Vulnerability Development mailing list archives
Re: OT? Are chroots immune to buffer overflows?
From: SpaceWalker <spacewalker () altern org>
Date: Wed, 22 May 2002 13:02:56 +0200
Hi, your question is interresting, I've a good response for you I'm speeking on the linux kernel, on a X86 box, but could be usable in most archs. The chroot limitations breaks you only the accesses to the local filesystem. In most cases, you don't have an access to /proc ,/dev/*, nor to /bin/sh. But If you are able to run code as root, a few syscalls are still available to you : inserting modules and ptrace(). Both can be used to own the entire system, I coded two weeks ago a shellcode which uses ptrace to get out of the chroot, tracing his ppid (usualy inetd in the case of a chrooted ftp server), inserting a shellcode and leaving. The case of inserting modules is more complex. You have to do a lkm who breaks the chroot only for your own process, and of course you must insmod it. It used to have a wuftpd exploit who did compile staticaly insmod, compiled a such lkm and uploaded them on the remote ftp. Of course, lkm support have to be enabled. I think I responded to your question .. On Wed, 22 May 2002 15:48:16 +1200 Jason Haar <Jason.Haar () trimble co nz> wrote:
[note: my question is WRT non-root chrooted jails - we all know about chroot'ing root processes!] Most buffer overflows I've seen attempt to infiltrate the system enough to run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist - so they fail. Is it as simple as that? As 99.999% of the system binaries aren't available in the jail, can a buffer overflow ever work? -- Cheers Jason Haar Information Security Manager Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417
Current thread:
- OT? Are chroots immune to buffer overflows? Jason Haar (May 21)
- Re: OT? Are chroots immune to buffer overflows? SpaceWalker (May 22)
- Re: OT? Are chroots immune to buffer overflows? Luciano Miguel Ferreira Rocha (May 23)
- Re: OT? Are chroots immune to buffer overflows? Nelson Sampaio Araujo Junior (May 24)
- Re: OT? Are chroots immune to buffer overflows? aazubel (May 23)
- Re: OT? Are chroots immune to buffer overflows? Luciano Miguel Ferreira Rocha (May 23)
- Re: OT? Are chroots immune to buffer overflows? Valdis . Kletnieks (May 22)
- Re: OT? Are chroots immune to buffer overflows? Kalle Andersson (May 22)
- Re: OT? Are chroots immune to buffer overflows? KF (May 23)
- Re: OT? Are chroots immune to buffer overflows? Edwin Groothuis (May 22)
- Re: OT? Are chroots immune to buffer overflows? Jose Nazario (May 23)
- Re: OT? Are chroots immune to buffer overflows? Kurt Seifried (May 23)
- Re: OT? Are chroots immune to buffer overflows? Berend De Schouwer (May 22)
(Thread continues...)
- Re: OT? Are chroots immune to buffer overflows? SpaceWalker (May 22)