Re: OT? Are chroots immune to buffer overflows?

From: Dave Ahmad (da@securityfocus.com)
Date: 05/22/02


Date: Wed, 22 May 2002 10:16:54 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: Jason Haar <Jason.Haar@trimble.co.nz>


Not really. Shellcode may perform any userland operations as the process
under their control. If '/bin/sh' doesn't exist, shellcode could
be written to do whatever 'sh' can, provided that there is enough room
for the required instructions.

A couple of ideas:

The attacker may write 'mini shell' shellcode, facilitating limited
interaction with the filesystem and the ability to execute
specific programs.

The attacker could write shellcode that downloads a complete shell from
somewhere else.

As for getting root and breaking out of chroot.. look to the kernel
(i386 LDT bug, ptrace/exec, etc) :)

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Wed, 22 May 2002, Jason Haar wrote:

> [note: my question is WRT non-root chrooted jails - we all know about
> chroot'ing root processes!]
>
> Most buffer overflows I've seen attempt to infiltrate the system enough to
> run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> so they fail.
>
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
>
> --
> Cheers
>
> Jason Haar
>
> Information Security Manager
> Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>

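The "mini shell" idea above is easy to underestimate, so here is an added example (not code from Dave Ahmad, SecurityFocus or the original thread) showing what injected code can do with nothing but raw Linux system calls. It is written in C rather than as actual shellcode so the logic is readable; an attacker would emit the same sequence of syscalls as position-independent machine code. It assumes Linux (`syscall(2)` with the `SYS_openat`, `SYS_getdents64`, `SYS_read`, `SYS_write` and `SYS_close` numbers) and builds its own scratch directory under `/tmp` with a constructed `config.txt` payload to stand in for the jail. No `/bin/sh` or any other binary in the jail is needed: the three primitives create a file, list a directory and read a file back, which is exactly the "limited interaction with the filesystem" the reply describes.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64 (Linux UAPI); declared here so the
 * code depends on no libc directory helpers, only on the raw syscall. */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* "echo data > path": create/truncate a file and write to it, syscalls only. */
static long mini_write(const char *path, const char *data, size_t len) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path,
                          O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    long n = syscall(SYS_write, fd, data, len);
    syscall(SYS_close, fd);
    return n;
}

/* "ls path": walk a directory with getdents64, append one name per line to
 * out, and return the number of entries (excluding . and ..), or -1. */
static int mini_ls(const char *path, char *out, size_t cap) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY, 0);
    if (fd < 0) return -1;
    uint64_t raw[512];               /* 8-byte aligned scratch buffer */
    char *buf = (char *)raw;
    int count = 0;
    size_t used = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof raw);
        if (n <= 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0) {
                size_t len = strlen(d->d_name);
                if (used + len + 1 < cap) {
                    memcpy(out + used, d->d_name, len);
                    out[used + len] = '\n';
                    used += len + 1;
                }
                count++;
            }
            off += d->d_reclen;
        }
    }
    if (used < cap) out[used] = '\0';
    syscall(SYS_close, fd);
    return count;
}

/* "cat path": read a file into out (NUL-terminated), return bytes read or -1. */
static long mini_cat(const char *path, char *out, size_t cap) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
    if (fd < 0) return -1;
    long total = 0;
    while ((size_t)total < cap - 1) {
        long n = syscall(SYS_read, fd, out + total, cap - 1 - (size_t)total);
        if (n <= 0) break;
        total += n;
    }
    out[total] = '\0';
    syscall(SYS_close, fd);
    return total;
}

/* Demo: a constructed scratch "jail" under /tmp (libc mkdtemp is used only for
 * setup). Exercises write -> ls -> cat without ever calling exec().
 * Returns 0 on success, a negative step number on the first failure. */
int demo_no_shell_needed(void) {
    char dir[] = "/tmp/jailXXXXXX";        /* hypothetical jail root */
    if (mkdtemp(dir) == NULL) return -1;
    char secret[128];
    snprintf(secret, sizeof secret, "%s/config.txt", dir);
    const char *payload = "db_password=hunter2\n";   /* constructed sample */
    if (mini_write(secret, payload, strlen(payload)) != (long)strlen(payload)) return -2;

    char listing[256];
    if (mini_ls(dir, listing, sizeof listing) != 1) return -3;
    if (strcmp(listing, "config.txt\n") != 0) return -4;

    char contents[128];
    if (mini_cat(secret, contents, sizeof contents) != (long)strlen(payload)) return -5;
    if (strcmp(contents, payload) != 0) return -6;

    unlink(secret);
    rmdir(dir);
    return 0;
}

int main(void) {
    int rc = demo_no_shell_needed();
    printf("mini-shell primitives %s (rc=%d)\n", rc == 0 ? "worked" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The practical lesson for the jail builder: removing binaries raises the bar only for off-the-shelf `execve("/bin/sh")` payloads. Whatever files the chrooted process can open, code running in it can read, write or exfiltrate with a handful of syscalls, so the jail's contents and the process's file permissions matter more than the absence of a shell, and (as the reply notes) the kernel attack surface still sits underneath all of it.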