On Wed, 22 May 2002 15:48:16 +1200, Jason Haar <Jason.Haarat_private> said:
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?

Instead of buffer-overflowing to go to some code that basically does an
execve("/bin/sh"), you buffer-overflow to some code that does this:

    f1 = open("/some/writable/in/jail");
    f2 = /* get a reference to binary code here */
    while (read(f2)) {write(f1)}
    fchmod(f1,0755);
    execve("/some/writable/in/jail");

Now of course, this is getting a bit bigger, and you'd probably have to do
some bootstrapping - but we've seen even a one-byte overflow leveraged into a
full exploit. ;)

Remember - once you manage to redirect the program counter to code that you
control, you can hang the Game Over sign up, as at that point, you can do
anything the process has the right to do.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
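The precondition the reply relies on is a location inside the jail that the jailed uid can both write to and execute from. The audit below, added here as an illustration and not part of the original thread, walks a jail tree and reports directories the service uid can write in that are not on a noexec mount; the jail layout, the uid 4242 and the /proc/mounts-style table are constructed for the demo.

```python
"""Audit a chroot jail for directories a given uid could write to and
execute from (the combination a write-then-execve chain needs)."""
import os
import stat
import tempfile


def parse_mounts(mounts_text):
    """Return {mountpoint: set(options)} from /proc/mounts-style lines."""
    table = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            table[parts[1]] = set(parts[3].split(","))
    return table


def mount_opts_for(path, table):
    """Options of the longest mountpoint that is a prefix of path."""
    covering = [mp for mp in table
                if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return table.get(max(covering, key=len), set()) if covering else set()


def writable_by(st, uid, gid):
    """Does uid/gid hold a write bit on this inode (owner, group or other)?"""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_jail(root, uid, gid, mounts_text):
    """Sorted directories under root that uid can write in and that are
    not mounted noexec, i.e. places a dropped binary could be run from."""
    table = parse_mounts(mounts_text)
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        if not writable_by(os.lstat(dirpath), uid, gid):
            continue
        if "noexec" in mount_opts_for(dirpath, table):
            continue
        findings.append(dirpath)
    return sorted(findings)


def demo():
    """Constructed jail: /tmp is world-writable but noexec, /var/log is
    world-writable on an exec-capable filesystem. Audited as uid/gid 4242."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for d, mode in (("bin", 0o755), ("tmp", 0o1777),
                    ("var", 0o755), ("var/log", 0o733)):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), mode)
    mounts = (f"/dev/sda1 / ext4 rw,relatime 0 0\n"
              f"tmpfs {root}/tmp tmpfs rw,nosuid,noexec 0 0\n")
    return [p[len(root):] for p in audit_jail(root, 4242, 4242, mounts)]
```

Run demo() to see the single finding; on a real host feed audit_jail the jail root, the service account's uid/gid and the contents of /proc/mounts.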
This archive was generated by hypermail 2b30 : Wed May 22 2002 - 10:15:05 PDT