Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?
From: aazubel <core.lists.exploit-dev () core-sdi com>
Date: Wed, 22 May 2002 16:01:50 -0300


----- Original Message -----
From: SpaceWalker <core.lists.exploit-dev () core-sdi com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, May 22, 2002 8:02 AM
Subject: Re: OT? Are chroots immune to buffer overflows?


Hi, your question is interesting, I have a good response for you.
I'm speaking of the Linux kernel on an x86 box, but it could be usable in
most archs.
The chroot limitation only breaks your access to the local
filesystem. In most cases, you don't have access to /proc, /dev/*, nor to
/bin/sh.
But if you are able to run code as root, a few syscalls are still
available to you:
inserting modules and ptrace().
Both can be used to own the entire system. I coded two weeks ago a
shellcode which uses ptrace to get out of the chroot, tracing its ppid
(usually inetd in the case of a chrooted ftp server), inserting a shellcode
and leaving.


or .. do man 2 chroot under Linux and read:

NAME
       chroot - change root directory
(...)
DESCRIPTION
(...)
       Only the super-user may change the root directory.

       Note that this call does not change  the  current  working
       directory,  so  that `.' can be outside the tree rooted at
       `/'.  In particular, the  super-user  can  escape  from  a
       `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

aazubel () corest com


--- for a personal reply use: "aazubel" <aazubel () corest com>
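The man page excerpt above describes the escape; the defender's counterpart is the order in which a daemon must enter its jail so that `.' is never outside `/' and no root remains inside to run `chroot foo; cd ..' (or, as the quoted message notes, to load modules or ptrace its parent). The following is an added example, not code from either poster; the jail directory /tmp and uid/gid 65534 are constructed values for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter DIR as a chroot jail and drop root to UID/GID, in the order that
 * closes the `mkdir foo; chroot foo; cd ..' escape quoted from chroot(2):
 * chdir into the jail first, chroot, then give up root for good.
 * Returns 0 on success; -1 with errno set on failure (the caller must
 * treat any failure as fatal rather than continue half-jailed). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* chroot(2) needs root, and a jail that keeps root is no jail. */
    if (geteuid() != 0) { errno = EPERM; return -1; }
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }

    /* cwd must be inside the jail BEFORE chroot, so `.' is never outside `/'. */
    if (chdir(dir) != 0) return -1;
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;

    /* Drop privileges: supplementary groups first, then gid, then uid
     * (real, effective and saved), so nothing is left to climb back with. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop actually stuck before trusting it. */
    if (setuid(0) == 0 || chroot("/") == 0) { errno = EPERM; return -1; }
    return 0;
}

/* True when the calling process can neither regain root nor chroot again. */
int jail_holds(void)
{
    return geteuid() != 0 && setuid(0) != 0 && chroot("/") != 0;
}

int main(void)
{
    /* Constructed example: jail in /tmp as uid/gid 65534 (nobody on most systems). */
    if (enter_jail("/tmp", 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jail holds: %s\n", jail_holds() ? "yes" : "no");
    return 0;
}
```

Run it as root to see the sequence succeed; as an ordinary user enter_jail refuses immediately with EPERM, which is the same answer chroot(2) itself would give.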

