----- Original Message -----
From: SpaceWalker <core.lists.exploit-dev@core-sdi.com>
To: <vuln-devat_private>
Sent: Wednesday, May 22, 2002 8:02 AM
Subject: Re: OT? Are chroots immune to buffer overflows?

> Hi, your question is interesting, I have a good response for you.
> I'm speaking about the Linux kernel on an x86 box, but it could be usable on most archs.
> The chroot limitations only break your accesses to the local filesystem. In most cases, you don't have access to /proc, /dev/*, nor to /bin/sh.
> But if you are able to run code as root, a few syscalls are still available to you:
> inserting modules and ptrace().
> Both can be used to own the entire system. I coded two weeks ago a shellcode which uses ptrace to get out of the chroot, tracing its ppid (usually inetd in the case of a chrooted ftp server), inserting a shellcode and leaving.

or .. do man 2 chroot under linux and read:

NAME
       chroot - change root directory
(...)
DESCRIPTION
(...)
       Only the super-user may change the root directory. Note that this call does not change the current working directory, so that `.' can be outside the tree rooted at `/'. In particular, the super-user can escape from a `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
                                                                                                                                                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

aazubelat_private
---
for a personal reply use: "aazubel" <aazubelat_private>
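Both escape routes named in this thread (a working directory left outside the new root, which the man page excerpt warns about, and root-only syscalls such as ptrace() and module loading, which SpaceWalker's post relies on) come down to the order in which a service enters its jail. The sequence below is an added example, not code from the original posts or the man page: chdir into the jail, chroot, chdir("/") again, then drop supplementary groups, gid and uid, and verify that root cannot be regained. It assumes a Linux/POSIX host, an existing jail directory and a caller that starts as root; the function and status names (enter_jail, jail_status) are my own.

```c
/* Added example: hardened chroot entry for a Linux/POSIX service.
   Not from the original thread; names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_CHDIR,      /* could not enter the jail directory */
    JAIL_ERR_CHROOT,     /* chroot() failed (EPERM when not root) */
    JAIL_ERR_CWD,        /* cwd not "/" after chroot: the "cd .." hole is open */
    JAIL_ERR_DROP,       /* setgroups/setgid/setuid failed */
    JAIL_ERR_STILL_ROOT  /* privilege drop was reversible */
};

const char *jail_status_str(enum jail_status st)
{
    switch (st) {
    case JAIL_OK:             return "ok";
    case JAIL_ERR_CHDIR:      return "chdir into jail failed";
    case JAIL_ERR_CHROOT:     return "chroot failed";
    case JAIL_ERR_CWD:        return "cwd outside new root";
    case JAIL_ERR_DROP:       return "privilege drop failed";
    case JAIL_ERR_STILL_ROOT: return "root could be regained";
    }
    return "unknown";
}

/* Enter jail_dir and become uid/gid. The order closes the
   "mkdir foo; chroot foo; cd .." escape (cwd is pinned to the new
   root) and removes the root-only syscalls (ptrace on the parent,
   module insertion) that make a root process inside a chroot dangerous. */
enum jail_status enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    char cwd[4096];

    /* 1. chdir first so the cwd is already inside the future root. */
    if (chdir(jail_dir) != 0)
        return JAIL_ERR_CHDIR;

    /* 2. chroot to the directory we are standing in. */
    if (chroot(".") != 0)
        return JAIL_ERR_CHROOT;

    /* 3. chroot() does not move the cwd: chdir("/") and check it. */
    if (chdir("/") != 0)
        return JAIL_ERR_CWD;
    if (getcwd(cwd, sizeof cwd) == NULL || strcmp(cwd, "/") != 0)
        return JAIL_ERR_CWD;

    /* 4. Drop privileges: groups, then gid, then uid (uid last, or the
          gid change would already be refused). */
    if (setgroups(0, NULL) != 0) return JAIL_ERR_DROP;
    if (setgid(gid) != 0)        return JAIL_ERR_DROP;
    if (setuid(uid) != 0)        return JAIL_ERR_DROP;

    /* 5. Prove the drop is permanent: regaining uid 0 must fail. */
    if (uid != 0 && setuid(0) == 0)
        return JAIL_ERR_STILL_ROOT;

    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <jail-dir>\n", argv[0]);
        return 2;
    }
    /* 65534 is the conventional "nobody" uid/gid; use the service's real account. */
    enum jail_status st = enter_jail(argv[1], 65534, 65534);
    printf("enter_jail(%s): %s%s%s\n", argv[1], jail_status_str(st),
           st == JAIL_OK ? "" : " - ", st == JAIL_OK ? "" : strerror(errno));
    return st == JAIL_OK ? 0 : 1;
}
```

Run as root with the jail directory as the argument; as an unprivileged user it stops at JAIL_ERR_CHROOT with EPERM, which is exactly the property the man page describes (only the super-user may change the root directory, and therefore only the super-user can use the mkdir/chroot/cd trick). Step 5 is the cheap check worth keeping in production code: if setuid(0) still succeeds after the drop, the jail is decorative and the ptrace and module-loading paths described in the quoted post remain open.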
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 21:15:05 PDT