CVE-2004-0125
CVSS7.2
Published: 2004-08-06 00:00:00
Revised: 2008-09-05 16:37:36

[Original] The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table.


[CNNVD] FreeBSD jail() process unauthorized routing table modification vulnerability (CNNVD-200408-123)

FreeBSD is a free, open-source UNIX operating system.
FreeBSD improperly allows superuser processes inside a jail() environment to modify the routing table; a remote attacker could exploit this vulnerability to corrupt the routing table and attack network services.
The jail(2) system call allows a system administrator to lock a process into a restricted environment. The FreeBSD kernel maintains internal routing tables to determine which interface should be used to transmit data; these tables can be changed by processes running with superuser privileges by sending messages over a routing socket. Because of a programming error, a process with superuser privileges inside a jail environment can send routing-table change messages and manipulate the routing table, which could corrupt the server's routing table, deny normal network service, or enable connection hijacking, redirection attacks and the like.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [could result in complete system shutdown]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.6.2            (FreeBSD 4.6.2)
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:freebsd:freebsd:4.6              (FreeBSD 4.6)
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.7              (FreeBSD 4.7)
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/o:freebsd:freebsd:4.2              (FreeBSD 4.2)
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:freebsd:freebsd:4.4              (FreeBSD 4.4)
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.8              (FreeBSD 4.8)
cpe:/o:freebsd:freebsd:4.10             (FreeBSD 4.10)
cpe:/o:freebsd:freebsd:4.1              (FreeBSD 4.1)
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.3              (FreeBSD 4.3)
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:freebsd:freebsd:4.1.1            (FreeBSD 4.1.1)
cpe:/o:freebsd:freebsd:4.9              (FreeBSD 4.9)
cpe:/o:freebsd:freebsd:4.5              (FreeBSD 4.5)
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.0:alpha
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.0              (FreeBSD 4.0)
cpe:/o:freebsd:freebsd:4.3:release

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0125
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0125
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-123
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/10485
(VENDOR_ADVISORY)  BID  10485
http://xforce.iss.net/xforce/xfdb/16342
(VENDOR_ADVISORY)  XF  freebsd-jailed-table-modify(16342)
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:12.jailroute.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-04:12

- Vulnerability information

FreeBSD jail() process unauthorized routing table modification vulnerability
High severity; access validation error
2004-08-06 00:00:00 2007-05-11 00:00:00
Local

- Advisories and patches

Vendor patch:
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-04:12) and a corresponding patch for this issue:
FreeBSD-SA-04:12: Jailed processes can manipulate host routing tables
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:12.jailroute.asc
Patch download:
FreeBSD Patch jailroute.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch

- Vulnerability information (F33504)

FreeBSD-SA-04-12.jailroute.asc (PacketStormID: F33504)
2004-06-09 00:00:00
Pawel Malachowski  freebsd.org
advisory, local
freebsd
CVE-2004-0125

FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute - A programming error allows local users to manipulate host routing tables if superuser privileges are obtained within a jailed process.

=============================================================================
FreeBSD-SA-04:12.jailroute                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Jailed processes can manipulate host routing tables

Category:       core
Module:         kernel
Announced:      2004-06-07
Credits:        Pawel Malachowski
Affects:        FreeBSD 4.8-RELEASE
                FreeBSD 4.9-RELEASE
Corrected:      2004-04-06 20:11:53 UTC (RELENG_4)
                2004-06-07 17:44:44 UTC (RELENG_4_9, 4.9-RELEASE-p10)
                2004-06-07 17:42:42 UTC (RELENG_4_8, 4.8-RELEASE-p23)
CVE Name:       CAN-2004-0125
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The jail(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even
for processes with superuser privileges.  It is an extension of, but
far more stringent than, the traditional Unix chroot(2) system call.

The FreeBSD kernel maintains internal routing tables for the purpose
of determining which interface should be used to transmit packets.
These routing tables can be manipulated by user processes running
with superuser privileges by sending messages over a routing socket.

II.  Problem Description

A programming error resulting in a failure to verify that an attempt
to manipulate routing tables originated from a non-jailed process.

III. Impact

Jailed processes running with superuser privileges could modify host
routing tables.  This could result in a variety of consequences including
packets being sent via an incorrect network interface and packets being
discarded entirely.

IV.  Workaround

No workaround is available.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8
or RELENG_4_9 security branch dated after the correction date.

OR

2) Patch your present system:

The following patch has been verified to apply to the FreeBSD 4.8 and
4.9 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
---------------------------------------------------------------------------
RELENG_4
  src/sys/net/rtsock.c                                          1.44.2.13
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.11
  src/sys/conf/newvers.sh                                  1.44.2.32.2.11
  src/sys/net/rtsock.c                                      1.44.2.11.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.26
  src/sys/conf/newvers.sh                                  1.44.2.29.2.24
  src/sys/net/rtsock.c                                      1.44.2.11.2.1
---------------------------------------------------------------------------
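As an added example (not part of the advisory or of any FreeBSD code), the following POSIX shell helper classifies a `uname -r` release string against the Affects and Corrected fields of FreeBSD-SA-04:12 above: 4.x before 4.10-RELEASE is affected, and the security branches carry the fix from 4.9-RELEASE-p10 and 4.8-RELEASE-p23 onward. The function name, the output labels and the assumed `MAJOR.MINOR-BRANCH[-pN]` format are my own; a -STABLE build is reported conservatively as vulnerable because its fix date cannot be read from the version string.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a FreeBSD release string
# against the versions named in FreeBSD-SA-04:12 (jailroute).
# Assumes the "uname -r" form MAJOR.MINOR[.PATCH]-BRANCH[-pN], e.g. 4.9-RELEASE-p10.

# Prints one of: unaffected, patched, vulnerable.
jailroute_status() {
    rel=$1
    ver=${rel%%-*}               # "4.9-RELEASE-p10" -> "4.9"
    rest=${rel#"$ver"}           # "-RELEASE-p10" (may be empty)
    rest=${rest#-}               # "RELEASE-p10"
    branch=${rest%%-*}           # "RELEASE"
    patch=0
    case "$rest" in
        *-p[0-9]*) patch=${rest##*-p} ;;   # security-branch patch level
    esac
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%.*}           # "4.6.2" -> "6"

    # Only the 4.x line is covered by the advisory; 4.10-RELEASE carries the fix.
    if [ "$major" -ne 4 ] || [ "$minor" -ge 10 ]; then
        echo unaffected
        return 0
    fi

    # Corrected: RELENG_4_9 at 4.9-RELEASE-p10, RELENG_4_8 at 4.8-RELEASE-p23.
    if [ "$branch" = RELEASE ]; then
        case "$ver" in
            4.9) if [ "$patch" -ge 10 ]; then echo patched; return 0; fi ;;
            4.8) if [ "$patch" -ge 23 ]; then echo patched; return 0; fi ;;
        esac
    fi

    # Everything else in 4.x, including -STABLE (fix date unknown), is reported vulnerable.
    echo vulnerable
    return 0
}

# Report on the running system, or on a release string passed as the first argument.
jailroute_status "${1:-$(uname -r)}"
```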

- Vulnerability information

6756
FreeBSD Jailed Process Host Routing Table Manipulation
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

FreeBSD contains a flaw that may allow a malicious user to manipulate internal routing tables. FreeBSD fails to prevent jailed processes with superuser privileges from modifying host routing tables. The flaw may allow a malicious user to cause packets to be discarded or sent to the wrong network interface, resulting in a loss of confidentiality or integrity.

- Timeline

2004-06-08 Unknown
2004-06-08 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, FreeBSD has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

FreeBSD jail() Process Unauthorized Routing Table Modification Vulnerability
Class: Access Validation Error    BID: 10485
Remote: No    Local: Yes
2004-06-07 12:00:00 2009-07-12 05:16:00
Pawel Malachowski was credited for this vulnerability.

- Affected program versions

FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 4.10 -RELEASE

- Unaffected program versions

FreeBSD FreeBSD 4.10 -RELEASE

- Vulnerability discussion

FreeBSD improperly allows routing updates from superuser processes inside jail() environments.

An attacker that gains superuser privileges inside of a jailed process can send routing table changes. An attacker could corrupt the routing table of the server, denying network services to legitimate users. Attackers may also be able to perform connection-hijacking and redirection attacks, such as the SSH man-in-the-middle attack.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

FreeBSD has released advisory FreeBSD-SA-04:12 addressing this issue. Please see the referenced advisory for further information on patches and fixes.


- References