{"osvdb": [{"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "description": "## Vulnerability Description\nA chroot() call is implemented in AtheOS, and its behavior is supposed to\nbe POSIX conformant. Once chroot(<directory>) is issued by a process,\n<directory> should become the base directory ('/') with no way to go out of\nthe jail. That feature is widely used to protect applications against\nunwanted directory traversals (ftp, http, etc.) .\n\n After a chroot() call on AtheOS, '/' indeed seems to become the base\ndirectory. '/path/to/file' is translated to '<directory>/path/to/file' .\n\n Unfortunately, relative paths aren't checked against the current chroot\njail. Therefore, '../../../../path/to/file' will be translated to a file out\nof the chroot limits.\n## References:\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22/SCOSA-2005.22.txt)\n[Secunia Advisory ID:13915](https://secuniaresearch.flexerasoftware.com/advisories/13915/)\n[Secunia Advisory ID:15339](https://secuniaresearch.flexerasoftware.com/advisories/15339/)\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2/SCOSA-2005.2.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0594.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0136.html\n[CVE-2004-1124](https://vulners.com/cve/CVE-2004-1124)\n", "modified": "2005-01-14T16:12:58", "published": "2005-01-14T16:12:58", "href": "https://vulners.com/osvdb/OSVDB:13057", "id": "OSVDB:13057", "title": "SCO UnixWare Chroot Unspecified Escape", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n\r\n______________________________________________________________________________\r\n\r\n SCO Security Advisory\r\n\r\nSubject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a\r\nchroot prison.\r\nAdvisory number: SCOSA-2005.2\r\nIssue date: 2005 January 14\r\nCross reference: sr887824 fz528555 erg712509 CAN-2004-1124\r\n______________________________________________________________________________\r\n\r\n\r\n1. Problem Description\r\n\r\n chroot() is a system call that is often used to provide an\r\n additional layer of security when untrusted programs are\r\n run. The call to chroot() is normally used to ensure that\r\n code run after it can only access files at or below a given\r\n directory. 
\r\n\r\n Originally, chroot() was used to test systems software in \r\n a safe environment. It is now generally used to lock users \r\n into an area of the file system so that they can not look \r\n at or affect the important parts of the system they are on. \r\n \r\n Several programs use chroot jails to ensure that even if \r\n you break into the process's address space, you can't do \r\n anything harmful to the whole system. If chroot() can be \r\n broken then this precaution is broken. \r\n\r\n A known exploit can break a chroot prison.\r\n\r\n The Common Vulnerabilities and Exposures project \r\n (cve.mitre.org) has assigned the name CAN-2004-1124 to\r\n this issue.\r\n\r\n A new file system tunable, CHROOT_SECURITY is provided to\r\n protect against the known exploit for escaping from a chroot\r\n prison. The new tunable is described in /etc/conf/dtune.d/fs\r\n and defined in /etc/conf/mtune.d/fs. Protection is provided\r\n by the default value of 1 but traditional behavior may be\r\n obtained by resetting CHROOT_SECURITY to 0. \r\n\r\n chroot() is a good way to increase the security of the\r\n software provided that secure programming guidelines are \r\n utilized and chroot() system call limitations are taken \r\n into account. Chrooting will prevent an attacker from \r\n reading files outside the chroot jail and will prevent \r\n many local UNIX attacks (such as SUID abuse and /tmp \r\n race conditions).\r\n\r\n The number of ways that root user can break out of chroot \r\n is huge. If there is no root user defined within the \r\n chroot environment, no SUID binaries, no devices, and \r\n the daemon itself dropped root privileges right after \r\n calling chroot() call breaking out of chroot appears to \r\n be impossible.\r\n\r\n2. 
Vulnerable Supported Versions\r\n\r\n System Binaries\r\n ----------------------------------------------------------------------\r\n UnixWare 7.1.4 /etc/conf/pack.d/namefs/Driver_atup.o\r\n /etc/conf/pack.d/namefs/Driver_mp.o\r\n /usr/include/sys/vfs.h\r\n\r\n UnixWare 7.1.3 See Maintenance pack 4\r\n\r\n UnixWare 7.1.1 See Maintenance pack 5\r\n \r\n\r\n3. Solution\r\n\r\n The proper solution is to install the latest packages.\r\n\r\n\r\n4. UnixWare 7.1.4\r\n\r\n 4.1 Location of Fixed Binaries\r\n\r\n ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2\r\n\r\n 4.2 Verification\r\n\r\n MD5 (erg712629c.pkg.Z) = 480ecc98f9c918a3b35082c1bef2aa44\r\n\r\n md5 is available for download from\r\n ftp://ftp.sco.com/pub/security/tools\r\n\r\n\r\n 4.3 Installing Fixed Binaries\r\n\r\n Upgrade the affected binaries with the following sequence:\r\n\r\n Download erg712629c.pkg.Z to the /var/spool/pkg directory\r\n\r\n # uncompress /var/spool/pkg/erg712629c.pkg.Z\r\n # pkgadd -d /var/spool/pkg/erg712629c.pkg\r\n\r\n\r\n5. UnixWare 7.1.3\r\n\r\n 5.1 Location of Fixed Binaries\r\n\r\n The fixes are available in SCO UnixWare Release 7.1.3\r\n Maintenance Pack 4 or later. See\r\n\r\n ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.txt\r\n or\r\n ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.html\r\n\r\n 5.2 Verification\r\n\r\n MD5 (uw713mp4.image) = 7eb9e20ed6a6d9ed1ab7335323bf25d1\r\n\r\n md5 is available for download from\r\n ftp://ftp.sco.com/pub/security/tools\r\n\r\n\r\n 5.3 Installing Fixed Binaries\r\n\r\n Upgrade the affected binaries with the following sequence:\r\n\r\n Download uw713mp4.image to the /var/spool/pkg directory\r\n\r\n # pkgadd -d /var/spool/pkg/uw713mp4.image\r\n\r\n\r\n6. UnixWare 7.1.1\r\n\r\n 6.1 Location of Fixed Binaries\r\n\r\n The fixes are available in SCO UnixWare Release 7.1.1\r\n Maintenance Pack 5 or later. 
See\r\n\r\n ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt\r\n and\r\n ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt\r\n\r\n 6.2 Verification\r\n\r\n MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a\r\n\r\n md5 is available for download from\r\n ftp://ftp.sco.com/pub/security/tools\r\n\r\n 6.3 Installing Fixed Binaries\r\n\r\n See uw711mp5.txt and uw711mp5_errata.txt for install instructions.\r\n\r\n7. References\r\n\r\n Specific references for this advisory:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 \r\n http://www.packetfactory.net/projects/libexploit/ \r\n http://www.bpfh.net/simes/computing/chroot-break.html\r\n http://www.linuxsecurity.com/content/view/117632/49/\r\n\r\n SCO security resources:\r\n http://www.sco.com/support/security/index.html\r\n\r\n SCO security advisories via email\r\n http://www.sco.com/support/forums/security.html\r\n\r\n This security fix closes SCO incidents sr887824 fz528555\r\n erg712509.\r\n\r\n\r\n8. Disclaimer\r\n\r\n SCO is not responsible for the misuse of any of the information\r\n we provide on this website and/or through our security\r\n advisories. Our advisories are a service to our customers\r\n intended to promote secure installation and use of SCO\r\n products.\r\n\r\n\r\n9. 
Acknowledgments\r\n\r\n SCO would like to thank Simon Roses Femerling\r\n\r\n______________________________________________________________________________\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.0 (SCO/UNIX_SVR5)\r\n\r\niD8DBQFB6GDDaqoBO7ipriERAgpwAJ9ohWuGizBGP5rLwQfBvMkDtZdVIQCfQQaF\r\n+ysj7pTq2BCUn+5vqu7CJvA=\r\n=EDUn\r\n-----END PGP SIGNATURE-----", "modified": "2005-01-19T00:00:00", "published": "2005-01-19T00:00:00", "id": "SECURITYVULNS:DOC:7627", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7627", "title": "UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a chroot prison.", "type": "securityvulns", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}