From: Iván (core.lists.exploit-devcore-sdi.com)
Date: Wed May 22 2002 - 18:04:54 CDT


    I would say that chroot jails do not prevent exploitation
    of buffer overflow vulnerabilities AND they do not prevent
    the aftermath of such exploitation either.

    Once the attacker has the ability to run arbitrary code in the
    process space of the vulnerable program, the game is over.

    For example, a chroot jail does not prevent execution of
    system calls from within the vulnerable program's address
    space; therefore the exploit code can easily break out of the chroot
    jail, or call setuid(0) to regain root privileges, or perform socket calls
    to proxy attacks to other hosts, or download more complex
    exploitation code from the attacker's box, or a wide range of other
    interesting things.

    If you rely on chroot jails to mitigate the risk of exploitation of a
    vulnerable program you are wasting your time; it would be
    better to invest your time in making sure your program doesn't
    have holes in the first place.

    -ivan

    ---
    

    "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

    Ivan Arce CTO CORE SECURITY TECHNOLOGIES

    44 Wall Street - New York, NY 10005 Ph: (212) 461-2345 Fax: (212) 461-2346 http://www.corest.com

    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

    "Stuart Adamson" <stuart.adamsonevolution.net> wrote in message news:9920848EF398D311BDC400508BF339F980A3D7ldnisp14.evolution.net...
    > The buffer overflow still exists inside the chroot jail - but
    > the jail attempts to limit the damage that can be done. This offers
    > defence against attacks that exploit other binaries to elevate privilege,
    > and as you said, these other binaries hopefully shouldn't be inside the
    > chroot.
    >
    > However, if I want to use your box to attack another box then the lack
    > of binaries won't stop me - I'll just make my exploit download my own
    > and store them in /tmp (or /logs or something) in the chroot jail.
    >
    > Stuart
    >
    > > -----Original Message-----
    > > From: Jason Haar [mailto:Jason.Haartrimble.co.nz]
    > > Sent: 22 May 2002 04:48
    > > To: vuln-devsecurityfocus.com
    > > Subject: OT? Are chroots immune to buffer overflows?
    > >
    > > [note: my question is WRT non-root chrooted jails - we all know about
    > > chroot'ing root processes!]
    > >
    > > Most buffer overflows I've seen attempt to infiltrate the system enough to
    > > run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
    > > so they fail.
    > >
    > > Is it as simple as that? As 99.999% of the system binaries aren't available
    > > in the jail, can a buffer overflow ever work?
    > >
    > > --
    > > Cheers
    > >
    > > Jason Haar
    > >
    > > Information Security Manager
    > > Trimble Navigation Ltd.
    > > Phone: +64 3 9635 377 Fax: +64 3 9635 417

    --- for a personal reply use: "Iván Arce" <iarcecore-sdi.com>
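Added example (editor's code, not from anyone in this thread): the one part of Ivan's scenario a jail author can actually close is the setuid(0) call. A process that enters a chroot but keeps root, or a saved root uid, can regain root from injected code; dropping privileges irrevocably right after chroot() makes that call fail, and the self-check below shows how to verify it. The uid/gid 65534 and the jail directory are assumptions for the demo; the syscall, socket and download points Ivan raises are untouched by this.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail. chroot() alone leaves the cwd outside the new root,
 * so chdir("/") is mandatory. Returns 0 on success, -1 on error. */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0)
        return -1;
    return chdir("/") == 0 ? 0 : -1;
}

/* Drop to an unprivileged uid/gid in the only order that works:
 * supplementary groups, then gid, then uid (once uid is non-root the
 * others can no longer be changed). setuid() as root sets the real,
 * effective AND saved uid, so no saved root id is left for a later
 * setuid(0) to reclaim. No-op when not root. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    return 0;
}

/* Self-check: 1 if we are non-root and setuid(0) fails with EPERM,
 * 0 otherwise. Injected code in this process gets the same answer. */
int root_regain_blocked(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    errno = 0;
    if (setuid(0) == 0)
        return 0;              /* saved uid was still 0: drop was incomplete */
    return errno == EPERM;
}

int main(int argc, char **argv)
{
    /* chroot() needs root; the privilege drop and the check do not. */
    if (argc > 1 && enter_jail(argv[1]) != 0)      /* argv[1]: jail dir (assumed) */
        fprintf(stderr, "chroot(%s): %s\n", argv[1], strerror(errno));
    if (drop_privileges(65534, 65534) != 0)        /* 65534 = nobody (assumed) */
        return fprintf(stderr, "drop_privileges: %s\n", strerror(errno)), 1;
    printf("setuid(0) blocked: %s\n", root_regain_blocked() ? "yes" : "no");
    return root_regain_blocked() ? 0 : 1;
}
```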