Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: sd <sd () cdi cz>
Date: Wed, 22 May 2002 09:36:55 +0200

hi,
On Wed, May 22, 2002 at 03:48:16PM +1200, Jason Haar wrote:
[note: my question is WRT non-root chrooted jails - we all know about
chroot'ing root processes!]

Most buffer overflows I've seen attempt to infiltrate the system enough to
run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
so they fail.

that depends on how much attacker is interested in target system :)
f.e.: one may write shellcode which just transfer static binary
of /bin/sh and execve() it. if your chroot contains some vulnerable
suid binary, it's question of seconds to get root caps and break it.
let the prisoner out ...

[note: i'm talking about linux chroot(), if you meant freebsd's jail(),
 then ignore this, jail() is about something little different]

Is it as simple as that? As 99.999% of the system binaries aren't available
in the jail, can a buffer overflow ever work?

under certain circumstances, it can.

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

-- 
_ __/|
\'X.X'   sd@ircnet
=(___)=  http://sd.g-art.nl
    U
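The reply above names the three things that make a non-root chroot escapable: a setuid binary inside the jail, a place where a static shell can be dropped, and a shell that shellcode could execve(). The following script is an added example (not from sd, Jason Haar, or the list) that audits a jail directory for exactly those conditions from the defender's side. It assumes a POSIX find and wc; the function name audit_jail and the shell names it looks for are the example's own choices.

```shell
#!/bin/sh
# audit_jail DIR
#   Reports, for a chroot jail rooted at DIR:
#     1. setuid/setgid files    (a vulnerable one hands the prisoner root)
#     2. world-writable dirs    (somewhere a static /bin/sh could be written)
#     3. shells present in jail (what generic shellcode tries to execve)
#   Prints each finding and returns the number of findings (0 = clean,
#   capped at 255 so it fits an exit status).
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 255; }

    # 1. setuid/setgid files (-perm -4000 / -2000 match the bit regardless
    #    of other mode bits)
    suid_list=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)
    # 2. directories writable by everyone (sticky bit or not)
    wdir_list=$(find "$jail" -type d -perm -0002 -print 2>/dev/null)
    # 3. shell binaries; the names are the example's own list, extend as needed
    shell_list=$(find "$jail" -type f \
        \( -name sh -o -name bash -o -name dash -o -name ksh -o -name ash \) \
        -print 2>/dev/null)

    total=0
    for kind in suid wdir shell; do
        case $kind in
            suid)  list=$suid_list;  label="setuid/setgid file" ;;
            wdir)  list=$wdir_list;  label="world-writable dir" ;;
            shell) list=$shell_list; label="shell binary" ;;
        esac
        [ -n "$list" ] || continue
        # one finding per line of find output
        n=$(printf '%s\n' "$list" | wc -l)
        total=$((total + n))
        printf '%s\n' "$list" | while read -r path; do
            echo "$label: $path"
        done
    done

    [ "$total" -gt 255 ] && total=255
    return "$total"
}

# Usage: audit_jail /srv/jail; echo "findings: $?"
```

A return value of 0 is the bar the reply sets: no setuid binaries, nowhere to write a static shell, and no shell to exec. Anything else is a jail that a buffer overflow can, under the right circumstances, still walk out of.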
