Vulnerability Development: Re: OT? Are chroots immune to buffer overflows?

[Berend De Schouwer <bds () jhb ucs co za>]

On Wed, 2002-05-22 at 05:48, Jason Haar wrote:
> [note: my question is WRT non-root chrooted jails - we all know about
> chroot'ing root processes!]
>
> Most buffer overflows I've seen attempt to infiltrate the system enough to
> run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
> so they fail.
I've had someone try /usr/X11R6/bin/xterm!  (no, there wasn't an xterm
either :)
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
Yes -- just append a binary /bin/sh to the end of the buffer overflow,
and run that instead of exec("/bin/sh").  Try with a statically linked
one first.
> -- 
> Cheers
>
> Jason Haar
>
> Information Security Manager
> Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
-- 
Berend De Schouwer