Vulnerability Development mailing list archives
Re: OT? Are chroots immune to buffer overflows?
From: aazubel <core.lists.exploit-dev () core-sdi com>
Date: Wed, 22 May 2002 16:01:50 -0300
----- Original Message -----
From: SpaceWalker <core.lists.exploit-dev () core-sdi com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, May 22, 2002 8:02 AM
Subject: Re: OT? Are chroots immune to buffer overflows?

Hi, your question is interesting, I have a good response for you.
I'm speaking of the Linux kernel, on an x86 box, but it could be usable on most archs.
The chroot limitations only block your access to the local filesystem. In most cases, you don't have access to /proc, /dev/*, nor to /bin/sh.
But if you are able to run code as root, a few syscalls are still available to you:
inserting modules and ptrace(). Both can be used to own the entire system. I coded two weeks ago a shellcode which uses ptrace to get out of the chroot, tracing its ppid (usually inetd in the case of a chrooted ftp server), inserting a shellcode and leaving.

or .. do man 2 chroot under linux and read:
NAME
chroot - change root directory
(...)
DESCRIPTION
(...)
Only the super-user may change the root directory.
Note that this call does not change the current working
directory, so that `.' can be outside the tree rooted at
`/'. In particular, the super-user can escape from a
`chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
aazubel () corest com
--- for a personal reply use: "aazubel" <aazubel () corest com>
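
The man page note quoted in this message is the reason a jail has to move its working directory inside the new root and give up root before any untrusted code runs. The following is an added example, not code from the original post: `enter_jail`, `cwd_inside_root`, the path `/var/empty` and uid/gid 65534 are hypothetical names and constructed sample values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if the working directory resolves inside the current root.
 * When the cwd lies outside the process root, Linux getcwd(3) either
 * fails or yields a path prefixed "(unreachable)", never one with '/'. */
int cwd_inside_root(void)
{
    char buf[PATH_MAX];
    if (getcwd(buf, sizeof buf) == NULL)
        return 0;
    return buf[0] == '/';
}

/* Hypothetical helper: confine the calling process to jail_dir and give
 * up root. Returns 0 on success, -1 on any failure. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {       /* staying root defeats the jail */
        errno = EINVAL;
        return -1;
    }
    /* Move the cwd into the tree first, then make it the root. */
    if (chdir(jail_dir) != 0 || chroot(".") != 0)
        return -1;
    if (chdir("/") != 0 || !cwd_inside_root())
        return -1;
    if (setgroups(0, NULL) != 0)      /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {             /* root must not be regainable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values: /var/empty, uid/gid 65534. */
    int rc = enter_jail("/var/empty", 65534, 65534);
    puts(rc == 0 ? "confined and unprivileged" : "enter_jail failed");
    return rc == 0 ? 0 : 1;
}
```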
