From: Berend De Schouwer (bdsjhb.ucs.co.za)
Date: Wed May 22 2002 - 02:03:53 CDT

    On Wed, 2002-05-22 at 05:48, Jason Haar wrote:
    > [note: my question is WRT non-root chrooted jails - we all know about
    > chroot'ing root processes!]
    >
    > Most buffer overflows I've seen attempt to infiltrate the system enough to
    > run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
    > so they fail.

    I've had someone try /usr/X11R6/bin/xterm! (no, there wasn't an xterm
    either :)
    >
    > Is it as simple as that? As 99.999% of the system binaries aren't available
    > in the jail, can a buffer overflow ever work?

    Yes -- just append a binary /bin/sh to the end of the buffer overflow,
    and run that instead of exec("/bin/sh"). Try with a statically linked
    one first.
    >
    > --
    > Cheers
    >
    > Jason Haar
    >
    > Information Security Manager
    > Trimble Navigation Ltd.
    > Phone: +64 3 9635 377 Fax: +64 3 9635 417

    -- 
    Berend De Schouwer