Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: Luciano Miguel Ferreira Rocha <strange () nsk no-ip org>
Date: Wed, 22 May 2002 18:24:05 +0100

On Wed, May 22, 2002 at 01:02:56PM +0200, SpaceWalker wrote:
But if you are able to run code as root, a few syscalls are still available to you:
inserting modules and ptrace().

If you're able to run code as root, all you need, in most Un*x systems,
is:
mkdir("blah");
chroot("blah");
chdir("../../../../../../");
chroot(".");
execl("/bin/bash", "bash", NULL);

On other Un*x systems, like some BSDs, an implicit chdir(".") is always
made after a chroot, so this doesn't work, but you can still do mknod(2),
mount(2), etc.

The point is if the chrooted program runs as root, almost anything can be
done.

If it doesn't, an attacker can only play with inherited file descriptors,
kill(2) and ptrace(2) to processes belonging to the same user, and
meddle with the accessible filesystem for private records or to aid in
an intrusion.

Regards

-- 
Luciano Rocha, strange () nsk yi org
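An added example, not part of the thread above: the defensive side of Luciano's point. A chrooted process that keeps root can leave the jail with the chroot()/chdir() sequence he quotes, or with mknod(2)/mount(2); a chrooted process that has dropped root cannot, because chroot(2) and friends are then refused with EPERM. The code below shows the usual ordering for a service entering a jail (chroot, chdir("/"), drop supplementary groups, drop gid, drop uid) and a check that chroot(2) is no longer available afterwards. The jail path "/var/empty" and the uid/gid 65534 ("nobody" on many systems) are assumptions for illustration.

```c
/* Added example (not the mailing-list author's code): enter a chroot jail
 * and drop privileges so the chroot()/chdir() escape and mknod()/mount()
 * are no longer reachable. Jail path and uid/gid below are assumptions. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `dir` as the new root and become uid/gid.
 * Returns 0 on success, -1 with errno set on failure (EPERM when the
 * caller is not root, which is exactly the situation the thread describes
 * as "safe").
 * The ordering matters:
 *   1. chroot() while still privileged;
 *   2. chdir("/") so the working directory is inside the jail (the quoted
 *      escape relies on a cwd that is outside the new root);
 *   3. setgroups() to drop supplementary groups, then setgid(), then
 *      setuid() last, since once the uid is dropped the earlier calls
 *      would fail. */
int harden_chroot(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Sanity check: a plain setuid() away from root leaves no saved uid,
     * so regaining root must fail. If it succeeds, refuse to continue. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the current process can still call chroot(2), 0 otherwise.
 * A correctly hardened process must answer 0: without root, the
 * chroot("blah") / chdir("../../..") escape has nothing to work with. */
int can_still_chroot(void)
{
    return chroot("/") == 0;
}

int main(void)
{
    /* "/var/empty" and 65534 are assumed values; adjust for the system. */
    if (harden_chroot("/var/empty", 65534, 65534) != 0) {
        fprintf(stderr, "harden_chroot: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%d gid=%d can_chroot=%d\n",
           (int)geteuid(), (int)getegid(), can_still_chroot());
    return 0;
}
```

Run as root it prints uid=65534 and can_chroot=0; run unprivileged it fails at the first chroot() with EPERM, which is the same restriction that keeps a non-root jailed attacker limited to inherited descriptors, kill(2)/ptrace(2) on same-user processes and the visible filesystem.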

