Re: OT? Are chroots immune to buffer overflows?
From: KF (dotslash@snosoft.com)
Date: 05/22/02
- Previous message: jove@gaza.halo.nu: "Re: OT? Are chroots immune to buffer overflows?"
- In reply to: Kalle Andersson: "Re: OT? Are chroots immune to buffer overflows?"
- Next in thread: Edwin Groothuis: "Re: OT? Are chroots immune to buffer overflows?"
Date: Wed, 22 May 2002 01:23:13 -0400
From: KF <dotslash@snosoft.com>
To: Kalle Andersson <kan@virus112.com>
I thought you just did something like the following in your shellcode...
setuid(0)
mkdir("blah")
chroot("blah")
chroot("../../../../../../../../../../../../")
execve("/bin/sh",0,0)
-KF
Kalle Andersson wrote:
>Of course buffer overflows can be done with success, but it will be
>much more difficult.
>
>Remember, if you are root inside a chroot-jail you are root on the
>machine. You can probably someway trick the server into downloading
>necessary code and files to remount the filesystems into the
>chroot-environment or make connections to other trusted servers etc
>etc....
>
>FreeBSD Jails are somewhat more secure, you might want to look into
>that.
>
>
>Jason Haar wrote:
>
>>[note: my question is WRT non-root chrooted jails - we all know about
>>chroot'ing root processes!]
>>
>>Most buffer overflows I've seen attempt to infiltrate the system enough to
>>run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
>>so they fail.
>>
>>Is it as simple as that? As 99.999% of the system binaries aren't available
>>in the jail, can a buffer overflow ever work?
>>
>>--
>>Cheers
>>
>>Jason Haar
>>
>>Information Security Manager
>>Trimble Navigation Ltd.
>>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>>
>
>--
>Best Regards
>Kalle Andersson
>Technical Manager / EuroTrust Sweden AB
>kan@virus112.com
>
>
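The sequence KF sketches only works for a process that is, or can become, root inside the jail, and it relies on a working directory left outside the new root. As an added example, not part of the original thread: a C helper a daemon could call to enter a chroot and give up root irrevocably, so that those calls fail afterwards. The name enter_jail and the id 65534 are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (name is ours): confine the calling process to
 * `dir` and permanently give up root. Returns 0 on success, -1 on any
 * failure; the caller must exit on -1, never continue half-confined. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;          /* a root process in a chroot is not confined */

    /* chroot() does not move the working directory, so enter the
     * directory first and reset to the new "/" afterwards. A cwd left
     * outside the new root is what a relative "../.." walk relies on. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;

    /* Order matters: supplementary groups and gid must go while we
     * still have the privilege to change them; uid goes last. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the drop is irreversible: regaining uid 0 or calling
     * chroot() again must both fail now. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    if (chroot("/") == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage (as root): ./jail <empty-directory>. 65534 is a constructed
     * sample id for an unprivileged account; adjust per system. */
    if (argc != 2 || enter_jail(argv[1], 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```

Directory file descriptors opened before the call stay usable afterwards, so close them first.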