CVE-2005-2218
CVSS 7.2
Published: 2005-07-26 00:00:00
Revised: 2008-09-05 16:51:11

[Original] The device file system (devfs) in FreeBSD 5.x does not properly check parameters of the node type when creating a device node, which makes hidden devices available to attackers, who can then bypass restrictions on a jailed process.


[CNNVD] FreeBSD devfs ruleset bypass vulnerability (CNNVD-200507-262)

        FreeBSD is a freely available Unix system that runs on the Intel platform.
        Because the node type parameters are not adequately checked when a device node is created, access control can be bypassed. This vulnerability makes hidden devices loaded by devfs available to an attacker, who can bypass the access control rules from a process with restricted privileges and thereby escalate privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:5.1 (FreeBSD 5.1)
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:5.4 (FreeBSD 5.4)
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.2.1 (FreeBSD 5.2.1)
cpe:/o:freebsd:freebsd:5.3 (FreeBSD 5.3)
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:5.0 (FreeBSD 5.0)
cpe:/o:freebsd:freebsd:5.2 (FreeBSD 5.2)
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:5.4:releng
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.4:release

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2218
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2218
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-262
(official data source) CNNVD

- Other links and resources

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-05:17
http://xforce.iss.net/xforce/xfdb/21451
(UNKNOWN)  XF  freebsd-devfs-gain-privileges(21451)
http://www.securityfocus.com/bid/14334
(UNKNOWN)  BID  14334
http://www.osvdb.org/18123
(UNKNOWN)  OSVDB  18123
http://securitytracker.com/id?1014536
(UNKNOWN)  SECTRACK  1014536
http://secunia.com/advisories/16145
(UNKNOWN)  SECUNIA  16145

- Vulnerability information

FreeBSD devfs ruleset bypass vulnerability
High severity  Access validation error
2005-07-26 00:00:00 2005-10-20 00:00:00
Local

- Advisory and patches

        The vendor has released an upgrade patch that fixes this security issue; the patch can be obtained from:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc

- Vulnerability information (F38809)

FreeBSD-SA-05-17.devfs.txt (PacketStormID:F38809)
2005-07-21 00:00:00
 
advisory
freebsd
CVE-2005-2218

FreeBSD Security Advisory FreeBSD-SA-05:17.devfs - Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions.


=============================================================================
FreeBSD-SA-05:17.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          devfs ruleset bypass

Category:       core
Module:         devfs
Announced:      2005-07-20
Credits:        Robert Watson
Affects:        All FreeBSD 5.x releases
Corrected:      2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE)
                2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5)
                2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19)
CVE Name:       CAN-2005-2218

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The device file system, or devfs(5), provides access to the kernel's device
namespace in the global file system namespace.  This includes access
to system devices such as storage devices, kernel and system memory
devices, BPF devices, and serial port devices.  Devfs is generally
mounted as /dev.  Devfs rulesets allow an administrator to hide
certain device nodes; this is most commonly applied to a devfs mounted
for use inside a jail, in order to make devices inaccessible to
processes within that jail.

II.  Problem Description

Due to insufficient parameter checking of the node type during device
creation, any user can expose hidden device nodes on devfs mounted
file systems within their jail.  Device nodes will be created in the
jail with their normal default access permissions.

III. Impact

Jailed processes can get access to restricted resources on the host
system.  For jailed processes running with superuser privileges this
implies access to all devices on the system.  This level of access
can lead to information leakage and privilege escalation.

IV.  Workaround

Unmount device file systems mounted inside jails.  Note that certain
device nodes, such as /dev/null, may be required for some software to
function correctly.

This can be done by executing the following command as root:

  umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference
`devfs' and have a mount point within a jail, so that they will not be
re-mounted at next reboot.

Some device file systems might be busy, including the host's main /dev
file system, and processes accessing these must be shut down before
the device file system can be unmounted.  The host's main device file
system, mounted as /dev, should not be unmounted since it is required
for normal system operation.
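The fstab part of the workaround above, as an added audit helper that is not part of the FreeBSD advisory: it lists the devfs entries whose mount point lies under a jail root so an administrator can comment them out and unmount them. The jail root prefix (/usr/jails) and the fstab content are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the FreeBSD advisory: find fstab entries
# that mount devfs under a jail root so they can be commented out and
# unmounted, as the SA-05:17 workaround requires. The jail root prefix
# (/usr/jails below) is an assumption; adjust it to your layout.

# Constructed sample fstab, embedded so the script runs offline.
SAMPLE_FSTAB='# Device        Mountpoint             FStype   Options      Dump Pass#
/dev/ad0s1a     /                      ufs      rw           1    1
devfs           /dev                   devfs    rw           0    0
devfs           /usr/jails/www/dev     devfs    rw           0    0
procfs          /usr/jails/www/proc    procfs   rw           0    0
devfs           /usr/jails/db/dev      devfs    rw,ruleset=4 0    0'

# devfs_in_jails FSTAB_TEXT JAIL_ROOT
# Prints the mount point of every devfs entry located under JAIL_ROOT.
# Comment lines are skipped; the host's own /dev is never matched, since
# the advisory says it must stay mounted.
devfs_in_jails() {
    printf '%s\n' "$1" | awk -v root="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 == "devfs" && index($2, root "/") == 1 { print $2 }
    '
}

# count_devfs_in_jails FSTAB_TEXT JAIL_ROOT -> number of matching entries
count_devfs_in_jails() {
    devfs_in_jails "$1" "$2" | wc -l | tr -d ' '
}

# report JAIL_ROOT: human-readable summary with the umount command per entry.
# It only prints what an administrator would run; it does not unmount anything.
report() {
    n=$(count_devfs_in_jails "$SAMPLE_FSTAB" "$1")
    echo "devfs entries mounted under $1 in fstab: $n"
    devfs_in_jails "$SAMPLE_FSTAB" "$1" | while read -r mp; do
        echo "  $mp  -> comment out in fstab, then: umount $mp"
    done
}

report /usr/jails
```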

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4,
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.2.2
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.14
  src/sys/conf/newvers.sh                                  1.62.2.18.2.10
  src/sys/fs/devfs/devfs_vnops.c                             1.73.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.22
  src/sys/conf/newvers.sh                                  1.62.2.15.2.24
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.4.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2218

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc

- Vulnerability information

18123
FreeBSD devfs Device Disclosure jail(2) Bypass
Local Access Required Information Disclosure
Loss of Integrity
Exploit Public

- Vulnerability description

The device file system (devfs) on FreeBSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when devfs fails to sufficiently check parameters of the node type during device creation. This allows a malicious user to bypass devfs rulesets and access hidden device nodes on devfs mounted file systems within a jail. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- Timeline

2005-07-11 Unknown
2005-07-11 Unknown

- Solution

Upgrade to version 5-STABLE, or to the RELENG_5_4, or RELENG_5_3 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions. It is also possible to correct the flaw by implementing the following workaround: unmount device file systems mounted inside jails.

- References

- Vulnerability author

- Vulnerability information

FreeBSD Jail() Devfs Ruleset Bypass Vulnerability
Access Validation Error 14334
No Yes
2005-07-20 12:00:00 2009-07-12 04:06:00
The vendor reported this issue.

- Affected program versions

FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0

- Vulnerability discussion

FreeBSD is prone to a vulnerability that may allow local attackers to gain access to restricted resources on a computer.

This issue allows local attackers to access hidden device nodes on devfs file systems from within a jail. The attacker can create sensitive device nodes in the jail with default access permissions.

A successful attack can lead to information disclosure and privilege escalation.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

FreeBSD advisory FreeBSD-SA-05:17.devfs is available to address this issue. Please see the referenced advisory for more information.


FreeBSD FreeBSD 5.0

FreeBSD FreeBSD 5.3 -RELENG

FreeBSD FreeBSD 5.4 -RELENG

- References
