SECURITYVULNS:DOC:7627
Jan 19, 2005

UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a chroot prison.

vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    SCO Security Advisory

Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a
chroot prison.
Advisory number: SCOSA-2005.2
Issue date: 2005 January 14
Cross reference: sr887824 fz528555 erg712509 CAN-2004-1124


  1. Problem Description

     chroot() is a system call that is often used to provide an
     additional layer of security when untrusted programs are
     run. The call to chroot() is normally used to ensure that
     code run after it can only access files at or below a given
     directory. 
    
     Originally, chroot() was used to test systems software in 
     a safe environment. It is now generally used to lock users 
     into an area of the file system so that they can not look 
     at or affect the important parts of the system they are on. 
     
     Several programs use chroot jails to ensure that even if 
     you break into the process's address space, you can't do 
     anything harmful to the whole system. If chroot() can be 
     broken then this precaution is broken. 
    
     A known exploit can break a chroot prison.
    
     The Common Vulnerabilities and Exposures project 
     (cve.mitre.org) has assigned the name CAN-2004-1124 to
     this issue.
    
     A new file system tunable, CHROOT_SECURITY is provided to
     protect against the known exploit for escaping from a chroot
     prison. The new tunable is described in /etc/conf/dtune.d/fs
     and defined in /etc/conf/mtune.d/fs. Protection is provided
     by the default value of 1 but traditional behavior may be
     obtained by resetting CHROOT_SECURITY to 0. 
    
     chroot() is a good way to increase the security of the
     software provided that secure programming guidelines are 
     utilized and chroot() system call limitations are taken 
     into account.  Chrooting will prevent an attacker from 
     reading files outside the chroot jail and will prevent 
     many local UNIX attacks (such as SUID abuse and /tmp 
     race conditions).
    
     The number of ways that the root user can break out of chroot
     is huge.  If there is no root user defined within the
     chroot environment, no SUID binaries, no devices, and
     the daemon itself has dropped root privileges right after
     calling chroot(), breaking out of chroot appears to
     be impossible.
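
     The static conditions listed above (no root user, no SUID
     binaries, no devices) can be checked against a jail directory
     with a short script. This is an added example, not part of the
     SCO advisory; the function name audit_jail and its bitmask
     return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SCO's code): static audit of a chroot jail directory.
# Return value is a bitmask: 1 = SUID file found, 2 = device node found,
# 4 = UID-0 account in the jail's etc/passwd, 0 = all three checks pass.
# Whether the daemon drops root after chroot() cannot be checked from here.

audit_jail() {
    jail=$1
    findings=0
    if [ ! -d "$jail" ]; then
        echo "audit_jail: not a directory: $jail" >&2
        return 64
    fi

    # Condition: no SUID binaries inside the jail.
    suid=$(find "$jail" -type f -perm -4000 -print 2>/dev/null) || true
    if [ -n "$suid" ]; then
        echo "FAIL: SUID files in jail:"
        echo "$suid" | sed 's/^/  /'
        findings=$((findings + 1))
    fi

    # Condition: no block or character device nodes.
    devs=$(find "$jail" \( -type b -o -type c \) -print 2>/dev/null) || true
    if [ -n "$devs" ]; then
        echo "FAIL: device nodes in jail:"
        echo "$devs" | sed 's/^/  /'
        findings=$((findings + 2))
    fi

    # Condition: no root user (UID 0) defined in the jail's passwd file.
    if [ -f "$jail/etc/passwd" ]; then
        roots=$(awk -F: '$3 == 0 { print $1 }' "$jail/etc/passwd")
        if [ -n "$roots" ]; then
            echo "FAIL: UID 0 accounts in $jail/etc/passwd: $roots"
            findings=$((findings + 4))
        fi
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: $jail passes the static checks"
    fi
    return "$findings"
}

# Run against a jail path given on the command line.
if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```

     A zero return covers only the file-system side of the jail;
     the privilege drop after chroot() has to be confirmed in the
     daemon itself.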
    
  2. Vulnerable Supported Versions

     System                          Binaries
     ----------------------------------------------------------------------
     UnixWare 7.1.4                  /etc/conf/pack.d/namefs/Driver_atup.o
                                     /etc/conf/pack.d/namefs/Driver_mp.o
                                     /usr/include/sys/vfs.h
    
     UnixWare 7.1.3                  See Maintenance pack 4
    
     UnixWare 7.1.1                  See Maintenance pack 5
    
  3. Solution

     The proper solution is to install the latest packages.
    
  4. UnixWare 7.1.4

     4.1 Location of Fixed Binaries
    
     ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2
    
     4.2 Verification
    
     MD5 (erg712629c.pkg.Z) = 480ecc98f9c918a3b35082c1bef2aa44
    
     md5 is available for download from
             ftp://ftp.sco.com/pub/security/tools
    
    
     4.3 Installing Fixed Binaries
    
     Upgrade the affected binaries with the following sequence:
    
     Download erg712629c.pkg.Z to the /var/spool/pkg directory
    
     # uncompress /var/spool/pkg/erg712629c.pkg.Z
     # pkgadd -d /var/spool/pkg/erg712629c.pkg
    
  5. UnixWare 7.1.3

     5.1 Location of Fixed Binaries
    
     The fixes are available in SCO UnixWare Release 7.1.3
     Maintenance Pack 4 or later.  See
    
     ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.txt
     or
     ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.html
    
     5.2 Verification
    
     MD5 (uw713mp4.image) = 7eb9e20ed6a6d9ed1ab7335323bf25d1
    
     md5 is available for download from
             ftp://ftp.sco.com/pub/security/tools
    
    
     5.3 Installing Fixed Binaries
    
     Upgrade the affected binaries with the following sequence:
    
     Download uw713mp4.image to the /var/spool/pkg directory
    
     # pkgadd -d /var/spool/pkg/uw713mp4.image
    
  6. UnixWare 7.1.1

     6.1 Location of Fixed Binaries
    
     The fixes are available in SCO UnixWare Release 7.1.1
     Maintenance Pack 5 or later.  See
    
     ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
     and
     ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt
    
     6.2 Verification
    
     MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a
    
     md5 is available for download from
             ftp://ftp.sco.com/pub/security/tools
    
     6.3 Installing Fixed Binaries
    
     See uw711mp5.txt and uw711mp5_errata.txt for install instructions.
    
  7. References

     Specific references for this advisory:
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 
             http://www.packetfactory.net/projects/libexploit/ 
             http://www.bpfh.net/simes/computing/chroot-break.html
             http://www.linuxsecurity.com/content/view/117632/49/
    
     SCO security resources:
             http://www.sco.com/support/security/index.html
    
     SCO security advisories via email
             http://www.sco.com/support/forums/security.html
    
     This security fix closes SCO incidents sr887824 fz528555
     erg712509.
    
  8. Disclaimer

     SCO is not responsible for the misuse of any of the information
     we provide on this website and/or through our security
     advisories. Our advisories are a service to our customers
     intended to promote secure installation and use of SCO
     products.
    
  9. Acknowledgments

     SCO would like to thank Simon Roses Femerling
    

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)

iD8DBQFB6GDDaqoBO7ipriERAgpwAJ9ohWuGizBGP5rLwQfBvMkDtZdVIQCfQQaF
+ysj7pTq2BCUn+5vqu7CJvA=
=EDUn
-----END PGP SIGNATURE-----
