kern/129499: IPv6 sockets break jail

Thorsten Schroeder ths-fbsdpr at
Mon Dec 8 06:00:08 PST 2008

>Number:         129499
>Category:       kern
>Synopsis:       IPv6 sockets break jail
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 08 14:00:07 UTC 2008
>Originator:     Thorsten Schroeder
>Release:        RELENG_7
FreeBSD 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #2: Mon Dec  8 10:50:17 CET 2008     root at  i386
A listening udp6 or tcp6 network socket, opened from within a jail
environment also binds to * on the host environment. This happens even
if no inet6 address is assigned to a real network interface. The loopback lo0
network interface has an inet6 address assigned by default, so the behaviour
can be easily reproduced by connecting to the localhost using an ipv6 client
on the host environment.

To reproduce this issue, just enable the sshd using default configuration
within the jail environment.  The sshd will also bind to tcp6/*.22 on the
host environment (if no other service is bound to tcp6/*.22 or the service on
host environment is restarted afterwards).

sockstat on the host system:
root     sshd       45219 4  tcp6   *:22                  *:*

jail #2 process on the host system:
# pgrep -lfj 2
45219 /usr/sbin/sshd

connecting to localhost from the host environment using ssh will end up being
connected to the jail, not to the host environment:

OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to [] port 22.
debug1: connect to address port 22: Connection refused
debug1: Connecting to [::1] port 22.
debug1: Connection established.
-> connected and authenticated in jail environment.

The same for syslogd without syslogd_flags="-4" (default)


An attacker or malicious jail user is able to hijack inet6 services of
the host environment. Network clients such as netcat or ssh are ipv6-capable
and try to connect using ipv6 first or as fallback, if the ipv4 service is not
available. If an ipv6 capable network service is started from within the jail
_before_ the same socket is opened for listening on the host environment, a
network client will connect to the inet6 network socket of the jail
environment, even if the ipv6 address/hostname of the host environment is used.

Reproduce this issue by using netcat:

In the jail environment:
# echo AAAA | nc -v -6 -l 6666

 -- / --

In the host environment:
# sockstat | grep 6666
root     nc         45327 3  tcp6   *:6666                *:*
# nc -v -6 localhost 6666
Connection to localhost 6666 port [tcp/*] succeeded!
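The report's own diagnostic is `sockstat` on the host plus `pgrep -j <jid>` to see which listeners belong to a jail. The following script, an added example that is not part of the PR and not FreeBSD code, automates that check from a defender's side: it parses `sockstat`-style output and a jail-id-to-PID mapping and flags every `tcp6`/`udp6` listener bound to the wildcard address (`*:port`) whose PID lives in a jail. The sockstat text and the jail/PID mapping are constructed for the example; on a real host you would feed it the output of `sockstat -46l` and of `pgrep -j <jid>` for each jail in `jls`.

```python
"""Flag IPv6 wildcard listeners (tcp6/udp6 on *:port) owned by jailed processes.

Added example for the PR above; the input below is constructed to mimic the
column layout that `sockstat` prints and what `pgrep -j <jid>` would list.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "user cmd pid fd proto local foreign")

# Constructed sockstat output: two jailed sshd/nc listeners from the report,
# a jailed syslogd on udp6, and one sshd (pid 980) that belongs to the host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       45219 4  tcp6   *:22                  *:*
root     sshd       45219 3  tcp4   10.0.0.2:22           *:*
root     nc         45327 3  tcp6   *:6666                *:*
root     syslogd    1201  5  udp6   *:514                 *:*
root     sshd       980   4  tcp6   *:22                  *:*
"""

# Constructed mapping jail id -> PIDs, as `pgrep -j <jid>` would report it.
SAMPLE_JAIL_PIDS = {2: {45219, 45327}, 3: {1201}}


def parse_sockstat(text):
    """Parse sockstat output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or truncated line
        user, cmd, pid, fd, proto, local, foreign = parts[:7]
        listeners.append(Listener(user, cmd, int(pid), int(fd), proto, local, foreign))
    return listeners


def find_jailed_wildcard_v6(listeners, jail_pids):
    """Return (jid, pid, cmd, proto, local) for every IPv6 wildcard listener
    whose PID belongs to a jail. On the affected kernel such a socket is also
    reachable on the host's inet6 addresses, which is the condition the PR
    describes."""
    pid_to_jid = {pid: jid for jid, pids in jail_pids.items() for pid in pids}
    findings = []
    for l in listeners:
        in_jail = l.pid in pid_to_jid
        v6_wildcard = l.proto in ("tcp6", "udp6") and l.local.startswith("*:")
        if in_jail and v6_wildcard:
            findings.append((pid_to_jid[l.pid], l.pid, l.cmd, l.proto, l.local))
    return sorted(findings)


def report(text=SAMPLE_SOCKSTAT, jail_pids=SAMPLE_JAIL_PIDS):
    """Human-readable summary of the findings."""
    findings = find_jailed_wildcard_v6(parse_sockstat(text), jail_pids)
    lines = [f"jail {jid}: pid {pid} ({cmd}) listening on {proto} {local}"
             for jid, pid, cmd, proto, local in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The host's own sshd (pid 980, not in any jail) is deliberately left out of the findings: the point of the check is to surface jailed services that, on this kernel, also answer on the host's IPv6 addresses, so that they can be restricted (for example by running them with IPv4-only flags such as the `syslogd_flags="-4"` the report mentions) until the kernel fix is applied.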