CVE-2006-2654
CVSS 6.4
Published: 2006-06-01 21:02:00
Last revised: 2008-09-05 17:05:05

[Original text] Directory traversal vulnerability in smbfs on FreeBSD 4.10 up to 6.1 allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences. NOTE: this is similar to CVE-2006-1864, but this is a different implementation of smbfs, so it has a different CVE identifier.


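[CNNVD] FreeBSD SMBFS Access Control Bypass Vulnerability (CNNVD-200606-016)

        FreeBSD is a freely available, open-source Unix-like operating system that runs on Intel platforms.
        FreeBSD's smbfs has a flaw in how it handles requested paths; a remote attacker may exploit it to perform directory traversal and access unauthorized files.
        FreeBSD's smbfs does not correctly filter paths that contain backslashes. Specifically, an SMB/CIFS server interprets the directory name "..\" as the parent directory, but smbfs handles that name the same way as any other directory. When a chroot environment is located on an smbfs-mounted filesystem, an attacker can escape the chroot restriction and access any other directory of the smbfs-mounted filesystem.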
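
The mismatch described above, as an added illustration in C (not FreeBSD's smbfs code or its patch): the client forwards a name containing "..\" as one ordinary component, a toy model of the server splits it on backslashes, and a component check refuses such names. The function names, the "\jail" directory and the sample names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened check: one local path component must not contain the SMB
 * separator, because the server will split the name on it. */
static int component_ok(const char *name)
{
    return name[0] != '\0' && strchr(name, '\\') == NULL;
}

/* Toy model of server-side resolution: split on '\\', ".." pops a level. */
static void server_resolve(const char *wire, char *out, size_t cap)
{
    size_t len = 0;
    out[0] = '\0';
    while (*wire) {
        size_t n = strcspn(wire, "\\");            /* next token length */
        if (n == 2 && wire[0] == '.' && wire[1] == '.') {
            while (len > 0 && out[--len] != '\\')  /* drop the last level */
                ;
            out[len] = '\0';
        } else if (n > 0 && !(n == 1 && wire[0] == '.') && len + n + 2 <= cap) {
            out[len++] = '\\';
            memcpy(out + len, wire, n);
            out[len += n] = '\0';
        }
        wire += n + (wire[n] == '\\');             /* skip token and separator */
    }
}

/* 1 = server path stays under the jail, 0 = it escapes, -1 = client refused.
 * check == 0 models the flawed client that forwards any name unchanged. */
static int lookup_result(const char *name, int check)
{
    const char *jail = "\\jail";                   /* constructed chroot dir */
    char wire[256], res[256];
    size_t j = strlen(jail);
    if (check && !component_ok(name))
        return -1;
    snprintf(wire, sizeof(wire), "%s\\%s", jail, name);
    server_resolve(wire, res, sizeof(res));
    return strncmp(res, jail, j) == 0 && (res[j] == '\0' || res[j] == '\\');
}

int main(void)
{
    printf("unchecked=%d checked=%d benign=%d\n", lookup_result("..\\secret", 0),
           lookup_result("..\\secret", 1), lookup_result("notes.txt", 1));
    return 0;
}
```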

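- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]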

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.1 FreeBSD 5.1
cpe:/o:freebsd:freebsd:5.4 FreeBSD 5.4
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:5.0 FreeBSD 5.0
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:5.1:release_p1
cpe:/o:freebsd:freebsd:5.0:release
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.4:stable
cpe:/o:freebsd:freebsd:5.4:release
cpe:/o:freebsd:freebsd:6.0:release
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:6.0:stable
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.2.1 FreeBSD 5.2.1
cpe:/o:freebsd:freebsd:5.3 FreeBSD 5.3
cpe:/o:freebsd:freebsd:5.2 FreeBSD 5.2
cpe:/o:freebsd:freebsd:5.4:releng
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:6.0 FreeBSD 6.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2654
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2654
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-016
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18202
(UNKNOWN)  BID  18202
http://security.freebsd.org/advisories/FreeBSD-SA-06:16.smbfs.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-06:16
http://secunia.com/advisories/20390
(VENDOR_ADVISORY)  SECUNIA  20390
http://xforce.iss.net/xforce/xfdb/26860
(UNKNOWN)  XF  freebsd-smbfs-directory-traversal(26860)
http://www.osvdb.org/25851
(UNKNOWN)  OSVDB  25851
http://securitytracker.com/id?1016194
(UNKNOWN)  SECTRACK  1016194

- Vulnerability information

FreeBSD SMBFS Access Control Bypass Vulnerability
Medium severity; path traversal
2006-06-01 00:00:00 2006-06-01 00:00:00
Local

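- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:16.smbfs.asc

- Vulnerability information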

25851
FreeBSD SMBFS Traversal chroot Bypass
Local Access Required, Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

FreeBSD contains a flaw that allows a remote attacker to escape a chroot environment when the chroot is implemented over a Server Message Block File System (SMBFS). The issue is due to the SMBFS not properly sanitizing user input, specifically directory traversal style attacks (..\). This flaw may lead to a loss of integrity.

- Timeline

2006-05-31 Unknown
2006-05-31 Unknown

- Solution

Upgrade to version 4.11, 5.5 or 6.1 or higher, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions. It is also possible to correct the flaw by implementing the following workaround: mount the SMBFS so that the chroot directory is on a mount point and not a subdirectory of a mount point.

- Related references

- Vulnerability author

- Vulnerability information

FreeBSD SMBFS CHRoot Security Restriction Bypass Vulnerability
Input Validation Error 18202
No Yes
2006-06-01 12:00:00 2006-06-01 06:52:00
Marcel Holtmann is credited with the discovery of this vulnerability in the Linux kernel. The vendor reported that this issue also affects FreeBSD.

- Affected program versions

FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 6.1 -STABLE
FreeBSD FreeBSD 6.1 -RELEASE
FreeBSD FreeBSD 5.4-STABLE

- Vulnerability discussion

FreeBSD is prone to a vulnerability that allows attackers to bypass a security restriction. This issue is due to a failure in the kernel to properly sanitize user-supplied data.

The problem affects chroot inside of an SMB-mounted filesystem ('smbfs'). A local attacker who is bounded by the chroot can exploit this issue to bypass the chroot restriction and then gain unauthorized access to the filesystem.

Although this issue is identical to the vulnerability described in BID 17735 (Linux Kernel SMBFS CHRoot Security Restriction Bypass Vulnerability), this issue has been assigned a CVE number (CVE-2006-2654).

- Exploit

This issue can be exploited via normal system commands.

- Solution

FreeBSD advisory FreeBSD-SA-06:16.smbfs, including fixes, is available.

- Related references
