OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

To: security-announce@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
From: please_reply_to_security@xxxxxxx
Date: Wed, 11 May 2005 11:17:13 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: please_reply_to_security@xxxxxxx
User-agent: Mutt/1.2.5i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.6  OpenServer 5.0.7 : chroot A known 
exploit can break a chroot prison.
Advisory number:        SCOSA-2005.22
Issue date:             May 11 2005
Cross reference:        sr887583 fz528523 erg712505 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

        chroot() is a system call that is often used to provide an
        additional layer of security when untrusted programs are
        run. The call to chroot() is normally used to ensure that
        code run after it can only access files at or below a given
        directory. 

        Originally, chroot() was used to test systems software in 
        a safe environment. It is now generally used to lock users 
        into an area of the file system so that they can not look 
        at or affect the important parts of the system they are on. 
        
        Several programs use chroot jails to ensure that even if 
        you break into the process's address space, you can't do 
        anything harmful to the whole system. If chroot() can be 
        broken then this precaution is broken. 

        A known exploit can break a chroot prison.

        The Common Vulnerabilities and Exposures project 
        (cve.mitre.org) has assigned the name CAN-2004-1124 to t
        his issue.

        A new variable chroot_security has been added to 
        /etc/conf/pack.d/kernel/space.c, which if set should 
        prevent escape from chroot prison.  The default value for 
        chroot_security is '1' to disable it set it to '0'.

        chroot() is a good way to increase the security of the
        software provided that secure programming guidelines are 
        utilized and chroot() system call limitations are taken 
        into account.  Chrooting will prevent an attacker from 
        reading files outside the chroot jail and will prevent 
        many local UNIX attacks (such as SUID abuse and /tmp 
        race conditions).

        The number of ways that root user can break out of chroot 
        is huge.  If there is no root user defined within the 
        chroot environment, no SUID binaries, no devices, and 
        the daemon itself dropped root privileges right after 
        calling chroot() call breaking out of chroot appears to 
        be impossible.

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6                /var/etc/conf/pack.d/kernel/sys4.o
        OpenServer 5.0.7                /var/etc/conf/pack.d/kernel/sys4.o

3. Solution

        The proper solution is to install the latest packages.

4. OpenServer 5.0.6 / OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22

        4.2 Verification

        MD5 (VOL.000.000) = 2446d28490219ddc4bab7e85ccd57723  

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
        images, and specify the directory as the location of the
        images.


5. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 
                http://www.packetfactory.net/projects/libexploit/ 
                http://www.bpfh.net/simes/computing/chroot-break.html
                http://www.linuxsecurity.com/content/view/117632/49/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr887583 fz528523
        erg712505.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


7. Acknowledgments

        SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCgjAcaqoBO7ipriERAoY5AJ42/dWsKWiavEOzIpR3vJF1U056bgCfRxOs
2EejxusY98xH4roOEG63mMM=
=UIvo
-----END PGP SIGNATURE-----

Prev by Date: Re: Firefox Crash??
Next by Date: Re: Linux kernel ELF core dump privilege elevation
Previous by thread: BakBone NetVault last warning
Next by thread: Yappa-NG Multiple Vulnerabilities
Index(es):
- Date
- Thread