|
FreeBSD jail rc.d Security Bypass Vulnerability
|
|
Secunia Advisory:
|
SA23730
|
|
|
Release Date:
|
2007-01-12
|
|
Last Update:
|
2007-08-02
|
|
Popularity:
|
8,998 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | FreeBSD 5.x
FreeBSD 6.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2007-0166
|
|
Description:
A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to the jail rc.d script not properly checking paths inside a jail file system structure before usage. This can be exploited via symlink attacks by the root user inside a jail to overwrite files outside the jail using /var/log/console.log or to mount or unmount file systems on the host system.
Successful exploitation allows execution of arbitrary commands with non-jailed superuser privileges.
NOTE: The vulnerability occurs only when a jail is being started or stopped using the host's jail rc.d script. Running jails cannot exploit this.
The vulnerability is reported in all FreeBSD releases since 5.3.
Solution:
Update FreeBSD or apply patches.
Fixed versions:
2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
2007-01-11 18:18:57 UTC (RELENG_5, 5.5-STABLE)
2007-01-11 18:19:33 UTC (RELENG_5_5, 5.5-RELEASE-p10)
Patches:
FreeBSD 5.5:
http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc
FreeBSD 6.0:
http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc
FreeBSD 6.1:
http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc
NOTE:
The original patch for FreeBSD 5.5 was incorrect. Users that applied the original patch should apply the following corrective patch to fix the problem:
http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch
http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch.asc
Provided and/or discovered by:
The vendor credits Dirk Engling.
Changelog:
2007-01-17: Added CVE reference.
2007-08-02: Added information about corrective patch for FreeBSD 5.5 to the Solution.
Original Advisory:
http://security.freebsd.org/advisories/FreeBSD-SA-07:01.jail.asc
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
10th Oct, 2008
|
New advisories:
|
15 |
|
New vulnerabilities:
|
83 |
|
Updated advisories:
|
41 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
