From: Jose Nazario [jose@monkey.org]
Sent: Wednesday, May 22, 2002 1:51 PM
To: vuln-dev@securityfocus.com
Subject: Re: OT? Are chroots immune to buffer overflows?

chroot() and jail() cells are not perfect. while you have reduced the number of moving parts, parts vulnerable to buffer overflows, you are still going to have some code that is quite possibly exploitable, via a {buffer|stack|heap} overflow, a format string exploit, a configuration issue, what have you. accept this as fact. it is, after all, why you put the code in the restricted environment: to minimize the damage that will come when it is abused.

getting out of such an environment is well documented. here are some great pages on the subject:

http://www.bpfh.net/simes/computing/chroot-break.html
http://lists.jammed.com/pen-test/2001/07/0134.html
http://www.linuxsecurity.com/feature_stories/feature_story-99.html
http://www.linuxgazette.com/issue30/tag_chroot.html
http://archives.neohapsis.com/archives/nfr-wizards/1997/11/0091.html
http://lsd-pl.net/papers.html

search packetstormsecurity.org, etc ...

it's not perfect, but well done it's a severe impediment to abusing the system outright.

___________________________
jose nazario, ph.d.
jose@monkey.org
http://www.monkey.org/~jose/
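As an added example, not part of the post above: the entry sequence a daemon should use when it drops into a chroot cell, so that the two mistakes the linked write-ups build on (a working directory left outside the new root, and a process that stays root inside it) are avoided. The function name `enter_jail`, the absolute-path requirement and the uid/gid arguments are this example's own assumptions; it assumes the jail directory was prepared beforehand and that the caller starts as root.

```c
/* Added example: enter a chroot cell in the right order and drop privileges.
 * Not code from the original post. enter_jail() returns 0 on success and -1
 * on failure, leaving errno set by the call that failed. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* assumption of this example: only absolute jail paths are accepted */
    if (jail == NULL || jail[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    /* chdir() first: chroot() does not move the working directory, and a
     * cwd still outside the new root is the textbook way out of a cell. */
    if (chdir(jail) == -1)
        return -1;
    if (chroot(jail) == -1)
        return -1;
    if (chdir("/") == -1)          /* cwd is now the root of the cell */
        return -1;
    /* Drop root permanently: a uid-0 process inside a chroot can still call
     * chroot(), mknod() and friends, which is what the escape papers rely on.
     * Clear supplementary groups before changing gid/uid. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is the conventional "nobody" uid/gid; path is a placeholder */
    if (enter_jail("/var/empty", 65534, 65534) == -1) {
        perror("enter_jail");
        return EXIT_FAILURE;
    }
    puts("inside the cell, privileges dropped");
    return EXIT_SUCCESS;
}
```

The order matters: chdir, chroot, chdir("/"), then setgroups/setgid/setuid; reversing the last step (setuid before chroot) makes chroot() itself fail, and omitting it leaves the cell trivially escapable.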