SFTP chroot: Writable root
halfdog
me at halfdog.net
Mon Jan 8 05:41:46 AEDT 2018
Hello list,

I created a page to demonstrate what would happen when the chroot
root directory is writable. In fact, code execution is already
possible when only /etc and /bin are writable. I also tried to
escape the chroot jail, but that did not work for non-root users.

As the 2009 CVE activities mention that creating hardlinks
from outside gives trivial chroot, I showed that any cooperating
access from the outside - no matter if it is the same user or
another one - leads to root privilege escalation, even without
hardlinks, just using the default behaviour of any shared linked
SUID binary.

hd
[0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/
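
A defender-side check for the condition this post describes, added here as an example; it is not part of the original message or of the linked page. It applies the rule documented for ChrootDirectory in sshd_config(5) (root-owned directories, not writable by group or others) to every ancestor of the chroot root, and extends it to the /etc and /bin directories inside the jail that the post names. The function names, the SENSITIVE list and the trusted_uids parameter are assumptions of this example.

```python
import os
import stat
import sys

# "" is the chroot root; etc and bin are the directories the post names.
SENSITIVE = ("", "etc", "bin")


def check_dir(path, trusted_uids=(0,)):
    """Return the problems found with one directory (empty list means OK)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []  # not present, so nothing there to overwrite
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: audit its target separately"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"group/world writable (mode {mode:04o})")
    return problems


def audit_chroot(root, trusted_uids=(0,)):
    """Return {path: problems} for every checked path that has problems."""
    root = os.path.realpath(root)
    paths = [os.path.join(root, name) if name else root for name in SENSITIVE]
    parent = os.path.dirname(root)
    while True:  # every ancestor of the chroot root, up to "/"
        paths.append(parent)
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    found = {p: check_dir(p, trusted_uids) for p in paths}
    return {p: probs for p, probs in found.items() if probs}


if __name__ == "__main__":
    # Usage: python3 audit_chroot.py /path/to/chroot  (path is the reader's own)
    report = audit_chroot(sys.argv[1])
    for path, probs in sorted(report.items()):
        print(f"{path}: {'; '.join(probs)}")
    sys.exit(1 if report else 0)
```
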