Linux Kernel SMBFS SMB Mount Traversal chroot Restriction Bypass

2006-04-19T09:02:36
ID OSVDB:25067
Type osvdb
Reporter Marcel Holtmann
Modified 2006-04-19T09:02:36

Description

Vulnerability Description

The Linux kernel contains a flaw that may allow a malicious user to escape a chroot environment. The issue is triggered when a user attempts to change to a working directory outside a chroot environment on an SMBFS file system using a double backslash, e.g. 'cd ..\'. It is possible that the flaw may allow unauthorised access to file system resources, resulting in a loss of confidentiality and/or integrity.

Solution Description

Upgrade to version 2.4.33, 2.6.16.11 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Vendor Specific News/Changelog Entry: http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33
Vendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189435
Secunia Advisory ID: 20671
Secunia Advisory ID: 21476
Secunia Advisory ID: 22875
Secunia Advisory ID: 23064
Secunia Advisory ID: 20398
Secunia Advisory ID: 21614
Secunia Advisory ID: 19869
Secunia Advisory ID: 20237
Secunia Advisory ID: 21745
Secunia Advisory ID: 21954
Secunia Advisory ID: 22497
Secunia Advisory ID: 20716
Secunia Advisory ID: 21035
RedHat RHSA: RHSA-2006:0493
RedHat RHSA: RHSA-2006:0579
RedHat RHSA: RHSA-2006:0710
Other Advisory URL: http://www.us.debian.org/security/2006/dsa-1097
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0212.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0211.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0213.html
Keyword: VMSA-2006-0007
Keyword: VMSA-2006-0005
Keyword: VMSA-2006-0008
Keyword: VMSA-2006-0006
CVE-2006-1864
Bugtraq ID: 17735