Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: Valdis.Kletnieks () vt edu
Date: Wed, 22 May 2002 09:32:17 -0400

On Wed, 22 May 2002 15:48:16 +1200, Jason Haar <Jason.Haar () trimble co nz>  said:

> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?

Instead of buffer-overflowing to go to some code that basically does an
execve("/bin/sh"),  you buffer-overflow to some code that does this:

        f1 = open("/some/writable/in/jail");
        f2 = /* get a reference to binary code here */
        while (read(f2)) {write(f1)}
        fchmod(f1,0755);
        execve("/some/writeable/in/jail");

Now of course, this is getting a bit bigger, and you'd probably have to do
some bootstrapping - but we've seen even a one-byte overflow leveraged into
a full exploit. ;)

Remember - once you manage to redirect the program counter to code that
you control, you can hang the Game Over sign up, as at that point, you can
do anything the process has the right to do.
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
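A defender-side check for the precondition Valdis's sketch relies on (a location inside the jail that the compromised process can write to and then execute from), added here as an example and not part of the original thread. It walks a chroot tree, lists every directory the jailed uid could write into by mode bits, and reports whether that directory's mount carries `noexec`; the mount table text, the sample jail and the `demo()` helper are constructed for the example.

```python
import os
import stat
import tempfile

def parse_mounts(text):
    """Parse /proc/mounts-style lines into a list of (mountpoint, option set)."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mounts.append((f[1], set(f[3].split(","))))
    return mounts

def mount_options(path, mounts):
    """Options of the longest mountpoint that is a prefix of path."""
    best, opts = "", set()
    for mnt, o in mounts:
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best):
            best, opts = mnt, o
    return opts

def writable_by(st, uid, gids):
    """Mode-bit check: may uid (a member of gids) create files in this directory?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_jail(root, uid, gids, mounts):
    """[(dir, exec_allowed)] for every directory under root the jailed uid can write to."""
    findings = []
    for dirpath, _, _ in os.walk(root):  # symlinks are not followed
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append((dirpath, "noexec" not in mount_options(dirpath, mounts)))
    return sorted(findings)

def demo():
    """Constructed jail: 'upload' is writable but noexec, 'var' is writable and executable."""
    root = tempfile.mkdtemp(prefix="jail-")
    for sub, mode in (("bin", 0o755), ("upload", 0o1777), ("upload/cache", 0o1777), ("var", 0o777)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    mounts = parse_mounts("rootfs / ext4 rw,relatime 0 0\n"            # constructed mount table
                          f"tmpfs {root}/upload tmpfs rw,nosuid,noexec 0 0\n")
    jail_uid = os.getuid() + 1  # any uid that does not own the directories just created
    return [(os.path.relpath(d, root), ok) for d, ok in audit_jail(root, jail_uid, {jail_uid}, mounts)]

if __name__ == "__main__":
    for d, exec_ok in demo():
        print(f"{d}: writable by jailed uid, {'EXECUTABLE' if exec_ok else 'noexec'}")
```

A directory that shows up as writable and executable is exactly what the copy-chmod-execve sketch above needs; mounting such paths `noexec` (or removing write access) takes that option away, although it does not stop other uses of the redirected program counter.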

