Re: OT? Are chroots immune to buffer overflows?

From: jove@gaza.halo.nu
Date: 05/22/02

• Previous message: Adam Lydick: "Re: OT? Are chroots immune to buffer overflows?"
• In reply to: Andreas Ferber: "Re: OT? Are chroots immune to buffer overflows?"
• Next in thread: Stuart Adamson: "RE: OT? Are chroots immune to buffer overflows?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 22 May 2002 09:21:15 -0500 (CDT)
From: <jove@gaza.halo.nu>
To: Andreas Ferber <aferber@techfak.uni-bielefeld.de>

There has also been shellcode which will listen on a port, and accept data
which it will then execute as shell code thus nullifying the need to have
more buffer space then what is neccessary to execve /bin/sh.

Cheers,
-Jove

On Wed, 22 May 2002, Andreas Ferber wrote:

> On Wed, May 22, 2002 at 03:48:16PM +1200, Jason Haar wrote:
> >
> > Most buffer overflows I've seen attempt to infiltrate the system enough to
> > run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> > so they fail.
> >
> > Is it as simple as that? As 99.999% of the system binaries aren't available
> > in the jail, can a buffer overflow ever work?
>
> The buffer overflow still works as expected (the bug is in the daemon,
> not in /bin/sh), though the shellcode used in most precooked exploits
> doesn't work. If the buffer is large enough so that the attacker can
> place more code than just an exec("/bin/sh") into it, he can still do
> all nasty things inside the bounds of the jail (e.g. uploading his own
> shell and executing that one ;-)
>
> Andreas
> --
> Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
> ---------------------------------------------------------
> +49 521 1365800 - af@devcon.net - www.devcon.net
>

---

• Previous message: Adam Lydick: "Re: OT? Are chroots immune to buffer overflows?"
• In reply to: Andreas Ferber: "Re: OT? Are chroots immune to buffer overflows?"
• Next in thread: Stuart Adamson: "RE: OT? Are chroots immune to buffer overflows?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages [NEWS] Multiple Vulnerabilities in Oracle Database Server (40 Issues) ... Multiple buffer overflow and denial of service vulnerabilities exist ... DBMS_REPCAT_INSTANTIATE package ... To reproduce the overflow, execute the next PL/SQL: ... Oracle database user can exploit this vulnerability. ... (Securiteam) Switch Off Multiple Vulnerabilities ... Stack-based Buffer Overflow ... execute arbitrary code on the remote system - possibly with SYSTEM ... cause the server to execute a specially crafted request which will trigger ... vulnerability before such code is made public, ... (Bugtraq) [VulnWatch] Switch Off Multiple Vulnerabilities ... Stack-based Buffer Overflow ... execute arbitrary code on the remote system - possibly with SYSTEM ... cause the server to execute a specially crafted request which will trigger ... vulnerability before such code is made public, ... (VulnWatch) Re: SEPKILL /im SMC.EXE /f ... ::Save the following as a batch file and execute it. ... As I have said at bugtrax as well, I am not sure if the buffer overflow has happened or averted but its all very interesting. ... can't reproduce on my test systems or requires administrator privileges ... (Bugtraq) Re: [2.7 "thoughts"] V0.3 ... binary was executed (even through a buffer overflow), ... >> execute backdoor binaries because they would not be signed with a trusted ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > vuln-dev  > 2002-05