Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: Jan Werner <xian () mat uni torun pl>
Date: Thu, 23 May 2002 19:36:12 +0200 (CEST)

On Wed, 22 May 2002, L. Walker wrote:

> [note: my question is WRT non-root chrooted jails - we all know about
> chroot'ing root processes!]
>
> Most buffer overflows I've seen attempt to infiltrate the system enough to
> run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> so they fail.
>
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
>
> I've heard of shellcode that supposedly jumps out of the chroot jail, but
> it's probably been fixed now (whatever bug in chroot the shellcode
> exploited).  The buffer overflow would work (it'd overflow the buffer yes)
> but as to whether you'd get a shell, probably not...  Unless someone
> dropped a bash shell in there :)

There are ways to break out of a chroot'ed environment:
1. If the chroot'ed program does not chdir("/"), then there's a way to escape
from the jail (see Taeho Oh's Advanced Buffer Overflow Exploits,
http://online.securityfocus.com/library/1568).
2. If the system does not provide any limitations for the jail, you can trace
programs outside of the jail, send them signals, use raw devices, etc.
Some limitations for Linux (I remind you that this OS appeared in the thread) can
be implemented, for example, with the grsecurity kernel patch
(http://grsecurity.net/features.html)
or the capsel Linux kernel security module
(http://cliph.linux.pl).

greetings 
xian
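As an added example, not code from the thread or from any of the projects mentioned: the jail-entry sequence point 1 of the reply refers to, written in C for Linux/POSIX, with the chdir("/") step that a bare chroot() omits, followed by a privilege drop and a check that uid 0 cannot be regained. The function name enter_jail, the default path /var/empty and the uid/gid 65534 are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example, not code from the thread. Enter the jail directory `jail`
 * and drop to a non-root uid/gid. Returns 0 on success, -1 with errno set on
 * any failure; nothing is done half-way, because a chroot() that is not
 * followed by chdir("/") is exactly the escape route described in point 1. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* Require an absolute jail path and a non-root target identity. */
    if (jail == NULL || jail[0] != '/' || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(jail) != 0)          /* needs CAP_SYS_CHROOT (root) */
        return -1;
    /* The step the reply says is often missing: after chroot() the current
     * working directory still refers to the old tree until we chdir("/"). */
    if (chdir("/") != 0)
        return -1;
    /* Drop privileges in the only safe order: groups, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining uid 0 must now fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: an empty directory and the conventional "nobody" ids. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty";
    char cwd[256];

    if (enter_jail(jail, 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed: cwd=%s uid=%u\n",
           getcwd(cwd, sizeof cwd) ? cwd : "?", (unsigned)getuid());
    return 0;
}
```

Run as root with the path of an empty directory; as an unprivileged user it stops at chroot() with EPERM, which is the expected result.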
