<<< Date Index >>>     <<< Thread Index >>>

UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A known exploit can break a chroot prison.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : chroot A 
known exploit can break a chroot prison.
Advisory number:        SCOSA-2005.2
Issue date:             2005 January 14
Cross reference:        sr887824 fz528555 erg712509 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

        chroot() is a system call that is often used to provide an
        additional layer of security when untrusted programs are
        run. The call to chroot() is normally used to ensure that
        code run after it can only access files at or below a given
        directory. 

        Originally, chroot() was used to test systems software in 
        a safe environment. It is now generally used to lock users 
        into an area of the file system so that they can not look 
        at or affect the important parts of the system they are on. 
        
        Several programs use chroot jails to ensure that even if 
        you break into the process's address space, you can't do 
        anything harmful to the whole system. If chroot() can be 
        broken then this precaution is broken. 

        A known exploit can break a chroot prison.

        The Common Vulnerabilities and Exposures project 
        (cve.mitre.org) has assigned the name CAN-2004-1124 to t
        his issue.

        A new file system tunable, CHROOT_SECURITY is provided to
        protect against the known exploit for escaping from a chroot
        prison. The new tunable is described in /etc/conf/dtune.d/fs
        and defined in /etc/conf/mtune.d/fs. Protection is provided
        by the default value of 1 but traditional behavior may be
        obtained by resetting CHROOT_SECURITY to 0. 

        chroot() is a good way to increase the security of the
        software provided that secure programming guidelines are 
        utilized and chroot() system call limitations are taken 
        into account.  Chrooting will prevent an attacker from 
        reading files outside the chroot jail and will prevent 
        many local UNIX attacks (such as SUID abuse and /tmp 
        race conditions).

        The number of ways that root user can break out of chroot 
        is huge.  If there is no root user defined within the 
        chroot environment, no SUID binaries, no devices, and 
        the daemon itself dropped root privileges right after 
        calling chroot() call breaking out of chroot appears to 
        be impossible.

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.4                  /etc/conf/pack.d/namefs/Driver_atup.o
                                        /etc/conf/pack.d/namefs/Driver_mp.o
                                        /usr/include/sys/vfs.h

        UnixWare 7.1.3                  See Maintainance pack 4

        UnixWare 7.1.1                  See Maintainance pack 5
                                

3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.4

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.2

        4.2 Verification

        MD5 (erg712629c.pkg.Z) = 480ecc98f9c918a3b35082c1bef2aa44

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712629c.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712629c.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712629c.pkg


5. UnixWare 7.1.3

        5.1 Location of Fixed Binaries

        The fixes are available in SCO UnixWare Release 7.1.3
        Maintenance Pack 4 or later.  See

        ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.txt
        or
        ftp://ftp.sco.com/pub/unixware7/713/mp/mp4/uw713mp4.html

        5.2 Verification

        MD5 (uw713mp4.image) = 7eb9e20ed6a6d9ed1ab7335323bf25d1

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download uw713mp4.image to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/uw713mp4.image


6. UnixWare 7.1.1

        6.1 Location of Fixed Binaries

        The fixes are available in SCO UnixWare Release 7.1.1
        Maintenance Pack 5 or later.  See

        ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
        and
        ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt

        6.2 Verification

        MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        6.3 Installing Fixed Binaries

        See uw711mp5.txt and uw711mp5_errata.txt for install instructions.

7. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 
                http://www.packetfactory.net/projects/libexploit/ 
                http://www.bpfh.net/simes/computing/chroot-break.html
                http://www.linuxsecurity.com/content/view/117632/49/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr887824 fz528555
        erg712509.


8. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


9. Acknowledgments

        SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)

iD8DBQFB6GDDaqoBO7ipriERAgpwAJ9ohWuGizBGP5rLwQfBvMkDtZdVIQCfQQaF
+ysj7pTq2BCUn+5vqu7CJvA=
=EDUn
-----END PGP SIGNATURE-----