `busybox` environment and mirror a few things -- like the layout of the user folders and locations of the flags.
One of the options in gatekeeper is to chroot a target binary. To do this a chroot environment must first be built. This typically contains things like the `/dev` and `/proc` environments along with some utilities from `/bin`, `/lib`, etc. We need a script to automatically generate as much of this as possible. Probably already exists somewhere?
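The generator the issue asks for, and the "copy the libs `ldd` reports" plus "plant a stale flag in the correct location" ideas from the comments above, as one added example. This is not the tracker project's readme.md script. It copies each requested binary and the shared objects `ldd` lists for it into the jail, creates empty `/dev` and `/proc` mount points (they stay empty without root, as noted in the thread), and can drop a decoy flag at a caller-chosen path; the `/home/ctf/flag` path in the usage comment is an assumption, not a path from the thread.

```sh
#!/bin/sh
# Added example, not the tracker project's own script.
# Usage: build_chroot JAILDIR BINARY...   e.g. build_chroot /tmp/jail /bin/bash /bin/ls
#        add_decoy_flag JAILDIR /home/ctf/flag 'flag{old}'   (path is an assumption)

# Copy one file into the jail at the same absolute path, keeping its mode.
# cp follows symlinks, so a path like /lib64/ld-linux-x86-64.so.2 ends up
# as a regular file where the loader expects it.
copy_into_jail() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Print the absolute paths of the shared objects binary $1 needs.
# ldd emits lines such as
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
# The vDSO has no path and is skipped; a static binary makes ldd fail,
# which is fine because it needs nothing copied.
list_deps() {
    ldd "$1" 2>/dev/null \
        | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
               $1 ~ /^\//               { print $1 }' \
        | sort -u
}

# Lay down the skeleton and copy every binary plus its dependencies.
build_chroot() {
    jail=$1
    shift
    mkdir -p "$jail/bin" "$jail/dev" "$jail/proc" "$jail/tmp" "$jail/home"
    chmod 1777 "$jail/tmp"
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        list_deps "$bin" | while IFS= read -r lib; do
            [ -e "$jail$lib" ] || copy_into_jail "$jail" "$lib"
        done
    done
}

# Put a fake (or outdated) flag where a real one would live, so someone
# who lands in the jail sees the expected layout. Mode 0644 mirrors a
# typical world-readable flag; adjust to match the real box.
add_decoy_flag() {
    jail=$1
    path=$2
    content=$3
    mkdir -p "$jail$(dirname "$path")"
    printf '%s\n' "$content" > "$jail$path"
    chmod 644 "$jail$path"
}

# Run as a script: build_chroot with the command-line arguments.
if [ $# -ge 2 ]; then
    build_chroot "$@"
fi
```

Everything in the jail is owned by the user running the script, as the thread points out, so `ls -l` inside the jail gives the game away; this script is about getting a working environment quickly, not about a convincing facade.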