Re: OT? Are chroots immune to buffer overflows?

From: KF (dotslash@snosoft.com)
Date: 05/22/02


Date: Wed, 22 May 2002 01:23:13 -0400
From: KF <dotslash@snosoft.com>
To: Kalle Andersson <kan@virus112.com>

I thought you just did something like the following in your shellcode...

setuid(0)
mkdir("blah")
chroot("blah")
chroot("../../../../../../../../../../../../")
execve("/bin/sh",0,0)

-KF

Kalle Andersson wrote:

>Of course buffer overflows can be done with success, but it will be
>much more difficult.
>
>Remember, if you are root inside a chroot-jail you are root on the
>machine. You can probably somehow trick the server into downloading
>necessary code and files to remount the filesystems into the
>chroot-environment or make connections to other trusted servers etc
>etc....
>
>FreeBSD Jails are somewhat more secure, you might want to look into
>that.
>
>
>Jason Haar wrote:
>
>>[note: my question is WRT non-root chrooted jails - we all know about
>>chroot'ing root processes!]
>>
>>Most buffer overflows I've seen attempt to infiltrate the system enough to
>>run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
>>so they fail.
>>
>>Is it as simple as that? As 99.999% of the system binaries aren't available
>>in the jail, can a buffer overflow ever work?
>>
>>--
>>Cheers
>>
>>Jason Haar
>>
>>Information Security Manager
>>Trimble Navigation Ltd.
>>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>>
>
>--
>Best Regards
>Kalle Andersson
>Technical Manager / EuroTrust Sweden AB
>kan@virus112.com
>
>
