Vulnerability in sysjail enables escape from "system jail"
The developers of the sysjail security tool are currently advising against using it because of a bug that makes it possible to escape from the "jail". Sysjail ports the jails concept known from FreeBSD to other BSD derivatives that use the systrace library. Jails make it possible to confine processes so that they can only access one part of the file system and are not allowed to use functions that might be dangerous. Even if an attacker has gained full control over a process in the jail, the attacker should only be able to inflict a small amount of damage, since it should not be possible to escape from the jail even with root privileges. Among other things, the jail intercepts system calls, checks the arguments passed to them and rewrites them if necessary.
The vulnerability is caused by race conditions in the system-call wrappers: arguments such as IP addresses that the wrapper has rewritten can be changed again afterwards. The developers have confirmed that the bind and sysctl wrappers are affected, as their arguments can be written back again after inspection and alteration. It is not yet known when an updated version of sysjail will be available.
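To show why an in-place rewrite of a caller's argument buffer is not enough, here is an added example (not code from sysjail or from Watson's paper) that models a bind() wrapper two ways: one validates and rewrites the caller's buffer and then lets the "kernel" read that same buffer again, the other copies the buffer once and passes only the copy on. The jail address, the kernel_bind stand-in and the concurrent-modification callback are constructed for the demonstration.

```c
/* Model of a system-call wrapper for bind(): check-then-reuse vs. copy-once.
 * Added example; the jail address and kernel_bind stand-in are constructed. */
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static const char *JAIL_ADDR = "10.0.0.5";   /* constructed policy value */

/* Stand-in for the real kernel bind(): remembers the address it was given. */
static uint32_t last_bound_addr;
static int kernel_bind(const struct sockaddr_in *sa) {
    last_bound_addr = sa->sin_addr.s_addr;
    return 0;
}

/* Simulates another thread touching the buffer after the wrapper's check. */
typedef void (*modify_fn)(struct sockaddr_in *);
static void concurrent_modification(struct sockaddr_in *sa) {
    inet_pton(AF_INET, "0.0.0.0", &sa->sin_addr);   /* undoes the rewrite */
}

/* Unsafe pattern: rewrite the caller's buffer, then hand the same buffer on,
 * so the kernel fetches the argument a second time (the sysjail defect). */
static int bind_wrapper_unsafe(struct sockaddr_in *user_sa, modify_fn race) {
    inet_pton(AF_INET, JAIL_ADDR, &user_sa->sin_addr);
    if (race) race(user_sa);          /* window between check and use */
    return kernel_bind(user_sa);      /* second fetch sees the change */
}

/* Safe pattern: fetch once into private memory, rewrite the copy, and pass
 * only the copy on; later changes to the caller's buffer are irrelevant. */
static int bind_wrapper_safe(struct sockaddr_in *user_sa, modify_fn race) {
    struct sockaddr_in copy;
    memcpy(&copy, user_sa, sizeof copy);
    inet_pton(AF_INET, JAIL_ADDR, &copy.sin_addr);
    if (race) race(user_sa);          /* too late: the copy is already fixed */
    return kernel_bind(&copy);
}

/* Returns 1 if the address actually bound matches the jail policy. */
static int bound_to_jail_addr(void) {
    struct in_addr want;
    inet_pton(AF_INET, JAIL_ADDR, &want);
    return last_bound_addr == want.s_addr;
}

int demo_unsafe(void) {              /* 0: policy bypassed under the race */
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa); sa.sin_family = AF_INET;
    bind_wrapper_unsafe(&sa, concurrent_modification);
    return bound_to_jail_addr();
}
int demo_safe(void) {                /* 1: policy holds despite the race */
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa); sa.sin_family = AF_INET;
    bind_wrapper_safe(&sa, concurrent_modification);
    return bound_to_jail_addr();
}
```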
The bug was discovered by Robert Watson of Cambridge University, who has also published a detailed analysis in which he names both the TIS wrapper Generic Software Wrappers Toolkit (GSWTK) and CerbNG as being vulnerable.
- Exploiting Concurrency Vulnerabilities in System Call Wrappers, bug report by Robert N. M. Watson