SCO UnixWare Chroot Unspecified Escape

2005-01-14T16:12:58
ID OSVDB:13057
Type osvdb
Reporter OSVDB
Modified 2005-01-14T16:12:58

Description

Vulnerability Description

A chroot() call is implemented in AtheOS, and its behavior is supposed to be POSIX conformant. Once chroot(<directory>) is issued by a process, <directory> should become the base directory ('/'), with no way to get out of the jail. That feature is widely used to protect applications against unwanted directory traversal (ftp, http, etc.).

After a chroot() call on AtheOS, '/' does indeed become the base directory: '/path/to/file' is translated to '<directory>/path/to/file'.

Unfortunately, relative paths are not checked against the current chroot jail. The '..' components of a relative path are not clamped at the jail root, so '../../../../path/to/file' is translated to a file outside the chroot limits.
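The two resolution rules described above, modelled as an added example (this is not code from OSVDB, AtheOS or SCO; the jail root /var/jail, the sample paths and the function names are assumptions for illustration). It walks a pathname component by component the way a jail-aware resolver must: with `clamp` set, '..' at the jail root resolves to the root itself, as POSIX requires; with `clamp` clear, '..' climbs above the jail root, which reproduces the escape the advisory describes. A real kernel does this per component inside the VFS, so the model is a string-level approximation, but the verdict it gives for each path is the one a conformant kernel must give.

```c
/* Added example: model of pathname resolution inside a chroot jail.
 * Not code from OSVDB, AtheOS or SCO; paths and names are illustrative. */
#include <stdio.h>
#include <string.h>

#define MAXCOMP 128
#define MAXPATH 1024

/* Split `path` on '/' and push its components onto the stack comp[]/len[].
 * ""/"." are skipped. ".." pops one component while we are above `base`
 * (the jail root's depth). At the jail root it either stays put (clamp,
 * the POSIX behaviour) or keeps popping host components (no clamp), in
 * which case *escaped is set: that is the defect described in the text.
 * Returns 0, or -1 if the stack would overflow. */
static int push_components(const char *path, const char **comp, size_t *len,
                           int *depth, int base, int clamp, int *escaped)
{
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;                 /* collapse "//" */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (*depth > base) {
                (*depth)--;                    /* normal ".." inside jail */
            } else if (!clamp && *depth > 0) {
                (*depth)--;                    /* climbs above the jail root */
                *escaped = 1;
            }
            /* clamp: ".." at the jail root resolves to the root itself */
            continue;
        }
        if (*depth >= MAXCOMP) return -1;
        comp[*depth] = start;
        len[*depth] = n;
        (*depth)++;
    }
    return 0;
}

/* Resolve `req` (absolute or jail-relative) as a process jailed at host
 * directory `jail` with jail-relative cwd `cwd` would see it, writing the
 * resulting host path to `out`. Returns 1 if the path stays inside the
 * jail, 0 if it escaped, -1 on overflow. */
int resolve_in_jail(const char *jail, const char *cwd, const char *req,
                    int clamp, char *out, size_t outlen)
{
    const char *comp[MAXCOMP];
    size_t len[MAXCOMP];
    int depth = 0, escaped = 0, unused = 0;

    if (outlen < 2) return -1;
    out[0] = '\0';
    /* The jail root is a host-absolute path; it is never clamped. */
    if (push_components(jail, comp, len, &depth, 0, 1, &unused) < 0) return -1;
    int base = depth;
    /* Relative requests start from the cwd, which lives inside the jail. */
    if (req[0] != '/' &&
        push_components(cwd, comp, len, &depth, base, clamp, &escaped) < 0)
        return -1;
    if (push_components(req, comp, len, &depth, base, clamp, &escaped) < 0)
        return -1;

    /* Join the stack back into "/a/b/c" ("/" for an empty stack). */
    if (depth == 0) { strcpy(out, "/"); return escaped ? 0 : 1; }
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + len[i] + 1 > outlen) return -1;   /* '/' + comp + NUL */
        out[used++] = '/';
        memcpy(out + used, comp[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return escaped ? 0 : 1;
}

/* Convenience for checks: 1 iff `req` resolves to `want_host` with the
 * expected inside (1) / escaped (0) verdict. */
int check(const char *jail, const char *cwd, const char *req, int clamp,
          const char *want_host, int want_inside)
{
    char host[MAXPATH];
    int r = resolve_in_jail(jail, cwd, req, clamp, host, sizeof host);
    return r == want_inside && strcmp(host, want_host) == 0;
}

int main(void)
{
    const char *req[] = { "/etc/passwd", "../../../../etc/passwd" };
    char host[MAXPATH];
    for (int clamp = 1; clamp >= 0; clamp--) {
        printf("%s:\n", clamp ? "POSIX-conformant (\"..\" clamped at jail root)"
                              : "Unchecked relative paths (behaviour described above)");
        for (size_t i = 0; i < 2; i++) {
            int r = resolve_in_jail("/var/jail", "/", req[i], clamp, host, sizeof host);
            printf("  %-24s -> %-22s %s\n", req[i], host,
                   r == 1 ? "inside jail" : "ESCAPED");
        }
    }
    return 0;
}
```

The live equivalent on a real system is a small program run as root that calls chroot() on a test directory, then chdir("/") and open() on "../../../../etc/passwd": a conformant kernel fails the open with ENOENT (or opens the jail's own copy, if one exists), never the host's file. The chdir() matters independently of this bug: chroot() does not change the working directory, so a process that omits it keeps a cwd outside the jail and can still reach host files through relative paths on any system.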

Short Description

AtheOS implements chroot(), but relative paths are not resolved against the jail root: after chroot(<directory>), '/path/to/file' maps to '<directory>/path/to/file', while '../../../../path/to/file' resolves to a file outside the jail, defeating the protection chroot is meant to give ftp, http and similar daemons.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 13915
Secunia Advisory ID: 15339
Other Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2/SCOSA-2005.2.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0594.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0136.html
CVE-2004-1124