Re: OT? Are chroots immune to buffer overflows?

From: Valdis.Kletnieksat_private
Date: Wed May 22 2002 - 06:32:17 PDT


On Wed, 22 May 2002 15:48:16 +1200, Jason Haar <Jason.Haarat_private> said:

> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
    
Instead of buffer-overflowing to go to some code that basically does an
execve("/bin/sh"), you buffer-overflow to some code that does this:

    f1 = open("/some/writable/in/jail");
    f2 = /* get a reference to binary code here */
    while (read(f2)) { write(f1) }
    fchmod(f1, 0755);
    execve("/some/writable/in/jail");
    
Now of course, this is getting a bit bigger, and you'd probably have to do
some bootstrapping - but we've seen even a one-byte overflow leveraged into
a full exploit. ;)

Remember - once you manage to redirect the program counter to code that
you control, you can hang the Game Over sign up, as at that point, you can
do anything the process has the right to do.
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
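A defensive check that follows from this reply, added here as an example and not part of the post: the copy-then-execve trick needs a directory inside the jail that the jailed uid can write to and that sits on a mount without noexec. The script below (constructed; names such as audit_jail are assumptions, not an existing tool) walks a jail and lists exactly those directories.

```python
import os
import stat
import sys

def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            # /proc/mounts encodes spaces in paths as \040
            mounts[parts[1].replace("\\040", " ")] = set(parts[3].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match: the mountpoint that backs path."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def writable_by(st, uid, gids):
    """Unix-style check: can a process with uid/gids create entries in this directory?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_jail(root, uid, gids, mounts_text):
    """Directories under root that the jailed uid can write to AND whose
    backing mount lacks noexec, i.e. where a dropped binary could be executed."""
    mounts = parse_mounts(mounts_text)
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        if not writable_by(os.lstat(dirpath), uid, gids):
            continue
        if "noexec" not in mounts.get(mount_for(dirpath, mounts), set()):
            findings.append(dirpath)
    return sorted(findings)

if __name__ == "__main__":
    # usage: audit_jail.py /path/to/jail JAIL_UID   (reads the live /proc/mounts)
    jail_root, jail_uid = sys.argv[1], int(sys.argv[2])
    with open("/proc/mounts") as fh:
        for d in audit_jail(jail_root, jail_uid, set(), fh.read()):
            print("writable and executable:", d)
```

Mounting every writable jail directory noexec removes the easy path only; the closing point of the reply still holds, since code already in the overflowed process runs regardless.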
    
    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 10:15:05 PDT