CVE-2004-1124
CVSS 4.6
Published: 2004-01-14 00:00:00
Revised: 2008-09-05 16:40:27
NMCOPS    

[原文]Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities.


[CNNVD] SCO UnixWare/OpenServer Unspecified CHRoot Breakout Vulnerability (CNNVD-200401-028)

        An unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot environment and carry out unauthorized activities.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sco:unixware:7.1.1
cpe:/o:sco:openserver:5.0.6
cpe:/o:sco:openserver:5.0.7
cpe:/o:sco:unixware:7.1.4
cpe:/o:sco:unixware:7.1.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1124
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1124
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-028
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/18970
(VENDOR_ADVISORY)  XF  chroot-jail-security-bypass(18970)
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2/SCOSA-2005.2.txt
(VENDOR_ADVISORY)  SCO  SCOSA-2005.2
http://www.securityfocus.com/bid/12300
(UNKNOWN)  BID  12300
http://secunia.com/advisories/15339
(UNKNOWN)  SECUNIA  15339
http://secunia.com/advisories/13915
(UNKNOWN)  SECUNIA  13915
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22/SCOSA-2005.22.txt
(UNKNOWN)  SCO  SCOSA-2005.22

- Vulnerability information

SCO UnixWare/OpenServer Unspecified CHRoot Breakout Vulnerability
Severity: Medium   Type: Design error
Published: 2004-01-14 00:00:00   Updated: 2005-10-20 00:00:00
Attack vector: Local
        An unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot environment and carry out unauthorized activities.

- Advisories and patches

        The vendor has released an advisory (SCOSA-2005.2) and fixes to address this vulnerability for UnixWare.
        A fix for UnixWare 7.1.3 is included in UnixWare Release 7.1.3 Maintenance Pack 4 or later, and a fix for UnixWare 7.1.1 is available in UnixWare Release 7.1.1 Maintenance Pack 5 or later.
        The vendor has released an advisory (SCOSA-2005.22) and fixes to address this vulnerability for OpenServer.
        Customers are advised to see the referenced advisories for further information in regards to obtaining and applying appropriate fixes.
        SCO Open Server 5.0.6
        SCO Open Server 5.0.7
        SCO Unixware 7.1.4

- Vulnerability information (F35811)

SCOSA-2005.2.txt (PacketStormID:F35811)
2005-01-19 00:00:00

advisory
CVE-2004-1124

SCO Security Advisory - SCO has just come to terms with the fact that chroot jails can be broken out of.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a chroot prison.
Advisory number: 	SCOSA-2005.2
Issue date: 		2005 January 14
Cross reference:	sr887824 fz528555 erg712509 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

	chroot() is a system call that is often used to provide an
	additional layer of security when untrusted programs are
	run. The call to chroot() is normally used to ensure that
	code run after it can only access files at or below a given
	directory. 

	Originally, chroot() was used to test systems software in 
	a safe environment. It is now generally used to lock users 
	into an area of the file system so that they can not look 
	at or affect the important parts of the system they are on. 
	
	Several programs use chroot jails to ensure that even if 
	you break into the process's address space, you can't do 
	anything harmful to the whole system. If chroot() can be 
	broken then this precaution is broken. 

	A known exploit can break a chroot prison.

	The Common Vulnerabilities and Exposures project 
	(cve.mitre.org) has assigned the name CAN-2004-1124 to
	this issue.

	A new file system tunable, CHROOT_SECURITY is provided to
	protect against the known exploit for escaping from a chroot
	prison. The new tunable is described in /etc/conf/dtune.d/fs
	and defined in /etc/conf/mtune.d/fs. Protection is provided
	by the default value of 1 but traditional behavior may be
	obtained by resetting CHROOT_SECURITY to 0. 

	chroot() is a good way to increase the security of the
	software provided that secure programming guidelines are 
	utilized and chroot() system call limitations are taken 
	into account.  Chrooting will prevent an attacker from 
	reading files outside the chroot jail and will prevent 
	many local UNIX attacks (such as SUID abuse and /tmp 
	race conditions).

	The number of ways that the root user can break out of chroot 
	is huge.  If there is no root user defined within the 
	chroot environment, no SUID binaries, no devices, and 
	the daemon itself dropped root privileges right after 
	calling chroot(), breaking out of chroot appears to 
	be impossible.

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.4 			/etc/conf/pack.d/namefs/Driver_atup.o
					/etc/conf/pack.d/namefs/Driver_mp.o
					/usr/include/sys/vfs.h

	UnixWare 7.1.3 			See Maintenance Pack 4

	UnixWare 7.1.1 			See Maintenance Pack 5
				

3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.4

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2

	4.2 Verification

	MD5 (erg712629c.pkg.Z) = 480ecc98f9c918a3b35082c1bef2aa44

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712629c.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712629c.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712629c.pkg


5. UnixWare 7.1.3

	5.1 Location of Fixed Binaries

	The fixes are available in SCO UnixWare Release 7.1.3
        Maintenance Pack 4 or later.  See

	ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.txt
	or
	ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.html

	5.2 Verification

	MD5 (uw713mp4.image) = 7eb9e20ed6a6d9ed1ab7335323bf25d1

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download uw713mp4.image to the /var/spool/pkg directory

	# pkgadd -d /var/spool/pkg/uw713mp4.image


6. UnixWare 7.1.1

	6.1 Location of Fixed Binaries

	The fixes are available in SCO UnixWare Release 7.1.1
	Maintenance Pack 5 or later.  See

	ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
	and
	ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt

	6.2 Verification

	MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	6.3 Installing Fixed Binaries

	See uw711mp5.txt and uw711mp5_errata.txt for install instructions.

7. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 
		http://www.packetfactory.net/projects/libexploit/ 
		http://www.bpfh.net/simes/computing/chroot-break.html
		http://www.linuxsecurity.com/content/view/117632/49/

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr887824 fz528555
	erg712509.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)

iD8DBQFB6GDDaqoBO7ipriERAgpwAJ9ohWuGizBGP5rLwQfBvMkDtZdVIQCfQQaF
+ysj7pTq2BCUn+5vqu7CJvA=
=EDUn
-----END PGP SIGNATURE-----
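Section 1 of the advisory ends with a checklist for a jail that resists root break-out: no root account inside the jail, no SUID binaries, no device nodes, and a daemon that drops root immediately after chroot(). The script below is an added example, not code from the SCO advisory or from UnixWare: it audits a jail directory for the SUID/SGID and device-node items on that list and shows the privilege-drop sequence in a safe order on a POSIX host. The jail path and the unprivileged uid/gid are values you supply; the demo jail it builds is a constructed fixture.

```python
"""Jail hardening checks for a chroot()ed daemon.

Added example (not code from the SCO advisory or from UnixWare): it
turns the advisory's checklist into an audit plus a privilege-drop
routine. The jail path and the unprivileged uid/gid are values you
supply; the demo jail built below is constructed for illustration.
"""
import os
import stat
import tempfile


def audit_jail(jail):
    """Return [(kind, path)] for items that help a root break-out.

    kind is 'setuid', 'setgid' or 'device'. An empty list means the jail
    holds no SUID/SGID programs and no device nodes; whether a root
    account exists inside the jail must be checked separately.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never follow a symlink out of the jail
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device", path))
            elif stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.append(("setuid", path))
                elif mode & stat.S_ISGID:
                    findings.append(("setgid", path))
    return findings


def enter_jail_and_drop_root(jail, uid, gid):
    """chroot() into jail, then give up root immediately, in a safe order.

    Must be called with euid 0. chdir() precedes chroot() so the cwd is
    inside the jail; supplementary groups go first, then gid, then uid.
    Returns True only if root can no longer be regained afterwards.
    """
    os.chdir(jail)
    os.chroot(jail)
    os.chdir("/")               # cwd is now the jail root, not a path above it
    os.setgroups([])            # supplementary groups would otherwise survive setgid()
    os.setgid(gid)
    os.setuid(uid)              # as root this sets real, effective and saved uid
    try:
        os.setuid(0)            # verification: this must fail
    except PermissionError:
        return True
    return False


def build_demo_jail(with_setuid):
    """Constructed fixture: a throwaway jail with one regular file,
    optionally marked setuid so the audit has something to report."""
    jail = tempfile.mkdtemp(prefix="demo-jail-")
    os.makedirs(os.path.join(jail, "bin"))
    prog = os.path.join(jail, "bin", "tool")
    with open(prog, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(prog, 0o4755 if with_setuid else 0o755)
    return jail


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_jail(True)
    for kind, path in audit_jail(target):
        print(f"{kind:7} {path}")
```

Run it against a real jail directory as `python3 jail_audit.py /path/to/jail`; without an argument it audits the constructed demo jail. `enter_jail_and_drop_root` only works as root and is the order a daemon should use: changing directory before chroot() keeps the working directory from remaining above the new root, and clearing supplementary groups before setgid()/setuid() keeps group memberships from surviving the drop. The advisory's remaining item, a root account defined inside the jail, is a matter of what you copy into the jail's passwd file and is not something the audit can decide for you.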
    

- Vulnerability information

13057
SCO UnixWare Chroot Unspecified Escape

- Vulnerability description

A chroot() call is implemented in AtheOS, and its behavior is supposed to be POSIX conformant. Once chroot(<directory>) is issued by a process, <directory> should become the base directory ('/') with no way to go out of the jail. That feature is widely used to protect applications against unwanted directory traversals (ftp, http, etc.). After a chroot() call on AtheOS, '/' indeed seems to become the base directory: '/path/to/file' is translated to '<directory>/path/to/file'. Unfortunately, relative paths aren't checked against the current chroot jail. Therefore, '../../../../path/to/file' will be translated to a file outside the chroot limits.
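The description above pins the defect on one step: absolute paths are rewritten under the jail, but relative paths with '..' components are never checked against it. The script below is an added example, not code from UnixWare, AtheOS or the OSVDB entry; it contrasts such a resolver with one that normalises every path inside a virtual root before mapping it onto the host, so the result cannot leave the jail. The jail root '/srv/jail' and the sample paths are constructed values.

```python
"""Jail-confined path resolution.

Added example, not code from UnixWare, AtheOS or the OSVDB entry above.
It contrasts a resolver that only rewrites absolute paths (so relative
'..' components are never checked against the jail) with one that
normalises every path inside a virtual root before mapping it onto the
host. The jail root '/srv/jail' and the sample paths are constructed.
"""
import posixpath


def is_inside(jail, host_path):
    """True if host_path lies at or below the jail directory."""
    jail = posixpath.normpath(jail)
    return host_path == jail or host_path.startswith(jail + "/")


def naive_resolve(jail, host_cwd, path):
    """The failure mode: absolute paths are prefixed with the jail, but a
    relative path is joined to the process's real cwd and normalised
    with no containment check, so '..' can walk above the jail."""
    if path.startswith("/"):
        return posixpath.normpath(jail + path)
    return posixpath.normpath(posixpath.join(host_cwd, path))


def confined_resolve(jail, virtual_cwd, path):
    """Resolve path as the jailed process should see it.

    virtual_cwd is the cwd relative to the jail root ('/'-based). Every
    path, relative or absolute, is normalised under a virtual '/', where
    normpath discards '..' that would climb above the root; only then is
    it mapped onto the host, so the result cannot leave the jail.
    """
    virtual = path if path.startswith("/") else posixpath.join(virtual_cwd, path)
    virtual = posixpath.normpath("/" + virtual.lstrip("/"))
    host = posixpath.normpath(posixpath.join(jail, virtual.lstrip("/")))
    if not is_inside(jail, host):          # defensive: should be unreachable
        raise ValueError(f"path escapes jail: {path!r}")
    return host


if __name__ == "__main__":
    jail, cwd = "/srv/jail", "/home"
    for p in ["/etc/passwd", "docs/readme", "../../../etc/passwd"]:
        print(f"{p:24} naive -> {naive_resolve(jail, jail + cwd, p):24}"
              f" confined -> {confined_resolve(jail, cwd, p)}")
```

The difference is where normalisation happens: the confined resolver clamps '..' at the virtual root before the jail prefix is added, so a relative path can at most reach the jail's own top directory. This is a string-level illustration; a kernel does the equivalent per path component at lookup time, and any user-space resolver must additionally resolve symlinks (e.g. with os.path.realpath) before the containment check, since a link inside the jail can point above it.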

- Timeline

2005-01-14 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SCO UnixWare/OpenServer Unspecified CHRoot Breakout Vulnerability
Class: Design Error   BID: 12300
Remote: No   Local: Yes
Published: 2005-01-18 12:00:00   Updated: 2009-07-12 10:06:00
Discovery of this vulnerability is credited to Simon Roses Femerling.

- Affected program versions

SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open Server 5.0.7
SCO Open Server 5.0.6

- Vulnerability discussion

SCO UnixWare and OpenServer are reported prone to an unspecified chroot breaking vulnerability.

An attacker that has local interactive access to a computer that is running a vulnerable version of UnixWare may exploit this vulnerability to break out of a chroot prison that they reside in.

Specific details in regards to this vulnerability are not currently available. This BID will be updated as soon as further information is made available.

- Exploit

Shellcode to trigger this vulnerability is available in Simon Roses Femerling's 'LibExploit' library. This library is available at the following location:

http://www.packetfactory.net/projects/libexploit/

- Solution

The vendor has released an advisory (SCOSA-2005.2) and fixes to address this vulnerability for UnixWare.

A fix for UnixWare 7.1.3 is included in UnixWare Release 7.1.3 Maintenance Pack 4 or later, and a fix for UnixWare 7.1.1 is available in UnixWare Release 7.1.1 Maintenance Pack 5 or later.

The vendor has released an advisory (SCOSA-2005.22) and fixes to address this vulnerability for OpenServer.

Customers are advised to see the referenced advisories for further information in regards to obtaining and applying appropriate fixes.


SCO Open Server 5.0.6

SCO Open Server 5.0.7

SCO Unixware 7.1.4

- Related references
