To: [email protected], [email protected],
From: [email protected]Subject: OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
Date: Wed, 11 May 2005 11:17:13 -0700
Message-ID: <20050511111713.A671@caldera.com.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
Advisory number: SCOSA-2005.22
Issue date: May 11 2005
Cross reference: sr887583 fz528523 erg712505 CAN-2004-1124
______________________________________________________________________________
1. Problem Description
chroot() is a system call that is often used to provide an
additional layer of security when untrusted programs are
run. The call to chroot() is normally used to ensure that
code run after it can only access files at or below a given
directory.
Originally, chroot() was used to test systems software in
a safe environment. It is now generally used to lock users
into an area of the file system so that they can not look
at or affect the important parts of the system they are on.
Several programs use chroot jails to ensure that even if
you break into the process's address space, you can't do
anything harmful to the whole system. If chroot() can be
broken then this precaution is broken.
A known exploit can break a chroot prison.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1124 to t
his issue.
A new variable chroot_security has been added to
/etc/conf/pack.d/kernel/space.c, which if set should
prevent escape from chroot prison. The default value for
chroot_security is '1' to disable it set it to '0'.
chroot() is a good way to increase the security of the
software provided that secure programming guidelines are
utilized and chroot() system call limitations are taken
into account. Chrooting will prevent an attacker from
reading files outside the chroot jail and will prevent
many local UNIX attacks (such as SUID abuse and /tmp
race conditions).
The number of ways that root user can break out of chroot
is huge. If there is no root user defined within the
chroot environment, no SUID binaries, no devices, and
the daemon itself dropped root privileges right after
calling chroot() call breaking out of chroot appears to
be impossible.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /var/etc/conf/pack.d/kernel/sys4.o
OpenServer 5.0.7 /var/etc/conf/pack.d/kernel/sys4.o
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.6 / OpenServer 5.0.7
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22
4.2 Verification
MD5 (VOL.000.000) = 2446d28490219ddc4bab7e85ccd57723
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory
2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124http://www.packetfactory.net/projects/libexploit/http://www.bpfh.net/simes/computing/chroot-break.htmlhttp://www.linuxsecurity.com/content/view/117632/49/
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr887583 fz528523
erg712505.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Simon Roses Femerling
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCgjAcaqoBO7ipriERAoY5AJ42/dWsKWiavEOzIpR3vJF1U056bgCfRxOs
2EejxusY98xH4roOEG63mMM=
=UIvo
-----END PGP SIGNATURE-----