Solaris Zones is a technology used to virtualize operating system services and provide an isolated environment for running applications. A zone is a virtualized operating system environment created within a single instance of the Solaris Operating System. When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation should prevent processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process running with superuser credentials shouldn’t be able to view or affect activity in other zones.
There are two different kinds of zones: global and non-global. The global zone represents the conventional Solaris execution environment and is the only zone from which non-global zones can be configured and installed. By default, non-global zones cannot access the global zone or other non-global zones. All zones have a security boundary around them and are confined to their own subtree of the filesystem hierarchy. Every zone has its own root directory, has separate processes and devices, and operates with fewer privileges than the global zone.
The platform that I used throughout this section was the default installation of the Solaris 10 10/08 x86/x64 DVD Full Image (sol-10-u6-ga1-x86-dvd.iso), which identifies itself as Solaris 10 Generic_137138-09.
Sun and Oracle were very confident about the security of their Zones technology when they rolled it out:
Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones.
Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole. . .[112]
Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available within a zone, use the ppriv utility.[113]
Solaris Zones is great, but there is one weak point: All zones (global and non-global) share the same kernel. If there is a bug in the kernel that allows arbitrary code execution, it’s possible to cross all security boundaries, escape from a non-global zone, and compromise other non-global zones or even the global zone. To demonstrate this, I recorded a video that shows the exploit for the vulnerability described in Chapter 3 in action. The exploit allows an unprivileged user to escape from a non-global zone and then compromise all other zones, including the global zone. You can find the video on this book’s website.[114]
To set up the Solaris Zone for Chapter 3, I took the following steps (all of them have to be performed as a privileged user in the global zone):
solaris# id
uid=0(root) gid=0(root)
solaris# zonename
global
The first thing I did was to create a filesystem area for the new zone to reside in:
solaris# mkdir /wwwzone
solaris# chmod 700 /wwwzone
solaris# ls -l / | grep wwwzone
drwx------   2 root     root         512 Aug 23 12:45 wwwzone
I then used zonecfg to create the new non-global zone:
solaris# zonecfg -z wwwzone
wwwzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:wwwzone>create
zonecfg:wwwzone>set zonepath=/wwwzone
zonecfg:wwwzone>set autoboot=true
zonecfg:wwwzone>add net
zonecfg:wwwzone:net>set address=192.168.10.250
zonecfg:wwwzone:net>set defrouter=192.168.10.1
zonecfg:wwwzone:net>set physical=e1000g0
zonecfg:wwwzone:net>end
zonecfg:wwwzone>verify
zonecfg:wwwzone>commit
zonecfg:wwwzone>exit
After that, I checked the results of my actions with zoneadm:
solaris# zoneadm list -vc
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   - wwwzone          configured /wwwzone                       native   shared
Next, I installed and booted the new non-global zone:
solaris# zoneadm -z wwwzone install
Preparing to install zone <wwwzone>.
Creating list of files to copy from the global zone.
Copying <8135> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1173> packages on the zone.
Initialized <1173> packages on zone.
Zone <wwwzone> is initialized.
solaris# zoneadm -z wwwzone boot
To ensure that everything had gone okay, I pinged the IP address of the new non-global zone:
solaris# ping 192.168.10.250
192.168.10.250 is alive
To log into the new non-global zone, I used the following command:
solaris# zlogin -C wwwzone
After answering the questions regarding language and terminal settings, I logged in as root and created a new unprivileged user:
solaris# id
uid=0(root) gid=0(root)
solaris# zonename
wwwzone
solaris# mkdir /export/home
solaris# mkdir /export/home/wwwuser
solaris# useradd -d /export/home/wwwuser wwwuser
solaris# chown wwwuser /export/home/wwwuser
solaris# passwd wwwuser
I then used this unprivileged user to exploit the Solaris kernel vulnerability described in Chapter 3.
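Before handing the zone to an unprivileged user it is worth confirming that the privilege confinement quoted above actually holds for wwwzone. The script below is an added example; it is not part of the book, of the exploit, or of Solaris. It assumes the Solaris 10 tool behaviour documented in note [113]: ppriv -l prints every privilege the kernel knows, ppriv -l zone prints the subset available in the calling zone, ppriv <pid> shows a process's E/I/P/L sets (root's limit set is "all" in the global zone and "zone" inside a non-global zone), and zonename prints the current zone. The two helpers that do the comparison have no Solaris dependency and are exercised with constructed sample lists.

```shell
#!/bin/sh
# Added example (not from the book): show which privileges a non-global
# zone can never grant, and what the limit set of the current shell is.
# Requires ppriv(1) and zonename(1) when run with the "report" argument;
# the two helpers below are plain POSIX sh and work on any system.

# privs_dropped ALL_FILE ZONE_FILE
#   ALL_FILE:  output of `ppriv -l`      (every privilege the kernel knows)
#   ZONE_FILE: output of `ppriv -l zone` (privileges this zone may use)
# Prints, sorted and one per line, the privileges that no process in the
# zone can acquire, root included. Empty output means no restriction.
privs_dropped() {
    tmp=$(mktemp -d) || return 1
    sort -u "$1" >"$tmp/all"
    sort -u "$2" >"$tmp/zone"
    # comm -23 keeps lines present only in the first (sorted) file.
    comm -23 "$tmp/all" "$tmp/zone"
    rm -rf "$tmp"
}

# limit_set
#   Reads `ppriv <pid>` output on stdin and prints the L (limit) set.
#   Whatever a process does with setuid or exec, it can never hold a
#   privilege outside L, so this is the ceiling for the whole zone.
limit_set() {
    sed -n 's/^[[:space:]]*L:[[:space:]]*//p'
}

# zone_isolation_report
#   Runs the real Solaris tools; fails cleanly on a host without ppriv.
zone_isolation_report() {
    if ! command -v ppriv >/dev/null 2>&1; then
        echo "ppriv not found; run this inside a Solaris zone" >&2
        return 1
    fi
    echo "zone:               $(zonename)"
    echo "limit set of pid $$: $(ppriv $$ | limit_set)"
    tmp=$(mktemp -d) || return 1
    ppriv -l >"$tmp/all"
    ppriv -l zone >"$tmp/zone"
    echo "privileges unavailable in this zone:"
    privs_dropped "$tmp/all" "$tmp/zone" | sed 's/^/  /'
    rm -rf "$tmp"
}

# Only run the report when asked, so the helpers can be sourced elsewhere.
case "${1:-}" in
    report) zone_isolation_report ;;
esac
```

Run it once as root in the global zone (expect limit set "all" and an empty list) and once inside wwwzone via zlogin; the second run prints the privileges the kernel withholds from the zone regardless of uid. Those are exactly the privileges the kernel bug used in Chapter 3 has to regain from below, which is why a shared kernel makes the boundary only as strong as the kernel itself.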
[100] See Rob King, “New Leopard Security Features—Part I: ASLR,” DVLabs Tipping Point (blog), November 7, 2007, http://dvlabs.tippingpoint.com/blog/2007/11/07/leopard-aslr.
[101] See Tim Burrell, “GS Cookie Protection—Effectiveness and Limitations,” Microsoft TechNet Blogs: Security Research & Defense (blog), March 16, 2009, http://blogs.technet.com/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations.aspx; “Enhanced GS in Visual Studio 2010,” Microsoft TechNet Blogs: Security Research & Defense (blog), March 20, 2009, http://blogs.technet.com/srd/archive/2009/03/20/enhanced-gs-in-visual-studio-2010.aspx; IBM Research, “GCC Extension for Protecting Applications from Stack-Smashing Attacks,” last updated August 22, 2005, http://researchweb.watson.ibm.com/trl/projects/security/ssp/.
[103] See the home page of the PaX team at http://pax.grsecurity.net/ as well as the grsecurity website at http://www.grsecurity.net/.
[104] See Robert Hensing, “Understanding DEP as a Mitigation Technology Part 1,” Microsoft TechNet Blogs: Security Research & Defense (blog), June 12, 2009, http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.
[106] For more information, see the Secunia study by Alin Rad Pop, “DEP/ASLR Implementation Progress in Popular Third-party Windows Applications,” 2010, http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf.
[107] To download BinScope Binary Analyzer, visit http://go.microsoft.com/?linkid=9678113.
[109] See TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, version 1.2, 1995, http://refspecs.freestandards.org/elf/elf.pdf.
[110] See note 9 above.
[111] See Chris Rohlf, “Self Protecting Global Offset Table (GOT),” draft version 1.4, August 2008, http://code.google.com/p/em386/downloads/detail?name=Self-Protecting-GOT.html.
[112] See “Introduction to Solaris Zones: Features Provided by Non-Global Zones,” System Administration Guide: Oracle Solaris Containers—Resource Management and Oracle Solaris Zones, 2010, http://download.oracle.com/docs/cd/E19455-01/817-1592/zones.intro-9/index.html.
[113] See “Solaris Zones Administration (Overview): Privileges in a Non-Global Zone,” System Administration Guide: Virtualization Using the Solaris Operating System, 2010, http://download.oracle.com/docs/cd/E19082-01/819-2450/z.admin.ov-18/index.html.