Re: OT? Are chroots immune to buffer overflows?

From: Berend De Schouwer (bdsat_private)
Date: Wed May 22 2002 - 00:03:53 PDT

    On Wed, 2002-05-22 at 05:48, Jason Haar wrote:
    > [note: my question is WRT non-root chrooted jails - we all know about
    > chroot'ing root processes!]
    > 
    > Most buffer overflows I've seen attempt to infiltrate the system enough to
    > run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
    > so they fail.
    
    I've had someone try /usr/X11R6/bin/xterm!  (no, there wasn't an xterm
    either :)
    > 
    > Is it as simple as that? As 99.999% of the system binaries aren't available
    > in the jail, can a buffer overflow ever work?
    
    Yes -- just append a binary /bin/sh to the end of the buffer overflow,
    and run that instead of exec("/bin/sh").  Try with a statically linked
    one first.
    > 
    > -- 
    > Cheers
    > 
    > Jason Haar
    > 
    > Information Security Manager
    > Trimble Navigation Ltd.
    > Phone: +64 3 9635 377 Fax: +64 3 9635 417
    -- 
    Berend De Schouwer
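
An added example, not part of either poster's message: a defender-side audit of a non-root jail directory. It checks the premise in the question (no shell inside the jail) and, since the reply notes that a missing /bin/sh alone does not stop an overflow, also reports set-id files and world-writable directories. The function name `audit_jail`, the interpreter name list and the output tags are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a chroot jail tree from the host side.
# Prints one finding per line as "<TAG> <path inside jail>".
# Returns 0 if nothing was found, 1 if there are findings, 2 on error.

# Rewrite find's "./path" output as "<TAG> /path" ("." becomes "/").
tag() {
    sed -e 's|^\.$|./|' -e "s|^\.|$1 |"
}

audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "audit_jail: $jail is not a directory" >&2; return 2; }

    findings=$(
        cd "$jail" || exit 2
        {
            # Executable shells, interpreters and terminal programs.
            # The name list is an assumption; extend it for your systems.
            find . -type f -perm -0100 \( -name sh -o -name bash -o -name dash \
                -o -name ksh -o -name csh -o -name zsh -o -name busybox \
                -o -name xterm -o -name perl -o -name 'python*' \) | tag INTERPRETER

            # Set-uid / set-gid files: a route from the jail user to root,
            # and a chroot'ed root process is the case the thread sets aside.
            find . -type f \( -perm -4000 -o -perm -2000 \) | tag SETID

            # World-writable directories: places the jailed process can
            # create files of its own.
            find . -type d -perm -0002 | tag WRITABLE_DIR
        } | sort
    ) || return 2

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit_jail.sh /path/to/jail
if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```

A clean report only confirms the jail's contents; it says nothing about code that runs inside the overflowed process itself, which is why the jailed service should also run unprivileged.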
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 10:43:05 PDT