Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: KF <dotslash () snosoft com>
Date: Wed, 22 May 2002 01:23:13 -0400

I thought you just did something like the following in your shellcode...

setuid(0)
mkdir("blah")
chroot("blah")
chroot("../../../../../../../../../../../../")
execve("/bin/sh",0,0)

-KF

Kalle Andersson wrote:

Of course buffer overflows can be done with success, but it will be
much more difficult.

Remember, if you are root inside a chroot-jail you are root on the
machine. You can probably somehow trick the server into downloading
the necessary code and files to remount the filesystems into the
chroot-environment or make connections to other trusted servers, etc.

FreeBSD Jails are somewhat more secure, you might want to look into
that.


Jason Haar wrote:

[note: my question is WRT non-root chrooted jails - we all know about
chroot'ing root processes!]

Most buffer overflows I've seen attempt to infiltrate the system enough to
run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
so they fail.

Is it as simple as that? As 99.999% of the system binaries aren't available
in the jail, can a buffer overflow ever work?

--
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417


--
Best Regards
Kalle Andersson
Technical Manager / EuroTrust Sweden AB
kan () virus112 com
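
Added example, not part of the original thread: the sequence quoted in the message begins with setuid(0) and chroot(), both of which need root, so a jail that gives up root right after its own chroot() makes them fail. The helper names, /tmp and uid/gid 65534 are assumptions chosen for illustration; a real jail directory would be a root-owned, non-writable one.

```c
#define _DEFAULT_SOURCE            /* chroot(), setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: confine the process to `dir` and drop root for good.
 * Returns 0 only when every step succeeded; on -1 the caller must exit. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;            /* never jail as root */
    if (chdir(dir) != 0 || chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;                 /* cwd inside new root */
    if (setgroups(0, NULL) != 0) return -1;         /* drop extra groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1; /* gid before uid */
    return 0;
}

/* 1 if the first calls of the quoted sequence would still succeed. */
int still_privileged(void)
{
    return setuid(0) == 0 || seteuid(0) == 0 || chroot(".") == 0;
}

/* Run the check in a child so the caller is untouched.
 * 0 = jailed and confined, 1 = jailed but still privileged,
 * 2 = jail not entered (not root, or refused), -1 = fork/wait failure. */
int jail_status(const char *dir, uid_t uid, gid_t gid)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (enter_jail(dir, uid, gid) != 0) _exit(2);
        _exit(still_privileged() ? 1 : 0);
    }
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    /* /tmp and 65534 ("nobody" on many systems) are sample values. */
    printf("jail_status = %d\n", jail_status("/tmp", 65534, 65534));
    return 0;
}
```

Run as root, the program should report 0; run as an ordinary user it reports 2, because chroot() itself is refused.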





