Re: OT? Are chroots immune to buffer overflows?

From: Jan Werner (xianat_private)
Date: Thu May 23 2002 - 10:36:12 PDT


On Wed, 22 May 2002, L. Walker wrote:

> > [note: my question is WRT non-root chrooted jails - we all know about
> > chroot'ing root processes!]
> >
> > Most buffer overflows I've seen attempt to infiltrate the system enough to
> > run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> > so they fail.
> >
> > Is it as simple as that? As 99.999% of the system binaries aren't available
> > in the jail, can a buffer overflow ever work?
> 
> I've heard of shellcode that supposedly jumps out of the chroot jail, but
> it's probably been fixed now (whatever bug in chroot the shellcode
> exploited).  The buffer overflow would work (it'd overflow the buffer yes)
> but as to whether you'd get a shell, probably not...  Unless someone
> dropped a bash shell in there :)
> 
There are ways to break out of a chroot'ed environment:
1. If the chroot'ed program does not chdir("/"), then there's a way to escape
from the jail (see Taeho Oh's "Advanced Buffer Overflow Exploits",
http://online.securityfocus.com/library/1568).
2. If the system does not provide any limitations for the jail, you can trace
programs outside of the jail, send them signals, use raw devices, etc.
Some limitations for Linux (I remind you that this OS appeared in the thread)
can be implemented, for example with the grsecurity kernel patch
http://grsecurity.net/features.html
or the capsel Linux kernel security module
http://cliph.linux.pl

greetings
xian
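As an added example (not code from the thread or from any of its authors), this is the sequence a launcher should follow to put a service into a non-root jail so that point 1 of the reply above does not apply: chdir into the jail, chroot, chdir("/") again, then drop supplementary groups, gid and uid, and confirm that root cannot be regained. The function name `enter_jail`, the jail path `/var/empty` and the uid/gid 65534 are this example's own assumptions.

```c
/* Added example, not from the mailing-list thread. Minimal correct sequence
 * for entering a non-root chroot jail; all names and values are constructed. */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Enter `jail` and drop to uid/gid. Returns 0 on success, -1 (errno set) on
 * failure; a caller that gets -1 must exit rather than run unjailed. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* a root-owned jail is no jail */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) == -1)                 /* cwd inside the jail first ... */
        return -1;
    if (chroot(jail) == -1)                /* ... then move the root there ... */
        return -1;
    if (chdir("/") == -1)                  /* ... and re-anchor cwd under the new
                                              root; omitting this leaves cwd
                                              outside the jail (point 1 above) */
        return -1;
    /* Drop supplementary groups, then gid, then uid. Order matters: once the
     * uid is unprivileged the other two calls are no longer permitted. */
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) != -1 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed path and ids; must be started as root for chroot() to work. */
    if (enter_jail("/var/empty", 65534, 65534) == -1) {
        perror("enter_jail");
        return 1;
    }
    puts("jailed: this process can no longer see the host filesystem");
    return 0;
}
```

Started as an unprivileged user the call fails with EPERM at chroot(), and the program exits; that exit, not the chroot itself, is what keeps a misconfigured launch from running unjailed.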
    



    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 21:09:06 PDT