what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SCOSA-2005.2.txt

SCOSA-2005.2.txt
Posted Jan 19, 2005
Site sco.com

SCO Security Advisory - SCO has just come to terms with the fact that chroot jails can be broken out of.

tags | advisory
advisories | CVE-2004-1124
SHA-256 | ab65a3303eed13d35df02e8d19583bb970e1119ea57e1881df6d8e714d105a77

SCOSA-2005.2.txt

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a chroot prison.
Advisory number: SCOSA-2005.2
Issue date: 2005 January 14
Cross reference: sr887824 fz528555 erg712509 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

chroot() is a system call that is often used to provide an
additional layer of security when untrusted programs are
run. The call to chroot() is normally used to ensure that
code run after it can only access files at or below a given
directory.

Originally, chroot() was used to test systems software in
a safe environment. It is now generally used to lock users
into an area of the file system so that they can not look
at or affect the important parts of the system they are on.

Several programs use chroot jails to ensure that even if
you break into the process's address space, you can't do
anything harmful to the whole system. If chroot() can be
broken then this precaution is broken.

A known exploit can break a chroot prison.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1124 to t
his issue.

A new file system tunable, CHROOT_SECURITY is provided to
protect against the known exploit for escaping from a chroot
prison. The new tunable is described in /etc/conf/dtune.d/fs
and defined in /etc/conf/mtune.d/fs. Protection is provided
by the default value of 1 but traditional behavior may be
obtained by resetting CHROOT_SECURITY to 0.

chroot() is a good way to increase the security of the
software provided that secure programming guidelines are
utilized and chroot() system call limitations are taken
into account. Chrooting will prevent an attacker from
reading files outside the chroot jail and will prevent
many local UNIX attacks (such as SUID abuse and /tmp
race conditions).

The number of ways that root user can break out of chroot
is huge. If there is no root user defined within the
chroot environment, no SUID binaries, no devices, and
the daemon itself dropped root privileges right after
calling chroot() call breaking out of chroot appears to
be impossible.

2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 /etc/conf/pack.d/namefs/Driver_atup.o
/etc/conf/pack.d/namefs/Driver_mp.o
/usr/include/sys/vfs.h

UnixWare 7.1.3 See Maintainance pack 4

UnixWare 7.1.1 See Maintainance pack 5


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.4

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2

4.2 Verification

MD5 (erg712629c.pkg.Z) = 480ecc98f9c918a3b35082c1bef2aa44

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712629c.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712629c.pkg.Z
# pkgadd -d /var/spool/pkg/erg712629c.pkg


5. UnixWare 7.1.3

5.1 Location of Fixed Binaries

The fixes are available in SCO UnixWare Release 7.1.3
Maintenance Pack 4 or later. See

ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.txt
or
ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.html

5.2 Verification

MD5 (uw713mp4.image) = 7eb9e20ed6a6d9ed1ab7335323bf25d1

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download uw713mp4.image to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/uw713mp4.image


6. UnixWare 7.1.1

6.1 Location of Fixed Binaries

The fixes are available in SCO UnixWare Release 7.1.1
Maintenance Pack 5 or later. See

ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
and
ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt

6.2 Verification

MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

6.3 Installing Fixed Binaries

See uw711mp5.txt and uw711mp5_errata.txt for install instructions.

7. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124
http://www.packetfactory.net/projects/libexploit/
http://www.bpfh.net/simes/computing/chroot-break.html
http://www.linuxsecurity.com/content/view/117632/49/

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr887824 fz528555
erg712509.


8. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


9. Acknowledgments

SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)

iD8DBQFB6GDDaqoBO7ipriERAgpwAJ9ohWuGizBGP5rLwQfBvMkDtZdVIQCfQQaF
+ysj7pTq2BCUn+5vqu7CJvA=
=EDUn
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close