Re: OT? Are chroots immune to buffer overflows?

[Dave Ahmad <da () securityfocus com>]

Not really.  Shellcode may perform any userland operations as the process
under their control.  If '/bin/sh' doesn't exist, shellcode could
be written to do whatever 'sh' can, provided that there is enough room
for the required instructions.

A couple of ideas:

The attacker may write 'mini shell' shellcode, facilitating limited
interaction with the filesystem and the ability to execute
specific programs.

The attacker could write shellcode that downloads a complete shell from
somewhere else.

As for getting root and breaking out of chroot.. look to the kernel
(i386 LDT bug, ptrace/exec, etc) :)

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Wed, 22 May 2002, Jason Haar wrote:

> [note: my question is WRT non-root chrooted jails - we all know about
> chroot'ing root processes!]
>
> Most buffer overflows I've seen attempt to infiltrate the system enough to
> run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> so they fail.
>
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
>
> --
> Cheers
>
> Jason Haar
>
> Information Security Manager
> Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417